Law Firms Are Uneducated & Exposed

Uploaded on 2018-08-15 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Financial

Law professionals can gain a deeper understanding of the digital threats they face, and why (and how) they can be properly insured.

Insurance thought-leader Ralph Pasquariello offers a cautionary tale about one law firm that recently paid the price for cheapening out on its cyber liability insurance.

“I got called in to insure a firm here in Atlanta,” he recalls. “When I met with them over the last couple of years, they resisted my help and assessment of their coverages. Then, six months ago, they were involved with a business e-mail compromise that cost them $127,000.

“The cyber policy I would have sold them would have cost somewhere around $6,000,” says Pasquariello, cyber/data/network liability specialist and commercial liability consultant for Atlanta-based Snellings Walters Insurance. “Do the math. The loss they incurred was much more than $127,000, as they needed to pay for forensics and restoration costs.”

While that may sound like a good-sized loss, in the larger scheme of cyber losses, it’s still on the low end, and that firm’s blind spot for a major cyber-related loss is not uncommon.

When it comes to purchasing adequate insurance coverage to protect them against digital-based threats, many law firms often spend far less than they should to protect themselves, and put themselves at serious risk.

This is largely due to two key factors: First, most law firms typically do not comprehend the scope of the cyber exposures they face, and second, those firms, like many businesses, possess a very limited understanding of the coverage protections available to them, what losses are covered, and how valuable Cyber insurance can be.

Cyber risks for law firms: A primer

Joshua Motta, CEO/co-founder of cyber insurer Coalition, explains that because law firms act as title agents and hold funds in escrow for their clients, if that firm gets socially engineered or its security fails, any dollar amount between the entire cost of a home to millions of dollars can be lost.

“We have seen criminal actors target law firms due to the role they play in managing large-ticket wire transfers on behalf of their clients,” says Motta. “If an attacker can gain access or social engineer their way to those funds, they can often walk away with hundreds of thousands of dollars.”

If you think only large firms are at risk, think again. Small to midsize law firms, Motta continues, “have the sort of information that criminal actors would love to have, and they’re collecting data on a scale that their size may not necessarily imply.”

One example would be a firm handling a class-action suit for multiple clients against a hospital, in which medical records are involved and held by the firm. “Regulatory fines for the loss of private health information (PHI) can be significant,” Motta stresses. “Law firms collecting this information from clients may not realize the extent to which they’ve set themselves up as aggregators of PII or PHI. That’s a unique exposure.”

One key risk that all commercial businesses are subject to is business interruption due to hacking. “Most people are under the impression that their General Liability insurance will pay for business interruption. It will under general liability risks, but not in the case of a cyber-attack or malware incident,” Pasquariello notes.

Consider, he says, what the cost would be to any size firm if that business has to close its doors for two weeks or four weeks while the proper forensics are done and systems are restored to normal. “The new malware that is out there will not only encrypt your system, it will also migrate to your backup in the cloud,” he explains. “That renders a company useless.”

Likewise, a ransomware attack, in which a firm can get locked out of its computer systems, can cost a firm millions of dollars and lost business, while all of its data is rendered inaccessible. “How much would you pay for an insurance policy to cover those types of damages?” Pasquariello asks.

“Law firms may also be particularly susceptible to ransomware,” says Edward Chang, second vice president, Cyber Risk Management, Bond & Specialty Insurance at Travelers. “There have been instances, for example, where cybercriminals have coerced a ransom payment by threatening to contact a firm’s clients, since law firms may be especially vulnerable to such threats.”

Cyber criminals who use ransomware are now tailoring their ransom demands based on the value of the systems and the data that have been compromised.

“A law firm’s entire business is built on trust,” says Motta. “Any breach or loss of client data can substantially impair that trust, and even become a company-ending event.”

Understanding what’s covered

Uncertainty about exactly what protections are provided in a cyber policy is part of the problem. That’s not always clear to the potential client.

Cyber coverage 101

So what exactly does a cyber policy include for a law firm?

“That’s the million-dollar question, because every cyber policy is different,” says Motta. “There is no standardized policy language. That’s why it’s important to work with a carrier that understands this risk, and whose policy will respond to all possible loss scenarios. Not all policies are created equal.”

Cyber insurance is still relatively new. As a consequence, forms and coverages are still evolving, so it’s important to review the actual policy to ensure that the coverage provided meets the needs of the insured.

Some typical first-party coverages include:

  • Incident response costs: The legal fees and expenses associated with computer forensics, breach notification, and identity monitoring when a security breach occurs.
  • Cyber extortion: Money (or cryptocurrency) paid as a result of threats made to destroy data, attack a computer system, or disclose electronic computer information.
  • Business interruption: Loss of income and expenses to restore operations as a result of a computer system disruption caused by a virus or other computer system attack. Contingent business interruption is available to provide coverage when such a computer system disruption occurs to a third-party service provider, such as a website hosting company, rather than to the insured’s own network.
  • Fraud: Loss of money or securities as a result of computer fraud, funds transfer fraud, or social engineering.

Typical third-party coverages include:

  • Network and information-security liability: Coverage for claims arising from unauthorized access to data, failure to provide notification of a data breach when required by law, or transmission of a computer virus from the insured’s network.
  • Communications and media liability: Coverage for claims arising from copyright infringement, defamation, libel, or slander in electronic content.
  • Regulatory defense expenses: Coverage for claims by government agencies as a result of network and information security liability or communications and media liability.

More recent additional cyber protections include:

  • System failure: Extends business interruption coverage to computer system disruptions caused by any unintentional or unplanned outage of a computer system, not only those caused by viruses; and
  • Reputational harm: Lost profits to an insured resulting from damage to its reputation caused by a data breach.

Some policies will even cover the cost of replacing the actual computer systems impacted by malware. Not every insurer offers that protection; Coalition is one that does. Depending upon the size of your operation, it may be wise to consult your broker or insurer to inquire about availability.

Additionally, many policies offer coverage against physical perils that may be caused by a cyber event, such as bodily damage, destruction of property, or pollution. An example would be a manufacturer that gets hacked and has its entire inventory destroyed when cooling systems are turned off remotely or sprinklers are turned on.

Even if law firms had a better understanding of their risk, however, some would still opt to buy cyber insurance policies that don’t fully cover their exposure; for many, it’s a matter of expense. “People are concerned that cyber insurance is going to be very expensive, so cost is always a big factor” when determining what policy to buy, says Rebecca Rakoski, managing partner at Xpan Law Group, a boutique privacy law firm in Philadelphia.

Educational Opportunity for Insurers

Getting clients and prospects to understand both their exposures and how a comprehensive Cyber policy would respond are the two hurdles that insurance agents and brokers must clear when dealing with any commercial client, especially law firms. That creates an educational opportunity for all involved, particularly on the broker/insurer side.

PropertyCasulaty360

You Might Also Read: 

Cyber Insurance Report 2017-2018:

Cyber Risk Insurance: A View From The Prudential Regulation Authority:

 

« Bots & Ballots Make A Sophisticated Threat
Cybersecurity In Self-Driving Cars »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Engineering Group

Engineering Group

Engineering is the Digital Transformation Company, a leader in Italy and with over 80 offices across Europe, the United States, and South America.

Industrial Cyber-Physical Systems Center (iCyPhy)

Industrial Cyber-Physical Systems Center (iCyPhy)

The goal of iCyPhy is to conduct pre-competitive research on architectures and design, modeling, and analysis techniques for cyber-physical systems.

Seceon

Seceon

Seceon OTM, is a cyber security advanced threat management platform that visualizes, detects, and eliminates threats in real time.

Upstream Security

Upstream Security

Upstream Security is the first cloud-based cyber-security solution that protects the technologies and applications of connected and autonomous vehicles.

Mantix4

Mantix4

Mantix4’s M4 Cyber Threat Hunting Platform actively defends against cyber threats.

NSHC

NSHC

NSHC is a provider of mobile security solutions, cyber security consulting and training, and offensive research.

Mitre

Mitre

At Mitre we work across government to tackle challenges to the safety, stability, and well-being of our nation. Areas of expertise include Cybersecurity.

ECOLUX

ECOLUX

ECOLUX is a professional IoT security service company committed to developing world-leading “IoT Lifecycle Security” technologies and products.

Cyentia Institute

Cyentia Institute

The Cyentia Institute is a research & data science firm with a mission to advance knowledge in the cybersecurity industry.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

Quantum eMotion (QeM)

Quantum eMotion (QeM)

Quantum eMotion is a Montreal-based advanced developer leading the way towards a new generation of quantum-safe encryption for the quantum computing age.

View

View

View is the leader in smart building technologies including OT cybersecurity to securely connect buildings to the cloud and manage building networks and OT devices.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.

Cyver Core

Cyver Core

Cyver Core is a pentest management and pentest report automation platform that consolidates cybersecurity work, automates overhead, and frees cybersecurity professionals up for the work that matters.

Parried

Parried

Parried is a leading Managed IT Services and Cybersecurity provider, known for blending deep technical knowledge with business strategy.