As ransomware attacks and data breaches increase, cybersecurity insurance policies represent a growing coverage area. Insurance defense law firms may find new cyber insurance panel opportunities if they take the time to learn the industry.
There are now 4 million cyber insurance policies in place, according to a 2021 report by the U.S. Government Accountability Office (“GAO”) titled Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market. The “take up” rate at which insureds add cyber coverage to their insurance portfolio grew from 26% in 2016 to 47% in 2020.
The primary coverages provided in a cyber policy include the following, according to Chubb and AIG:
- Incident response expense
- First-party cyber risk (may include event management, data restoration, financial costs to third parties, network interruption, and cyber extortion)
- Third-party cyber liability
- Professional liability/errors and omissions
In most cases the cyber policy is written on a standalone basis, apart from other lines of coverage. There are instances where a professional liability policy may include some cyber coverage. It is unlikely but possible to find a cyber endorsement associated with other types of business or commercial coverage, according to the GAO report. The growth in cyber policies has prompted insurers to add exclusions to other forms of P&C coverage to minimize any overlap of cyber coverage.
Insurance carriers often offer insureds proactive loss prevention and incident response testing services to measure the organization’s ability to withstand and respond to an attack. A typical evaluation may include the following:
- Response readiness assessments
- Security performance benchmarking
- Network vulnerability testing
- Cyberattack simulations
Premiums for cyber insurance policies range from $1,400 to $3,000 per million of the policy’s per-incurrence limit for small accounts operating in a low-risk industry, according to the GAO report. Higher premiums are charged for larger organizations that operate in a more complex environment.
Limits for cyber insurance have declined in some industries to $5 million from a previous level of $10 million. At the same time, self-insured retentions (“SIR”) are increasing. This means that there may be cyber insurance panel opportunities within corporate accounts as well as for carriers.
The top U.S. carriers for cyber insurance wrote $1.86 billion in premiums in 2020, representing 68 percent of the cyber market, according to an NAIC report. Standalone cybersecurity direct written premiums grew 28 percent in 2020 while the number of standalone policies increased by 22 percent.
Major Cybersecurity Attacks in 2021
Data breaches across all industries, including healthcare, education, government, and retail, present growing risks to supply chains and business operations nationwide. Below are a few of the more significant cybersecurity events that took place in 2021 alone.
- The Microsoft Corp. Exchange email software was hacked in March 2021. Up to 250,000 servers may have been affected by the data breach, which exposed confidential email addresses and network security across many countries.
- Colonial Pipeline temporarily halted its oil infrastructure operations after a cyberattack on May 7, 2021. The company paid $4.4 million in ransom, some of which was later recovered.
- The Metropolitan Police Department in Washington, D.C., was the target of a May 13th attack that disrupted access to sensitive case and informer files. A payment of $4 million was demanded in return for not publishing the data.
- JBS USA, the U.S. subsidiary of an international meatpacking company, was forced to stop production following a May 30, 2021 ransomware attack. Facilities in multiple states were affected. The company reportedly paid $11 million in ransom.
- In July, dozens of “managed service providers” were affected by a REvil ransomware attack on Kaseya VSA software.
- A previously undetected flaw in a widely used piece of Internet code was publicly disclosed in December 2021. Security officials are concerned that the “Log4j” code has the potential to disrupt service to millions of devices.
Federal Government Cybersecurity Actions
On January 19, 2022, President Biden signed an executive order titled “National Security Memorandum to Improve the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.” The order requires that “National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028.”
The U.S. Government Accountability Office (“GAO”) first recognized the security risk associated with government information in 1997. In the intervening 25 years, the GAO has expanded its risk assessment to include cyber infrastructure and personally identifiable information (“PII”) maintained in government agencies.
It is likely that cybersecurity will be subject to increased state and federal regulations as government agencies strive to tighten security levels around the nation’s cyber infrastructure.
Implications for Cyber Insurance Panels
Cyber insurance panels represent a growth opportunity for insurance defense law firms that can demonstrate capabilities in privacy and data security. In the aggressive market for panel counsel positions, cyber insurance skills allow a law firm to distinguish itself from competitors.
The top P&C carriers generally offer some level of cyber insurance, which creates a cross-sell opportunity for law firms that are already panel counsel for a carrier in another line of coverage. Management liability and professional liability panels provide a natural extension for cyber coverage, for example.
If the law firm is not already on panel with a cyber carrier, skills in this area enable the law firm to pursue new panel appointments.
Some law firms are partnering, formally or informally, with data security consultants to strengthen their offering. Many insurance carriers also have a panel-type relationship with these data security consultants, so this could also be an indirect channel to cyber claims management.
On a related note, cybersecurity is very important to litigation panel managers when they evaluate a law firm for a panel position in any line of coverage. Managing partners will want to make internal law firm cybersecurity a priority in 2022. Firms should be able to clearly articulate how sensitive case data is protected across a distributed network.
Insurance Defense Marketing Consultant for Law Firms
If your insurance defense law firm is asking how you can improve your marketing communications and business development efforts, give us a call. We have helped more than 220 insurance defense law firms in 40 states pursue new client opportunities.
Legal Expert Connections, Inc. offers three key benefits to insurance defense law firms nationwide:
- We are the leading U.S. legal marketing agency specializing in the insurance defense market. We make it our business to identify who you need to contact at an insurance company, corporation or municipality to be considered as a panel counsel member. We accelerate your business development process by helping you focus on introducing your law firm to new prospective clients.
- You get a structured business development process. We guide your law firm through a proven three-step campaign that brings discipline, focus, and productivity to your marketing efforts.
- Increase revenue with professional, Bar-compliant legal marketing campaigns. We do the research to identify insurance panel managers, so you can focus your time on the business development process.
This article is provided for educational purposes only. It is not to be interpreted as legal advice or an opinion in regard to any topic discussed. The article should not be used as a substitute for legal advice from a licensed attorney in your state. Every situation is different and circumstances vary widely depending on the governing state law, policy provisions, and related considerations.