The Florida Bar

Florida Bar News

Cybersecurity committee co-chair recommends insurance to protect against ransomware attacks

Senior Editor Top Stories

While insurance becomes more restrictive and expensive, Steven Teppler says it’s still a good idea even for small firms

Steven Teppler


Cybersecurity insurance is getting more restrictive and expensive, but it’s still good to have, said Steven Teppler, the co-chair of The Florida Bar’s Committee on Cybersecurity and Privacy Law.

Teppler makes this recommendation for both financial and preventive reasons.

Depending on the focus of the practice, even small firms should consider getting cybersecurity insurance coverage of between $3 million and $5 million, Teppler said, since they’ll have to take into consideration not only potentially affected clients, but clients of those clients.

“You might have to have all of them notified. And that doesn’t take into account the forensic examination, the legal compliance costs that will ensue immediately,” said Teppler, a Florida-based attorney who is the chief cybersecurity legal officer at New Jersey-based Mandelbaum Barrett. “Dealing with data breaches or cybersecurity events is expensive.”

Teppler and the Bar’s cybersecurity committee, created last summer under President Scott Westheimer, will be releasing recommendations for members in the next six months on how to prepare for a ransomware attack. But in the meantime, firms that try to get coverage will benefit from the application process, Teppler said.

“If you apply for cyber insurance now, you’ll be asked a number of questions, such as: Do you have multi-factor authentication? Do you encrypt your clients’ information at rest, meaning when it’s being stored? How are you communicating with your clients?” Teppler said. “Are you doing it in a manner which preserves confidentiality? Do you have a firewall? Do you deploy anti-malware?”

In addition to these preventative measures, Teppler said insurers are looking to see whether firms have policies in place for what to do when they are attacked. If firms don’t take these steps, or if they misrepresent the steps they’ve taken to the insurer, their policies could be rejected or rescinded, or their claims could be denied even if they’ve qualified for coverage.

“One question is, ‘Well, if I do all these protections, why do I need cyber insurance?’” Teppler said. “The answer to that is: nothing’s perfect. You know, criminals are always one step ahead.”

He added: “And it doesn’t mean you have to build Fort Knox.”

But the cybersecurity landscape is ever-evolving, Teppler said, which is why his committee is trying to focus more on best practices than on, for instance, a specific piece of protective software, which doesn’t really exist yet and comes with its own risks.

“If you have a one-source provider for everything, that’s wonderful. They’re called managed service providers,” Teppler said. “But if they go out, you’re down for the count.”

During the Master’s Seminar on Ethics at the Annual Florida Bar Convention in Boca Raton last June, Teppler disagreed with two cybersecurity experts who were speaking on a panel he moderated titled “Cybersecurity, Ethics, and the Law.”

The two experts were Mary Frantz and Eric Hibbard. Frantz is the CEO and founder of Enterprise Knowledge Partners LLC, a cybersecurity consulting company with offices in Chicago, Dallas, New York, Washington, D.C., and San Francisco. Hibbard is the director of product planning with a focus on security management and storage at Samsung Semiconductor, Inc.

“We’re not in agreement with the cybersecurity insurance market, and what they’ve become and what they do, and we don’t believe it’s necessary,” said Frantz on behalf of both her and Hibbard at the event. “But we’re not the attorneys, so I’m going to leave that alone.”

Frantz later gave an example of how an insurance company could deny a claim because the attack occurred on an attorney’s personal phone that wasn’t encrypted.

Hibbard seemed to agree and mentioned what he learned about insurance policies when putting together the small business cybersecurity checklist published in 2021 for the American Bar Association. (He has also helped to create international cybersecurity insurance standards.)

“The terms and conditions vary radically,” Hibbard said. “You might have an incident, but from an insurance company’s perspective, the incident may not commence until after the actual event. So, you may have incurred massive costs that may not be covered.”

Hibbard added: “There are lots of opt outs.”

One of these opt outs that has made the news is when a cyberattack may constitute an act of war.

In two high-profile cases that both settled, insurers denied coverage citing a war exclusion related to a 2017 cyberattack against Ukraine that the White House in 2018 blamed on Russia.

Caught up in the attack were two global companies headquartered in the United States: Merck & Co., a pharmaceutical company based in Rahway, New Jersey; and Mondelēz International, the Deerfield, Illinois-based manufacturer behind snacks such as Oreo cookies and Ritz crackers.

The companies sued their insurers over the coverage denial.

But because they settled – Merck on January 3 for an undisclosed amount over $1.4 billion in alleged damages, and Mondelēz on November 2, 2022 for an undisclosed amount over $100 million in alleged damages – no legal precedent has been set for this type of exclusion.

Teppler acknowledged these kinds of challenges with cybersecurity insurance at the Bar seminar last summer and in his interview with the Bar News.

“Insurance companies aren’t created to pay money. They’re created to insure risk,” Teppler told the News. “You have to look at the quality of the insurance company.”
