The threat to law firms posed by data breaches and ransomware has been in the news lately — and for good reason. The financial and reputational fallout from a data breach or successful ransomware attack can be catastrophic. We’ve written about the topic ourselves (here, and here, and here).
One line of defense that’s frequently recommended as a means of mitigating security risks is cyber insurance. Cyber insurance policies cover risks for internet-connected firms that own digital assets or handle digital personal information for their employees and clients. These include insurance policies addressing computer fraud, forgery, data breaches, funds transfer fraud, and general “cyber liability” protections that are commonly attached to a firm’s business insurance policy.
Firms can also purchase “social engineering fraud coverage.” The Chubb Insurance Group, for example, says that its social engineering policy protects businesses from losses that occur when a well-meaning employee is duped by a criminal posing as a supplier, new client, or fellow employee. Basically, this is insurance against phishing attacks.
However, there is one large gotcha with cyber insurance. These policies are relatively new. Important policy provisions have not been subjected to decades of litigation, as is the case with other traditional types of insurance. The insurer and insured parties can reasonably differ as to the meaning of key terms — particularly technical terms that…
