Law Firms that are relying on their Business Owners Policy (BOP) or their Attorney Malpractice Policy to cover Cyber Exposures should pay attention to the Rhode Island Law Firm that was hit with Ransomware. According to the ABA Journal Article, the Law Firm of Moses Afonso Ryan Ltd was hit with a Ransomware attack that essentially locked its computers for 3 months before they could be restored. Sentinel Insurance (Subsidiary of The Hartford) wrote the firm’s BOP. Sentinel’s Policy had a $20,000 sub limit for losses caused by computer viruses under the computers and media endorsement. Sentinel paid $20,000 per the policy sublimit. The 10 person law firm states that they were out over $700k in billings for that time period and has sued Sentinel in attempt to recover their loss billings.
Sentinel denied coverage for business income stating that business income only applies to physical loss or damage to property at the premises per the BOP policy language.
Firms should take heed that a BOP is designed to cover physical and general liability insurance exposures. A BOP is not a substitute for attorney malpractice insurance or in this case cyber Insurance. The basic BOP combines insurance coverages for:
- Property Insurance (Building and Business Personal Property)
- Crime Insurance-Likely limited to a sub limit
- Liability Insurance (not the malpractice insurance)
- Business Interruption Insurance-For physical losses that occur on the premises
- Hired non owned auto
Cyber Insurance/Data Breach is a more appropriate coverage for this exposure. We have previously posted that a good Data Breach/Cyber Liability Insurance offers 1st party and 3rd party coverage. It needs to respond to the following exposures:
1st Party Claims
1. Incident Response Services
2. Ransom demands to unlock your system.
3. Notification requirements costs from federal & state laws & regulations to your clients that have suffered a data breach
4. System assistance in restoring your systems and data
5. Loss of income for the time that it takes to recover from a data breach
6. Harm to reputation & goodwill
7. Crisis Management and public relations costs
3rd Party Claims
1. Damages to clients that have suffered a data breach
2. Cost of defense to defend you from these claims
3. Regulatory Violations, fines and penalties that may be accessed against the firm
It remains to be seen whether Moses Afonso Ryan Ltd will prevail in their suit against Sentinel, but doesn’t it make sense to have the specific coverage that addresses the specific peril? Hoping to have the courts expand coverage interpretation after the fact can be an expensive lesson.