“Never assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy.” – Delinea 2025 Cyber Insurance Research Report

As I have written before, law firms and cybersecurity: it’s a subject that often makes managing partners’ eyes glaze over. They don’t understand it, it’s expensive, and frankly, it’s boring. They assume cybersecurity events won’t happen to their firm and when they do, the only question they ask is “do we have insurance?” Increasingly, the answer is: yes, maybe, and sort of.

That’s why a recent survey by the cybersecurity company Delinea is significant and lends credence to my concerns. At the very least, it should serve as a wake-up call for firm leadership. Delinea is a cybersecurity consulting company that focuses on securing privileged access and identity security for organizations. Delinea partnered with Censuswide and surveyed more than 750 security leaders about cyber insurance and claims practices.

While consultant-run surveys often have to be taken with a grain of salt, since the findings tend to strengthen the consultant’s case for being hired, the Delinea survey reveals some potentially troubling gaps between what insureds think they have and what their policies actually cover. Those gaps apply just as well to law firms.

It’s a Question of When, Not If

First things first, if a law firm doesn’t think a cybersecurity event is going to happen, think again. Seventy-seven percent of those surveyed by Delinea revealed they suffered a cybersecurity incident in the last year.

While the survey didn’t focus on law firms, there’s little reason to think firms are any different. In fact, law firms may be more at risk since they hold highly confidential client material that, frankly, is valuable to the bad guys. But all too often firms think a cybersecurity event isn’t going to happen to them. It’s sort of the security through obscurity notion about which I have written before.

Cyber Insurance: It May Not Be What You Think

According to the Delinea report, cyber insurance policies often don’t cover what you expect. Only 33% of the respondents’ policies covered a critical loss component: lost revenue. Only 45% of the policies covered ransomware (where an attacker locks up or steals data and demands a ransom to restore it) despite the fact that 1 in 5 surveyed reported a ransomware incident.

That’s an important limitation since management often concludes that paying the ransom offers the quickest return of needed data and the quickest return to business operations, which may or may not be true. Forty percent of the policies don’t cover costs to recover data. Less than half covered incident response services or additional remedial security controls.

What all this means is that a firm may end up not being covered for a significant loss. I recently wrote about a company that sadly had to go out of business because it did not have sufficient coverage for a ransomware claim.

Years ago, I attended a cybersecurity conference. I had lunch with a bunch of insurance marketing guys licking their chops over the huge market for cyber insurance. I asked what would happen when the claims pour in as they most certainly would. I was met with stone silence. We now know what will happen: as the report puts it, “Insurance adjusters are on the lookout for a range of controls lapses that could get their companies off the hook for paying a claim.”

And it’s not just coverage issues that can trip up a claim. The lack of security controls can do the same thing.

Security Controls

Not taking cybersecurity seriously and not having robust protections in place not only increases the threat of an incident, it also could mean that appropriate coverage can’t be obtained or, if it is, will be voided once there is a claim.

Indeed, almost everyone surveyed by Delinea said that their organization had to have some level of security controls in place to get coverage. Some 97% of those surveyed indicated that their carriers were demanding things like identity security controls, authorization controls, and better password management, and that carriers were increasingly scrutinizing their insureds’ security controls.

Moreover, the policies that are in place increasingly may be voided if sufficient security controls aren’t in place, a failure that often is not discovered until a claim is filed. According to the Delinea report, 45% of those surveyed said their policies could be voided due to lack of security controls. Other reasons for voiding coverage include human error, misconfiguration, internal bad actors, not following compliance procedures, failure to timely report, and acts of terrorism and war.

It’s a hot mess: firm management doesn’t take cybersecurity seriously, doesn’t spend the money for adequate controls, and then relies on insurance once an incident happens, only to discover that the firm isn’t covered.

Artificial Intelligence

In addition, the advent of the GenAI world has some insurance implications as well. Here’s a noteworthy finding: 42% of those surveyed said their policies excluded AI misuse and liability from coverage. That’s important because firms have to assume that their lawyers and legal professionals, like just about everyone else, are using GenAI in their personal and often in their work lives. But if they don’t use AI tools properly, the misuse could result in liability that won’t be covered. All the more reason to undertake robust AI training and create appropriate use guidelines.

So, What To Do?

So, what can law firm management do? First, it may be stating the obvious, but management needs to read their cyber insurance policies carefully. They need to identify the exclusions and coverage gaps. They need to do research into how the policies and the mandated controls are being interpreted.

They can’t assume coverage based on marketing material, or what the carrier has offered in the past or to others. Management also needs to carefully review the security controls that the carrier has demanded and be sure they are met. Conduct an annual policy audit with your IT director and insurance broker present.

Management should treat that review, and everything else about the policy, with the same level of scrutiny it would apply if a client asked it to review the client’s own policies.

The report makes an excellent point in this regard:

Because the cyber insurance market is still maturing, policy language and coverage options can vary widely from insurer to insurer — and even policy to policy. One of the challenges that organizations face is in the interpretation of policy requirements. While policy exclusions tend to be fairly clear-cut (i.e., exclusions around acts of war or nation-state activity), the language around controls requirements can sometimes remain vague.

Never assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy. It is incumbent upon risk leaders to collaborate with executive management and the board to identify how existing controls weaknesses could jeopardize their insurability and to utilize gap analysis for prioritizing investments.

Couldn’t have said it any better.
Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.

The post Think You Are Covered? Better Read Your Cybersecurity Policy — Carefully appeared first on Above the Law.