There are over 70 insurers that offer some form of cyber risk insurance, so why should you choose SafeLaw for your firm? At a high level, the answer is very simple. SafeLaw was created by lawyers to provide best possible cyber risk coverage and services for law firms. Law firms need customized cyber risk coverage and services to protect the firm from cyber risk and generic “one size fits all” cyber risk policies can’t do it. When you begin to drill down into the SafeLaw policy language and the accompanying services, the reasons why you should select SafeLaw become crystal clear. Here are just a few reasons why more law firms purchase SafeLaw than any other cyber risk insurance policy.
Industry Leading Coverage For Law Firms
SafeLaw insurance coverage is built specifically for a law firm’s cyber risks. The combination of coverage included in SafeLaw is not available in any other cyber risk policy sold today. A few examples of enhancements unique to SafeLaw include the following:
SafeLaw does not have sub limits of coverage.
SafeLaw includes the full policy limit of coverage for any type of covered cyber risk claim including incident response, notification, regulatory violations, and fraudulent finds transfer.
SafeLaw covers all of the firm’s sensitive data, not just personally identifiable information.
The data breach liability coverage in all generic cyber risk policies is built for privacy breaches. Most law firms have some personally identifiable information that creates privacy exposure, but the privacy exposure at most law firms is reaches of a retailer, hospital, or bank. Therefore, offering a law firm good privacy coverage with limited (or no) confidentiality breach coverage doesn’t cover the majority of the firm’s data or exposures. SafeLaw was created to protect law firms from confidentiality breaches, breaches of attorney client privilege, and privacy breaches.
SafeLaw covers the firm’s whole computer network including outsourced components
The majority of cyber risk policies provide narrow (or no) coverage for outsourced parts of the firm’s computer network including hardware, software and data processing. Most law firms, especially firms with 10 or less lawyers outsource the majority of computer network and data processing operations. Therefore, we designed SafeLaw to provide broad coverage for the firm’s computer system including blanket coverage for outsourced components of the computer network, software, could based or data processing operations.
SafeLaw provides legal liability coverage for civil, criminal, regulatory, and disciplinary proceedings as well as punitive damages, fines, and penalties for any covered third-party claim.
SafeLaw provides the broadest third-party liability cyber risk protection for law firms. Generic Cyber risk policies limit coverage for regulatory proceedings to privacy breaches only and do not extend coverage to other types of third-party liability claims covered by the policy, such as network security breaches, media liability, or even confidentiality breaches. SafeLaw provides regulatory coverage for any type of third-party liability claim covered by the policy.
Most generic cyber risk policies do not cover disciplinary proceedings. Coverage for disciplinary proceedings is particularly important for licensed professional services entities, such as law firms. Law firms and individual lawyers are subject to a litany of professional rules including some regarding information security and confidentiality such as model rules 1.1 and 1.6. Those rules are subject to enforcement by agencies such as the state level Attorney Registration and Disciplinary Commissions (ARDC), and those lawyers or firms that violate the rules are subject to disciplinary proceedings.
Currently, SafeLaw is the only cyber risk policy for lawyers that covers criminal proceedings. We included coverage for criminal proceedings to address the needs of our law firms with international exposure. In some international jurisdictions, negligent acts such as privacy breaches, confidentiality breaches, defamation, or intellectual property infringement are considered criminal acts. It’s not uncommon for foreign governments to criminally charge the firm leadership for failure prevent confidentiality or privacy breaches.
SafeLaw is designed to provide protection for the firm’s contractual relationships with clients
SafeLaw is the only cyber risk policy that adequately protects law firms for loss of income due to cyber perils.
The business interruption (also known as business income) coverage in SafeLaw was drafted to contemplate the way law firm’s earn revenue. More specifically, SafeLaw includes coverage for loss of income due to the loss of billable hours and loss of clients as part of the business income coverage. Other cyber risk policies use standard business interruption coverage language similar to the language published by the Insurance Services Office. The main problem with generic business interruption coverage is that it won’t work for law firms. Standard business interruption wording only covers losses fully realized during the period of restoration, meaning that generic business income coverage only applies to “lost income” from work that would have been: (1) performed; (2) billed for; and (3) collected, all within the period of restoration. The generic business income valuation model works well for a restaurant or retailer where it’s easy to illustrate how many people would have made purchases in a few days or even weeks, but unfortunately there is very little (if any) lost income that a law firm could recover under such a valuation model.
SafeLaw’s coverage for theft of money and securities applies to the firm’s accounts as well as trust accounts.
Cyber crime (also known as “social engineering” or “fraudulent funds transfer”) coverage in cyber risk policies is becoming increasingly important to law firms. Thieves have been targeting all kinds of law firms and especially firms that handle transactions or money for clients. In addition to the risk of financial loss due to theft from the firm’s own accounts, law firms are also subject to liability when client accounts are pilfered. Law firms that act as custodians for client accounts are subject to trust accounting rules. Any time client funds are removed from a trust account without the client’s authorization the firm must report it as a trust account violation. SafeLaw was specially crafted to cover the firm’s loss of money or securities, including client accounts where the firm is an authorized custodian. Furthermore, the SafeLaw coverage for theft of money and securities in SafeLaw extends to legal liability, regulatory risk, and ethics violations. Generic cyber crime coverage typically covers the firm for loss of their own money and securities, but such coverage is typically only available at a small sub limit and in many cases does not apply to loss of client money or securities. Likewise, the crime coverage in generic cyber risk does not extend to legal liability, regulatory risk, or ethics violations.
SafeLaw does not have “terrorism” or “war” exclusions.
Most cyber risk policies have some combination of war and terrorism exclusions, which limit or eliminate coverage for state sponsored acts that result in loss. Unfortunately, law firms are widely considered as a “weak link” or “soft underbelly” in corporate information security at large organizations, so law firms are frequently targeted by state sponsored actors seeking sensitive information such as intellectual property, mergers and acquisitions data, and public company insider information. SafeLaw was designed to cover such claims and is currently the only cyber risk policy without any war or terrorism exclusion.
Coverage Dovetails With Lawyers Professional Liability
SafeLaw is structured to work in tandem with a law firm’s Lawyers Professional Liability (“LPL”) insurance policies. Most generic cyber risk policies assume the firm has no other coverage that could apply to cyber risk, which often results in coverage clashes, coverage gaps, and multiple deductibles for a single claim. SafeLaw was developed using a wraparound (also known as difference in conditions or D.I.C.) structure to dovetail with the LPL policy. A brief summary of the SafeLaw wrap structure follows below:
LPL policies were originally built to cover lawyers for professional malpractice. Although LPL policies have evolved to cover a broader range of legal services and some peripheral exposures such as employment practices liability, they were not designed to provide coverage for cyber risk. Today, most LPL policies are either “silent” with respect to cyber risk coverage or include a very small sub limit of coverage for cyber risk by endorsement. The result is law firm’s often overpay for coverage and end up with serious coverage deficiencies and numerous coverage overlaps. These issues make structuring proper cyber risk coverage that much more complicated and important for law firms.
A cyber risk policy that is structured properly will cover a broad range of cyber risk and fill gaps in the firm’s other liability and property insurance policies without duplicating coverage. To achieve this goal, SafeLaw uses a specialized policy structure called a “wrap” or a “difference in conditions wrap”. SafeLaw’s radically different construction is designed to work in tandem with the firm’s LPL policy to provide the broadest cyber risk protection available for law firms. In summary, SafeLaw works with the LPL to cover cyber risk claims as follows:
- Primary: When the firm’s LPL does not cover a particular cyber risk claim, then SafeLaw provides the firm with cyber risk coverage on a primary basis.
- Excess: When the firm’s LPL provides primary coverage for a cyber risk claim, then SafeLaw provides the firm with excess cyber risk coverage over the coverage in the LPL.
- Co-Primary: When the firm’s LPL covers some, but not all of a cyber risk claim, SafeLaw covers the portion of the claim not covered by the LPL.
In addition to limit and coverage structure briefly described in points A-C above, SafeLaw also utilizes a wraparound deductible structure to eliminates situations where policyholder is forced to pay two deductibles for a single claim, one to LPL insurer and one to the cyber risk insurer. The SafeLaw deductible structure can infill the LPL deductible for recognize erosion of payments made under the LPL, including the deductible.
Overall, the a wrap structure is the optimal approach for providing flexible, inexpensive and seamless cyber risk coverage for law firms. Generic cyber risk policies contain none of the wrap features in the coverage, limit, or deductible. Only SafeLaw provides a cyber wrap structure to law firm clients and ultimately, it is our largest advantage. Please see the chart below for an illustration on a how the SafeLaw policy works compared to traditional cyber risk insurance.
Standard cyber risk insurance is a separate tower of defined perils coverage. It does not interact with the other policies in the program, resulting in multiple deductibles, coverage conflicts and gaps in coverage.
Law Firm Specific Incident Response And Claims Handling
Cyber risk losses at law firms can be more complicated than claims in other industries and they frequently require specialized expertise when confidential information or data subject to attorney client privilege is involved. SafeLaw’s incident response team was created using legal, information technology risk, and cyber remediation specialists with an expertise in law firm cyber risk claims. Our approach is created to protect your firm’s brand by handling claims quickly and quietly. An overview of the SafeLaw incident response and claims handling is outlined below.
- SafeLaw’s incident response and claims team is staffed by internal and external members with best of breed expertise including: (1) information technology and technical professionals; (2) legal experts in breach response, breach of privilege, and confidentiality breaches; (3) victim notification and remediation specialists; and (4) public relations advisors.
- Incident and claims notification and intake are handled by lawyers specializing in cyber risk. Claims report data is protected by attorney client privilege.
- Third-party breach response process built around confidentiality breaches, breaches of attorney client privilege, and privacy breaches.
- Specialist advisors are available for ABA and related professional ethics violations, PCI breaches, trust account violations, and regulatory breaches.
- First-party claims including data restoration, extra expense and loss of income developed using a industry leading technical forensics, information technology restoration, and forensic accounting.
- Expert guidance in ransomware attacks, extortion negotiation, social engineering and fraudulent funds transfer.
- Contractual risk guidance for firms with merchant banking contracts as well as firms that work with clients in regulated industries such as financial services or healthcare.
The incident response and claims handling services listed above are just a handful of the specialized cyber risk services we provide to our law firm clients. Please click HERE for a more detailed overview of the incident response and claims handling services incorporated into the SafeLaw program.
Access To Cutting Edge Law Firm Cyber Loss Prevention and Control Services
The SafeLaw program incorporates pre-claim loss prevention and control education and training. We provide SafeLaw clients with the tools, templates, and expertise to reduce the frequency and severity of cyber risk losses. A short overview of the education and training we provide to SafeLaw clients includes the following:
- Law firm cyber risk resiliency assessment;
- Sample law firm cyber risk claim examples and loss valuation(s);
- Contractual risk playbook and negotiating strategies for vendors as well as clients in regulated and non-regulated industries;
- Incident response planning;
- Introductory cyber risk training and education
- Access to template network security, confidentiality, and privacy policies and procedures.
- Access to cyber risk focused CLE training at reduced cost provided in partnership with the Legal Risk Institute.