Any law firm or legal advisor can face a cyber threat.
Recent trends demonstrate an increase in cyber attacks against the legal industry, often targeting the sensitive client data that firms hold – including personal information, sensitive financial and health records, as well as third-party corporate data.
These data types are commonly targeted in ransomware attacks and can be exfiltrated and used to extort both the law firm, its clients and the firm’s wider stakeholders.
Law firms also hold significant funds in trust and their wider financial accounts which are increasingly targeted using social engineering, push payment, funds transform and identify fraud methods.
The loss of client data or of a client’s funds can create extensive ethical, professional and reputational dilemmas. This complex risk environment makes the legal profession one of the industries that most commonly pay ransom and cyber extortion demands.
Law firms’ difficult IT environments are also challenging to defend and secure, as they regularly have weaknesses in their authentication processes, limited privilege and access management. There may also be a poor understanding of key IT assets and IT inventorying, high levels of data aggregation, extensive shadow IT, legacy and un-supported systems, and supply chain exposure due to their reliance on third-party managed service vendors to administer and protect the firm’s IT environment.
To combat this exposure, landscape law firms must adopt an in-depth approach to defence and develop a holistic risk management strategy. There are many security investments and risk management processes that should be considered, however this article focuses on one of the most poorly understood, and underutilised investments by law firms, the procurement of specialist cyber liability insurance.
What is cyber liability insurance?
Cyber insurance is a first and third-party risk policy that seeks to address the common losses an organisation or law firm is likely to experience in the event it sustains a major cyber incident. The product is a financial lines insurance policy and was created to address the gaps commonly seen in traditional wordings, which failed to respond to cyber incidents.
From an overall risk management perspective, cyber insurance enhances an organisation’s ability to respond to suspected incidents and to recover its impacted IT environments, as well as providing support to manage wider reputational and stakeholder risks caused by cyber attacks.
Cyber insurance policies are typically enlivened when a firm identifies a suspected unauthorised access or intrusion into a computer or network system. The key coverage pillars in the policy cover incident response expenses (which indemnify the costs for forensic investigator, external advisors, and public relations support), notification processes, extortion demand payments and expenses, data restoration costs, financial business interruption, privacy and data regulatory obligations, and third-party complaints arising from a failure to protect data or a failure to prevent a malicious intrusion.
Law firms must increasingly rely on cyber insurance products, given cyber exclusions are commonly seen across professional indemnity, crime, and other packaged insurance cover.
The current cyber insurance market
The cyber insurance market is relatively new when compared to traditional insurance policies.
The first modern cyber policy was issued in the London market in 2002. In the period between 2002 to 2019, the cyber insurance market was relatively ‘soft’, with few claims and a high insurer appetite to underwrite the risk.
Since 2020, however, the market has been ‘hard’, with insurers sustaining significant ransomware incident losses and business interruption claims resulting from cyber events. This has caused capacity to shrink, with fewer carriers willing to write the risk and the scope of cover reducing, particularly for perceived immature organisations.
As cyber insurance is an emerging risk, the market is exposed to volatile changes, given carriers have limited historical data and a relatively small premium pool, compared to tradition risk lines.
These factors require insurers to continually assess the covers they are willing to offer under polices, their desired industries to insure, pricing, coverage conditions, and the overall cyber maturity demanded from insured organisations within their book.
Over the past 12 months, carriers have responded to the unpredictability of the cyber threat landscape by requesting greater insurance disclosure information and demanding higher levels of cyber maturity for risk they will quote.
A number of the insurers mandate risk controls with common elements to the Australian Signals Directorate Essential 8 Cyber Security Framework. Other insurance requirements drill into how well an organisation understands its overall financial and operational exposures from cyber events, as well as the specific control failures commonly seen in cyber events such as domain controller security, poor supply chain risk management, and the use of privileged accounts within the IT environment.
For many organisations, the control issues identified by carriers provide valuable insight into their own cyber maturity and cyber uplift strategy.
How does the cyber insurance market examine law firms?
Carriers are increasingly selective about when they will offer terms to law firms, due to concerns around the risk exposure landscape and the loss profile of law firms.
In the current landscape, legal, financial and professional service industries are amongst the most attractive targets for cyber criminals. Numerous law firms have been subject to significant extortion and ransomware attacks over the past 12 months.
Many cyber attacks against law firms focus on data exfiltration. Once a threat actor holds a law firm’s key information assets, they can exert significant leverage over the firm by threatening to disclose the data loss to clients and demanding ransom payments in exchange for deletion of stolen data. Malicious actors are also aware that compromises of client data can expose a firm to potential breaches of its professional and ethical obligations.
Confidentiality lies at the heart of the roles performed by law firms, and failure to protect client data can result in a wide range of exposures. Cyber breaches can cause harms such as breaching court obligations, impairing a client’s ability to establish privilege, contraventions of solicitors’ rules, the inability to meet time-sensitive client deadlines, reputational damage, as well as long-term financial harm and loss of business.
These factors also mean that law firms incur high levels of investigation and triage costs when compared to other industries, and will perform significant crisis work in an effort to limit the risk of consequential harm following the incident.
The interplay between cyber events and social engineering attacks is also a key problem for law firms. Cyber criminals can cause significant harm through intercepting email communications, changing payment instructions or by manipulating invoicing processes.
These types of attacks can be difficult to detect and may arise from business email compromise or attack methods which pray upon weaknesses in employee awareness, or a compromise of a supply chain partner.
Over the previous 12 months, carriers have increasingly had to pay out significant cyber claims to law firms resulting from successful cyber attacks. The scope of risk and extent of financial losses paid by insurers has resulted in some cyber insurers deeming law firms as out of appetite.
Thankfully, more sophisticated carriers accept that law firms can still be appropriate risks to insure, where they demonstrate an understanding of their situational risks and industry exposure profile and adopt proportionate cyber controls within an overall cyber risk management strategy.
A common demand of carriers is that the law firms seeking insurance should engage with the insurer to explain how they approach cyber risk management, and the reasons why the firm has confidence in its overall risk management approach.
Key underlying controls such as multi-factor authentication, monitoring, logging, privilege management and patching are critical minimum controls demanded from law firms. Where appropriate controls are demonstrated, skilful brokers can still obtain good results in the current market.
Do you need cyber insurance?
Because of the deteriorating loss environment, cyber insurance is now one of the most expensive classes of financial lines insurance. All organisations, including law firms, should objectively assess their needs for the product, as well as the appropriate limit and the types of cyber covers they require.
In almost all cyber incidents impacting law firms, significant forensic and crisis support is called upon during investigation, triage and recovery processes. For this reason, cyber insurance policies that include strong incident response support and established insurer vendor panels should be prioritised.
The insurance obtained should also reflect how the firm assesses the likely financial losses it would sustain following a significant cyber event. There are many approaches available for cyber risk quantification, however firms should avoid methods that rely on a cost per record metrics, and should instead consider the wider financial, legal and reputational issues that can result from cyber incidents, particularly a ransomware incident.
Firms should also consider the amount of data they aggregate, given many data assets stored across client files will include sensitive commercial, financial and reputational information.
Where breaches occur, cyber insurance supports effective incident response and recovery as it indemnifies financial costs and key third-party risks.
The wordings will also provide organisations with access to leading incident response providers, and the ability to leveraging the insurance market’s knowledge drawn from handling tens of thousands of incidents every year.
While not the sole answer, insurance is now a fundamental cyber investment, which when tied to strong cyber controls and resilience investment, is the linchpin of an effective overall cyber risk management strategy.
This article appears courtesy of the QLS Privacy, Data, Technology and Intellectual Property Law Committee. Ben Di Marco is a cyber specialist at Willis Towers Watson and a member of the committee. The author wishes to acknowledge Olivija Radinovic for her assistance.
Resources
forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/?sh=7f4a424ca13e
cyfor.co.uk/cyber-attacks-law-firms-increasing-firm-secure
lca.lawcouncil.asn.au/lawcouncil/cyber-precedent-risk-management/cyber-precedent-insurance
abovethelaw.com/2022/05/two-law-firm-data-breaches-and-new-breach-stats
law.com/international-edition/2022/05/18/australian-companies-face-increased-cyber-risks-law-firm-minterellision-says
Share this article