A cyber insurance policy can force an insured client to take certain security precautions. But for law firms, this doesn't mean dropping their own cybersecurity vendors for their carrier's recommended list. Indeed, even with financial incentive, some law firms continue to leverage their own preferred cybersecurity vendors, despite their insurance carrier's suggestions.

Typically, ALPS Corp., a legal malpractice company that also offers cyber liability insurance to law firms, requires policyholders to work with specific cybersecurity vendors in the event of a claim.

"Think of how most health insurance policies are with their lists of preferred providers; the cyber insurers [also] have lists of providers," explained Attorneys Liability Protection Society risk manager Mark Bassingthwaighte.

The preference for specific cybersecurity vendors is driven by the insurance carrier previously negotiating fixed rates, which help contain some costs. "Cyber insurers have potentially very high exposure in terms of all of this, and they are going to try to do everything to keep their losses in line," Bassingthwaighte said.

Cyber insurers also review their preferred cybersecurity third parties beforehand for quality purposes. "I think that the insurance company, in general, is investing a lot of time and money to vet if those cybersecurity companies are qualified and capable," noted Lowenstein Sandler insurance recovery group chair Lynda Bennett.

Still, law firm clients are also taking the initiative in specifying who will manage their client data, sometimes against the cyber insurer's suggestions.

"I think some law firms are inquiring whether they can get vendors [who] right now manage their data to be preauthorized in the event of a breach, and that's really driven by how law firms are very concerned about keeping their confidential data confidential," Bennett explained. "Rather than having a discussion and debate when a data breach is ongoing, they are asking their cyber insurers to already authorize [their vendor]."

Usually cyber insurers will accept the request to use a client-suggested vendor, but with a caveat.

"I think the insurers, when you ask them to add your own vendor, they may be willing to do that but there might be a higher deductible or self-insured retention up front," Bennett said.

Still, not all cyber insurers require clients to use specific cybersecurity vendors. Eddie Chang, second vice president of cyber risk management at Travelers, said that when a cyber incident occurs, some cyber insurance carriers are offering a new coverage called "betterment." He described the coverage as helping the company pay for security improvements, as recommended by the client's incident response vendor, that will reduce the risk of a repeat breach.

"Because there isn't a one-size-fits-all solution when it comes to cybersecurity, it won't always work for an insurer to dictate the use of a specific product or service," Chang wrote in an email.

To be sure, finding a vendor to perform security audits, router checks and other preventive services can sometimes be challenging for firms and cyber insurers, especially in rural areas.

"In terms of the upfront preventive things, that is a little harder," Bassingthwaighte said. "I'm a national risk manager for ALPS; I'm working with firms across the country. I get these calls from three-lawyer firms in small communities, and it's very difficult to find who they can work with to provide preventative cybersecurity services. There is a shortage in some areas."