
“Never assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy.” – Delinea 2025 Cyber Insurance Research Report
As I have written before, law firms and cybersecurity: it’s a subject that often makes managing partners’ eyes glaze over. They don’t understand it, it’s expensive, and frankly, it’s boring. They assume cybersecurity events won’t happen to their firm, and when one does, the only question they ask is “do we have insurance?” Increasingly, the answer is: yes, maybe, and sort of. That’s why a recent survey by the cybersecurity company Delinea is significant and lends credence to my concerns. At the very least, it should serve as a wake-up call for firm leadership.
Delinea is a cybersecurity company that focuses on privileged access management and identity security for organizations. Delinea partnered with Censuswide and surveyed more than 750 security leaders about cyber insurance and claims practices. While you often have to take with a grain of salt what vendors and consultants find in their own surveys, since the findings tend to strengthen the case for buying what they sell, the Delinea survey reveals some potentially troubling gaps between what insureds think they have and what their policies actually cover. Those gaps apply just as well to law firms.
It’s a Question of When, Not If

First things first: if a law firm doesn’t think a cybersecurity event is going to happen, think again. Seventy-seven percent of those surveyed by Delinea revealed they had suffered a cybersecurity incident in the last year. While the survey didn’t focus on law firms, there’s little reason to think firms are any different. In fact, law firms may be more at risk since they hold highly confidential client material that, frankly, is valuable to the bad guys. But all too often firms think a cybersecurity event isn’t going to happen to them. It’s sort of the security-through-obscurity notion about which I have written before.
Cyber Insurance: It May Not Be What You Think

According to the Delinea report, cyber insurance policies often don’t cover what you expect. Only 33% of respondents’ policies covered a critical loss component: lost revenue. Only 45% of the policies covered ransomware (where an attacker encrypts the victim’s data, frequently after stealing a copy of it, and demands payment for the decryption key or for a promise not to publish what was taken), despite the fact that 1 in 5 surveyed reported a ransomware incident. That’s an important limitation, since management often concludes that paying the ransom offers the quickest return of needed data and the quickest return to business operations. That may or may not be true: payment does not guarantee a working decryptor, and it does nothing to undo the theft of data that has already been copied out. Forty percent of the policies don’t cover costs to recover data. Less than half covered incident response services or additional remedial security controls. What all this means is that a firm may end up not being covered for a significant loss. I recently wrote about a company that sadly had to go out of business because it did not have sufficient coverage for a ransomware claim.
Years ago, I attended a cybersecurity conference. I had lunch with a bunch of insurance marketing guys licking their chops over the huge market for cyber insurance. I asked what would happen when the claims poured in, as they most certainly would. I was met with stone silence. We now know what will happen: as the report puts it, “Insurance adjusters are on the lookout for a range of controls lapses that could get their companies off the hook for paying a claim.” And it’s not just coverage issues that can trip up a claim. The lack of security controls can do the same thing.
Security Controls

Not taking cybersecurity seriously and not having robust protections in place not only means an increased threat of an incident; it also could mean that appropriate coverage can’t be obtained or, if it is, will be voided once there is a claim. Indeed, almost everyone surveyed by Delinea said that their organization had to have some level of security controls in place to get coverage. Some 97% of those surveyed indicated that their carriers were demanding things like identity security controls, authorization controls, and better password management, and that carriers were increasingly scrutinizing their insureds’ security controls.

Moreover, increasingly, the policies that are in place may be voided if sufficient security controls aren’t in place, a failure that often is not discovered until a claim is filed. According to the Delinea report, 45% of those surveyed said their policies could be voided due to lack of security controls. Other reasons for voiding coverage include human error, misconfiguration, internal bad actors, not following compliance procedures, failure to report in a timely manner, and acts of terrorism and war.

It’s a hot mess: firm management doesn’t take cybersecurity seriously, doesn’t spend the money for adequate controls, and then relies on insurance once a claim happens, only to discover that they aren’t covered.
Artificial Intelligence

In addition, the advent of the GenAI world has some insurance implications as well. Here’s a noteworthy finding: 42% of those surveyed said their policies excluded AI misuse and liability from coverage. That’s important because firms have to assume that their lawyers and legal professionals, like just about everyone else, are using GenAI in their personal and often in their work lives. But if they don’t use AI tools properly, the misuse could result in liability that won’t be covered. All the more reason to undertake robust AI training and create appropriate use guidelines.
So, What To Do?

So, what can law firm management do? First, it may be stating the obvious, but management needs to read their cyber insurance policies carefully. They need to identify the exclusions and coverage gaps. They need to research how the policies and the mandated controls are being interpreted. They can’t assume coverage based on marketing material, or on what the carrier has offered in the past or to others. Management also needs to carefully review the security controls that the carrier has demanded and be sure they are actually met, not merely attested to on the application: a control that has quietly lapsed is exactly the kind of gap an adjuster will look for once a claim is filed. Conduct an annual policy audit with your IT director and insurance broker present. Treat that review, and everything else, with the same level of scrutiny the firm would apply if a client asked it to review the client’s own policies.

The report makes an excellent point in this regard:

“Because the cyber insurance market is still maturing, policy language and coverage options can vary widely from insurer to insurer — and even policy to policy. One of the challenges that organizations face is in the interpretation of policy requirements. While policy exclusions tend to be fairly clear-cut (i.e., exclusions around acts of war or nation-state activity), the language around controls requirements can sometimes remain vague.

Never assume your organization is fully covered. Cyber insurance policy language is fraught with exclusions, limitations of coverage, and conditions that will void a policy. It is incumbent upon risk leaders to collaborate with executive management and the board to identify how existing controls weaknesses could jeopardize their insurability and to utilize gap analysis for prioritizing investments.”

Couldn’t have said it any better.
Stephen Embry is a lawyer, speaker, blogger, and writer. He publishes TechLaw Crossroads, a blog devoted to the examination of the tension between technology, the law, and the practice of law.
