MANAGING YOUR PRACTICE A New Dawn for Law Firm Cyberinsurance ‘We Don’t Insure Stupid’ Illustration: Sunny Chao Conduct have required more technologi- cal competence of lawyers (Rules 1.1 and 1.6 — thus far adopted by 15 states, and that number expected to grow), it may be an ethical violation if you don’t inform yourself about the state of your firm’s infor- mation security — and of course one way you protect your clients is by managing risk through cyberinsurance. We regularly hear lawyers insist that their comprehensive general liability (CGL) policy will protect them. It almost never does. Almost all insurers have now riddled the CGL policies with exclusions to push clients into new specialized cyber- security insurance policies or riders. Cy- berinsurance is its own beast — and a law firm without it in our breach-laden world is very foolish. W e have written about cyberin- surance previously. It would be too strong to say “forget every- thing you knew before” on this topic, but there have been such major developments in the last year that a strong cup of coffee might be helpful while you carefully read this article. A new dawn has indeed bro- ken, and law firms have a lot of catching up to do. How Good is Your Cyberinsurance? In the ABA’s 2015 Legal Technology Resource Center Survey, only 11 percent of respondents knew their firm had cyber- insurance. That’s alarming when the same survey showed a marked increase in data breaches and security incidents. The survey showed that many lawyers didn’t know whether their law firms had cyberinsurance — in fact, in firms of more than 100 lawyers, 80 percent didn’t know if the law firm carried such insurance. Now that the ABA Model Rules of Professional 34 By Sharon D. Nelson & John W. Simek OREGON STATE BAR BULLETIN • AUGUST/SEPTEMBER 2016 The Rapid Evolution of Cybersecurity Policies Cybersecurity insurance policies, first introduced in the 1990s, are now the fast- est growing segment of the insurance in- dustry. As of 2015, according to a report from insurer Allianz Global Corporate and Specialty the cyberinsurance market is es- timated to be worth around $2 billion in premiums, with U.S. businesses account- ing for about 90 percent of the market. While fewer than 10 percent of companies in the U.S. purchase cyberinsurance today, the market is expected to grow by double- digit figures from year to year and could reach more than $20 billion in the next decade. And no wonder — a recent study by the Ponemon Institute estimates that more than one billion records of personally identifiable information have been stolen worldwide to date. “It Can’t Happen Here” Myth Has Vanished It is now widely accepted that most large law firms have been breached, many more than once. Or put another way, there are two kinds of law firms: those who have been breached and those who will be breached. Very simply, data that has value (and is usually sold on the “dark web”) is a magnet for the bad guys. Why is cyberinsurance such an im- portant part of information security? The plain truth is that information security has no silver bullet. You can never secure your data 100 percent of the time. A deter- mined and sophisticated hacker can over- come your technological defenses. Worse yet are the carbon-based units (your employees) who steadfastly refuse to practice safe computing. According to Verizon’s 2015 Data Breach Investiga- tions Report, 23 percent of recipients open emails sent by scammers/hackers, and 11 percent download attachments from phishing emails. Results also showed that 50 percent of users click on phishing links within the first hour of being exposed. Given the depth and breadth of vul- nerabilities, much of information security is about risk management. There is some point at which you’ve done all you can do, within your budget, to secure your data. Now you turn to managing the risk through cyberinsurance. Your first step is to review your current insurance policy and see what it does cov- er. If it is indeed the sort of standard policy described above, it is now time to talk to your insurance agent and explain the kind of coverage you need. How Much Does It Cost? Cyberinsurance is not cheap, so be a savvy shopper. The prices remain all over the map, so make sure your insurance agent looks around. There isn’t yet a good model for measuring prices, risks and how