Cyberinsurance Fact vs Fiction
At Paradigm, we speak with many small and midsize law firms and hear a lot of inaccurate information. Here are some of the common myths surrounding cyberinsurance:
If you don’t <scary security requirement>, you will get your claim denied
Recently, a legal industry publication ran an article from an IT consultant on this topic. The article claimed that firms “don’t realize they can lose their policy if they do not maintain compliance with its requirements”, then went on to describe several requirements which may or may not exist in a cyberinsurance policy. The fact is, you are only bound by the security controls you attested to; no carriers are adding requirements mid-policy. For example, if you state during the application process that your firm does not have MFA in place, then you are NOT required to have MFA in place. The policy itself may have specific requirements around other items, such as how to make a claim, or excluded perils.
FACT: Any cybersecurity controls that are required are the ones you attest to in the application form on your annual renewal (and there may be additional details in the policy).
Cyberinsurance never pays out
An insurance endorsement is an add-on to a policy, which is how a lot of cyber coverage was handled until recently. The endorsement is added on to an existing policy, such as your firm’s general liability. The issue is that most endorsements carry very low limits and are very restricted in how they pay out. For example, Paradigm recently saw a firm with over $20m/year in revenue that had an endorsement with a maximum payout of $25k. Some quick math shows that such a policy covers only a couple of hours of the firm being unable to generate billable hours, and that is IF it even pays out a claim.
FACT: Stand-alone cyber policies pay out in the majority of cases, while endorsements may not (or, when they do, provide very minimal coverage). Ensure your firm has proper coverage.