Law firms are a "fully radioactive class of risk"

Law firms are a "fully radioactive class of risk" | Insurance Business Canada

Law firms are a "fully radioactive class of risk"

The cyber insurance market in Canada is under immense strain. In recent years, the proliferation of ransomware claims, coupled with a general lack of sufficient cyber security controls, has led to rapid hardening in the cyber insurance market, with widespread rate increases, a reduction of capacity, and major shifts in underwriting and risk appetite.

By the end of 2020, cyber insurance loss ratios were up to 400%, which means that for every $1 taken in, insurers were paying out $4. To recalibrate their portfolios, many cyber insurers have significantly increased the premiums they’re charging, often for reduced coverage.

“In the past, businesses said: “We don’t need cyber insurance.’ Then they progressed to: ‘OK, we’ll buy cyber insurance, but only if it’s inexpensive.’ And now, clients are saying: ‘We’re in a lot of trouble if we don’t have cyber insurance,’ but the market has become extremely challenging,” said Patrick Bourk, principal and national cyber practice leader at HUB International Ontario. “What we [brokers] end up doing is remarketing a lot of accounts.”

Read next: A daily conundrum for cyber insurance brokers – but it hasn't always been this wayv

Some sectors are easier to service than others. Bourk works with a lot of law firms, which he described as a “fully radioactive class of risk” that hardly anybody wants to underwrite.

“Law firms have this treasure trove of information. Statistically, they’re about six times more likely to pay the first ransom demanded, rather than negotiate it – which is quite ironic,” he said. “So, I go and speak to these smaller law firms who have been buying cyber insurance for a number of years (because they’ve realized it’s not a professional liability exposure; it’s a data exposure) and I have to tell them, months in advance of their renewal, that their premium is going to shoot up.

“I had one law firm client whose premium went from about $4,000 to $36,000. So, I remarketed the account, which led to all of these questions coming back from different insurers about cyber security controls. So, that client had to very quickly work with IT security firms and managed services security providers to get their house in order as quickly as possible and become a more attractive risk. And that’s a challenge too, because a lot of times, you can’t do that very quickly.”

While Bourk’s clients are busy shoring up their cybersecurity posture, he (like many other cyber insurance brokers dealing with the more complex sectors, like law firms) is trying to find insurers who are still willing to write the risks.

“Then you’ve got the office manager of these smaller boutique law firms trying to balance: ‘If I hire somebody to help me with pre-breach preparedness, or if I buy all of these security tools like endpoint detection and response or a privileged access management system, that’s going to cost me $30,000 too. So, what should I do now? Do I need the insurance piece?’ And they have to grapple with all that in a pretty short, condensed timeframe,” Bourk told Insurance Business.

In the case of the client who had a $4,000 to $36,000 rate increase, Bourk managed to find an insurer who acknowledged the law firm’s efforts around security controls and risk mitigation – even though they weren’t fully implemented by the time they needed the policy – and their final premium was increased to just $9,000.

Read more: University accidentally leaks personal information of 15,000 students

“My team at HUB does a lot of larger, complex risk placements – and for those firms, we have to say: ‘You can start from the premise that your deductible is going to go up twice, your premium’s going to go up by 100%, and you’re going to get half the limit you had before,’” Bourk explained.

“The nice thing is, the larger, sophisticated clients are not shocked by it because they’re been hearing about this for months. What they’ve appreciated about our team is that we get out there early and we try to manage their expectations with constant updates.”