Specialty Podcast: Cyber Incidents and Rising Claims: Best Practices for Law Firms

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:08):
Ladies and gentlemen, thank you very much for being here and welcome to another Alliant Specialty podcast. We are very lucky today. We've got the esteemed, Mr. Stuart Panensky of Pearson Ferdinand. Stu, welcome to the podcast.

Stuart Panensky (00:22):
Thank you for the opportunity, Brendan, and thank you to Brian.

Brendan Hall (00:26):
We really appreciate you being here. This all came out of some news that we saw on, I believe it was initially LinkedIn about the launch of the new firm, and it's been a bold venture. I have to say, we were just looking at the news earlier that you've added another 25 attorneys recently, and so now that brings you about to 130 or so.

Stuart Panensky (00:45):
135

Brendan Hall (00:47):
135, plus staff. I think Brian, you had said this is the biggest brand new law firm launch in the history.

Brian Kill (00:54):
I think that's what you were telling me Stu. It's certainly the largest fresh launch I've ever seen.

Stuart Panensky (00:59):
That's what we understand and again, we didn't set out to do that, but we're very proud that we're able to say that. So appreciate you pointing that out. It’s been quite a ride. We're very excited. It's all positive energy.

Brendan Hall (01:11):
We thought, wow, that's really cool. Let's get on the podcast and talk about this. So we have a couple of questions here for you. Maybe we start with some of the basics and ask you to tell us just about your background and how you got into cybersecurity as an attorney and privacy.

Stuart Panensky (01:26):
I tell my story often, so many people may have heard it already, but I came up the ranks at a traditional insurance services law firm. They performed insurance coverage and litigation and all kinds of services for the insurance industry. I got to know the commercial insurance industry very well. As a practicing attorney, I was doing mostly architects and engineer liability cases, bridges and tunnel construction defect and that type of claim. And through those assignments, you don't get to choose when you're a young attorney what cases you get; they're just sort of given to you. We would have a couple of software development liability cases come through the door with one particular carrier and the same people that were managing the claims for the bridges and tunnels cases were also handling those claims. So I got those assignments and started working on them and candidly I was better at those than it was the other assignments.

I enjoyed the work more and what I learned was known as technology errors and omissions, which was at that time considered a design profession, which it is. And just being in that space allowed me to see the creation of the cyber insurance product and the evolution of that product first as an add in to other policies that my clients were marketing and then eventually into its own standalone policy. And I was there for the journey. I was very fortunate in my career to be at that crossroads. And I got on board the train, as they say. We got to know cyber and started developing relationships with cyber insurers and we did well. So we got a decent relationship, moved to the legacy law firm and developed the practice that came with me when we started Pearson Ferdinand. We have a great team and as Brian mentioned in our prep session, we do the entire 360-degree of services. So we do the so-called peacetime services, corporate risk management counseling, getting folks ready for cyber. We do the data privacy, the website compliance, the T's and C's, etc. But then also we do the wartime services, which is really where I would say the bulk of our focus is in our practice. Wartime being the incident response, data breach, ransomware, business email compromises and then of course the lawsuits, the third party liability cases that arise out of those types of incidences, of which tech liability is just one.

Brian Kill (04:03):
So Stuart, I had just a follow up question on that last part about the liability cases. What has been your experience over the last couple years, seeing those liability cases? For law firms, which is my area of expertise, it hadn't been a tremendous issue until about two years ago. And of course we've all seen the data where data breach class actions are way up. So I was just curious what your experience might be with the third party liability piece of the coverage.

Stuart Panensky (04:31):
It's a growth area. I would agree with that observation. I was always in the Tech E&O game. That's where I started, as I mentioned earlier. But I would say in the last couple years, the trends are, we see three different kinds of liability actions that arise out of these types of instances. The first is Tech E&O, which I mentioned we could talk about at more length whenever you want. The second one is the one you mentioned, privacy class action lawsuit. Sometimes it's not a class, sometimes it's just a singular plaintiff, but it's essentially the argument that a person has been damaged as a result of the incident or somehow there's some causal nexus with the incident and there's some nuances there of course. And then the other thing that we're seeing a lot of is wire fraud liability or cases where two companies or multiple, more than two companies are arguing over who's responsible for the loss of funds when a fraudster has come in from either socially engineered someone to send money to the wrong place, or somehow or another was able to misdirect funds that were meant for someone else. And the liability cases that arise out of that argument has been on the increase a hundred percent.

Brian Kill (05:45):
You know, that's really timely that you mentioned that Stu, because Brendan and I were just on an RFP call where we pointed out that the policy had an exclusion for that exact thing, and it was the first time I had ever seen it, and that's probably over reviewing in the last 18 months, maybe 19 primary policies. It was the only time I'd ever seen it, and we did point that out as something that an insurer should definitely look to avoid having appended to their coverage.

Brendan Hall (06:12):
With that said, getting back to the actual launch of the new firm, obviously there's bazillion firms out there, so there's always the opportunity to just go and bring a practice group to another firm, but you guys decided to start fresh and launch an entirely new firm, new name and really make a splash. Can you give us some background on what was the momentum and the thought behind doing that and how the whole thing came together?

Stuart Panensky (06:40):
Sure. Pearson Ferdinand is a distributed law firm, so I should put that up front, meaning that most of our partners either work from virtual offices or their home offices. We do have a few brick and mortar spaces when we're required to under local rules. But otherwise we're in the jurisdictions where our partners practice. And so most of the firm comes from another distributed law firm, so it was very easy for us to adopt that model. The advantage of starting fresh is that the management was able to design the technology stack for our partners to maximize the efficiencies for both the partners that practice the services and the clients that receive the services. So whereas most law firms, when they have their technology decision making, it's not all the time, but most of the time a product of needs. So they'll be people of computers that are networked together when a law firm's first starting out, and then maybe they bring in a few servers and then they'll say, "oh, we should probably secure those servers."

So they'll bring in some security tools, a firewall, and then they need someone to manage all that. So maybe they'll bring in an outside party to manage all of those and they just grow as organically as you can see. And it's not really thought through in the sense that what we were able to do by knowing what our needs were going to be and having the experience with the amount of lawyers that we knew we were going to be joining us to start to maximize that user experience and client experience. So what does that mean? In practical terms, faster conflict checks, more responsiveness from the partners themselves, maybe more automated services. And so we're able to try to leverage the different technology resources that we've adopted in order to improve the performance of our partners and the experience of our clients.

Brendan Hall (08:48):
That's great. This is such a long time coming for this sort of new model. I remember talking years ago about the idea of, do clients really want the penthouse suite type office space on Sixth Avenue? Because you can imagine at some point that's going to come back to haunt them in what they're paying for fees. So I have to imagine your model, you're passing some significant savings along to clients just by not having a massive real estate footprint.

Stuart Panensky (09:14):
That's exactly right. The other thing that makes us very unique as a law firm, and I'm going to tie this back to your question, is the way we compensate our partners, and this is getting a little in the weeds, but we have an objective, which means non-discretionary and completely transparent compensation system for our partners. And doing that allowed us to take the two essentially biggest line items of a law firm's operation off the table: the real large real estate footprint that you just mentioned, and loaded staff budgeting that comes along with associate salaries and guaranteed pay. So we have a different system that is very entrepreneurial, allows happiness and freedom back into the life of our partners because we give them control of their own careers. We give them control of their own practices and their own lives. We're one of the few law firms that is very transparent about how we do that, and I welcome anyone who's interested to learn more to contact me.

Brendan Hall (10:25):
Yeah, transparent and compensation are not two words that typically find themselves next to each other anywhere let alone in law firms sometimes. So that's really great and I'm glad you guys are doing that.

Brian Kill (10:38):
Yeah. And then Stu, you mentioned in our prep call that you've done quite a bit of representation for law firms with regard to breach response and the like. And selfishly I'm interested to know as part of Alliant's law firm division, so maybe you could expand on that a little bit. And I think what would be helpful is if we could drill down specifically on claims, best practices and where you see problems and where you see avenues for avoiding the most common problems.

Stuart Panensky (11:05):
And I don't know why that was, but just it happened. If you look, we keep metrics on all of the types of clients that we get and the types of matters that we have, and we just happen to have a lot of law firms as clients. I don't think there's any particular reason for that, but it just worked out that way. And so we have a lot of the same conversations with those law firm clients about cyber, about data privacy, correlating issues that go along with an incident response or a claim or a cyber claim. So part of the issues that we address with our clients, not just law firms, but especially law firms, is the claim process itself. A lot of times a law firm outsources, especially the medium sized law firms, they'll outsource their technology services usually to an outside technology provider.

And it's a lot of experience where that provider assumes the incident response almost as a matter of engagement. Maybe it's even in the retainer. And we disagree with that as a best practice from a claim perspective because we usually want to bring in services where the carrier, the insurer is already agreed that they will provide coverage for if they're engaged. So we want to see the client use the insurer's claim process, the preferred claim process. Our default if you have cyber insurance is to follow the claim process that's set forth in the cyber insurance policy. We also offer to facilitate that on behalf of our clients because we know the cyber insurance processes very well and we can navigate the intake process and other parts of the claim overhead parts rather efficiently.

Brian Kill (12:50):
Yeah, and we tell them the same is that if this is an emergency, call your breach coach right away and the breach coach will facilitate the engagement of the approved vendors that are part of your insurance company's panel who do this day and night, have deep expertise in the space. That rings true with what our advice typically is to our firms as well.

Stuart Panensky (13:12):
Even using appropriate terminology that the cyber claim professionals are used to is important in the process. And while there are hundreds, thousands of qualified IT companies that can do an incident response, there's no uniform terminology for some of the things that go on. The budgets are wildly different. The rates are wildly different. And so as all things where commercial insurance has taken over behind the scenes to resolve matters and to transfer risk, there's metrics behind it. We know how much a business email compromise investigation should cost. If your policy holder's local provider who's awesome charges three times the amount of money for the same work, there's no reason to use that awesome local provider when there's a lot of awesome carrier providers that could do it for a lot less. So we always try to guide them in those directions. Then there are the occasions where they've gotten ahead of themselves. We just have one recently where we were retained after the digital forensics firm, which was not an approved firm, already deployed all of the security tools, which are the same tools that any of the vendors that are approved would've used. And from a practical perspective as council, I don't want to undo all of that good work that got done. That's silly.

Brendan Hall (14:42):
Yeah.

Stuart Panensky (14:42):
So it's a different kind of conversation you have with the carrier at that point.

Brendan Hall (14:46):
Yeah, I mean IR providers should know, "Hey, we're not actually approved on your panel. Are you sure you want to use us?"

Brian Kill (14:55):
Yeah. A common obstacle for our clients, and we get out in front of this as much as we can, is that you have to go to the vendor panels because the most common claims dispute that we see is when it's a non-panel provider. And I think further to what you were talking about Stu, is that the policy is a resilience tool. So it isn't just indemnification, it has plugged in all the vendors and the response and firms like yourselves that really help manage much more efficiently the response to an incident.

Stuart Panensky (15:25):
A common refrain we hear from our policyholder clients before they file the claims is that they don't trust the carrier. We hear that a lot. Not you all, the broker, there's a trust relationship there, and that's why we have very strong partnerships because we know we can sometimes have a different kind of conversation with our mutual client before a carrier gets involved. What tend to end up doing is persuading the policyholder to trust the carrier in the case of incident response for the reasons you just said, Brian, because you do have access to this pre-vetted, fully qualified panel of experts in multiple disciplines that can make the incident response process for you as inconsequential to your day-to-day life as possible. And if I'm a business owner, or if I'm the CFO or if I'm the general counsel of a company and breach council shows up and says, "look, I do this a lot, here's what's about to happen, and then here are the folks that it's going to happen with," and it actually happens exactly the way council says it's going to happen. I would be very satisfied. That's a very efficient process. So I try to put my myself in the place of the policyholder to make those observations and to try to make those decisions and to meet that expectation.

Brendan Hall (16:51):
Very cool. This has been a great conversation. We really appreciate the time. We like to end these things, when we have guests here to take it a little off subject and ask what's a fun fact about yourself that maybe some of the audience or clients of yours would not know.

Stuart Panensky (17:06):
Oh, I have to take the opportunity to plug my very lit LinkedIn feed. I love posting on LinkedIn. I post serious subject matter content. I also post something funny every single Friday. So I encourage you to find me on LinkedIn and follow me there.

Brendan Hall (17:25):
Again, Stu, we do appreciate time. Congratulations on a bold move here with the launching the of the new firm. For the listeners out there, check out Pearson Ferdinand for any of your data privacy and, certainly, your cyber needs and anything else that they're services are offering. Well, Stu, thanks for the time and let's be in touch.

Stuart Panensky (17:43):
Thank you everyone for this opportunity. This was awesome.