Law Firm Cyber Risk

WHY THIS MATTERS
Law firms and legal services organizations have a treasure trove of sensitive data that is attractive to cybercriminals -- personally identifiable information (PII) of clients and employees, personal health information (PHI) of clients, confidential financial information, contracts and trade secrets, and transactional and litigation strategies.
Hackers are in pursuit of valuable data from vulnerable targets. A cyberattack can happen to a sole practitioner, a mid-size legal services organization, or a large law firm.
A staggering 25% of all law firms practicing in the United States alone have experienced at least one data breach.
Silent cyber refers to commercial insurance policies that neither explicitly cover nor explicitly exclude cyber losses. If your policies do not affirmatively provide coverage for cyber losses, you should not rely on them for cyber insurance coverage; a protracted coverage dispute is not the best route to obtaining it.
Insurance markets are explicitly excluding cyber coverage from non-cyber policies, making a more pronounced shift to affirmative cyber insurance.
Reach out to a specialized cyber insurance broker and cyber insurance carrier to ensure that you transfer the residual cyber risk you are not willing to retain, in line with your individual cyber risk tolerance.
Stand-alone cyber insurance can pick up where the cybersecurity failure left off.
The Law of Attraction
Law firms and legal services organizations have a treasure trove of sensitive data that is attractive to cybercriminals.
Lawyers collect personally identifiable information (PII) of clients and employees, personal health information (PHI) of clients, confidential financial information, contracts and trade secrets, and transactional and litigation strategies.
Furthermore, hackers may pursue one of your third-party vendors as a gateway into your network.
Your cyber due diligence includes assessing the cybersecurity and cyber insurance coverage of your vendors and suppliers.
Size Does Not Matter to Hackers
Hackers are in pursuit of valuable data from vulnerable targets.
You may not think this could happen to you, but according to the 12th edition of the Verizon Data Breach Investigations Report (2019, publicly available to download or read online), 43% of breach victims were small businesses, which means that an organization of any size can be a target.
A cyberattack can happen to a sole practitioner, a mid-size legal services organization, or a large law firm.
Data Breaches
According to the National Law Review, data collected by the American Bar Association (ABA) indicates that law firms are big business in the hacking world. A staggering 25% of all law firms practicing in the United States alone have experienced at least one data breach.
The ABA reports that there are five common types of data breach attempts on practicing law firms: 1) inside information, 2) hostage and ransom, 3) user error, 4) surveillance, and 5) hacktivism. Our focus here is ransomware attacks.
Ransomware Attacks
Ransomware is a form of malware that infiltrates your network or computer system and encrypts your data, locking you out of it until a ransom is paid (usually in Bitcoin). Typically, the attack begins with a breach of trust through email impersonation: individuals or employees are tricked into opening a hyperlink or attachment sent in a phishing or spoofed email. Increasingly, as in the case discussed below, the attackers also steal a copy of the data before encrypting it and threaten to publish it if the ransom is not paid.
In our recent article on Ransomware attacks during COVID-19, we discussed how cybercriminals are taking advantage of increased vulnerabilities during remote work by using phishing email attacks -- with a reported 667% spike in fraudulent coronavirus emails since March 1, 2020.
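The email-impersonation lure described above lends itself to a few mechanical checks that a firm's mail gateway or help desk can apply before anyone clicks. The following Python is an added example, not code from the original article: it runs two constructed messages (a spoofed one and a legitimate one) against a hypothetical firm domain, example-law.com, and a hypothetical list of partner names, and flags display-name impersonation, a Reply-To that diverts replies to a different domain, lookalike domains built from confusable characters, links whose visible text differs from their real destination, and risky attachment types.

```python
"""Heuristic phishing checks for the email-impersonation lure described above.

Added example: the firm domain, partner names and both messages below are
constructed for illustration; this is not code from the original article.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example-law.com"      # hypothetical firm domain (assumption)
PROTECTED_NAMES = {"jane partner"}   # hypothetical senior staff worth impersonating
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".docm", ".xlsm", ".zip")

# Constructed sample: a partner's display name on a free-mail sender, a Reply-To on a
# lookalike domain, a link whose visible text claims the firm domain, and a
# macro-enabled attachment.
SPOOF_MSG = b"""From: "Jane Partner" <jane.partner.examp1e-law@gmail.com>
Reply-To: billing@examp1e-law.com
To: associate@example-law.com
Subject: URGENT: wire instructions for closing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://examp1e-law.com.evil.test/doc">https://example-law.com/closing</a></p>
--b1
Content-Type: application/octet-stream; name="closing_docs.docm"
Content-Disposition: attachment; filename="closing_docs.docm"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: the same partner writing from the real firm domain.
LEGIT_MSG = b"""From: "Jane Partner" <jane.partner@example-law.com>
To: associate@example-law.com
Subject: Closing checklist
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Checklist is in the matter file, see https://example-law.com/closing
"""

# Characters commonly swapped to build lookalike domains; both sides of a
# comparison are normalised, so a legitimate domain is never penalised.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, target: str) -> bool:
    return domain != target and normalize(domain) == normalize(target)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def analyze(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if name.strip().lower() in PROTECTED_NAMES and from_dom != FIRM_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {from_dom}")

    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    for dom in (from_dom, reply_dom):
        if dom and is_lookalike(dom, FIRM_DOMAIN):
            findings.append(f"lookalike domain: {dom} resembles {FIRM_DOMAIN}")

    # Visible link text that names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in re.findall(r'href="([^"]+)"[^>]*>([^<]+)<', text):
        if host_of(shown) and host_of(shown) != host_of(href):
            findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {filename}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOF_MSG), ("legitimate", LEGIT_MSG)):
        print(label, "->", analyze(raw) or "no findings")
```

These heuristics are a triage aid, not a mail filter: a message with no findings is not thereby safe, and the display-name check only works for the names you choose to protect.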
Recently, the media reported a ransomware attack on a New York-based law firm representing celebrities by a group of cybercriminals known as REvil (also called Sodinokibi).
The group’s ransom demand is $21 million (to be paid in Bitcoin) to prevent the publication of 756 gigabytes of stolen data, including contracts, personal correspondence, phone numbers, and email addresses of celebrities. One attempt to share the data has reportedly been thwarted; however, the group has released a screenshot of part of a contract of Madonna’s.
The FBI is investigating, while the law firm, which is reportedly not negotiating with the group, has issued a public statement that they were the victim of a cyberattack, have notified their clients, and are working with experts to address the matter.
There are no reports of a ransom payment or whether the firm had cyber insurance.
The group’s threat is that non-payment will result in the information being published. Even if payment is made, there is no guarantee that the hackers will actually delete the stolen data.
The Best Response is a Prepared Response
Lawyers are accustomed to preparing for cases.
That same level of discipline should be applied to the firm’s cyber hygiene, beginning with an Incident Response Plan that is written and rehearsed before an incident occurs. Planning can make a real difference in loss mitigation and can spare your firm or organization a disastrous outcome after a cyber event.
In a cost-benefit analysis, having a robust cyber insurance policy in place could save you the out-of-pocket costs of consultants, new equipment, marketing, and other associated expenses.
Stand-alone cyber insurance policies typically give you access to the incident response support of your broker and carrier; you are well-advised to draw on that support in developing your Incident Response Plan.
Stand-Alone Cyber Insurance Coverage for Ransomware Attacks
Many cyber liability policies provide cyber extortion coverage to protect your business against losses caused by ransomware and other types of cyber extortion.
For example:
- Ransom payments – when hackers lock your network or computer system demanding payment of ransom for the key to unlocking your system.
- Loss of business income during the cyber event – after a brief waiting period.
- Extortion-related expenses – when you incur losses because of the extortion threat, such as making the ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
- Repair costs – when you sustain losses due to damage, disruption, theft, or misuse of your data, such as the cost to restore, replace or reconstruct programs, software, or data.
Silent Cyber
It is worth noting, your other commercial lines of insurance (e.g., general liability or commercial crime) may not explicitly cover or exclude cyber losses. This lack of affirmative coverage has led to insurance coverage disputes, with no clear line drawn in the sand. We reviewed disputes involving Business Email Compromise (BEC) under commercial crime policies in our recent article on Silent Cyber.
Insurance markets are explicitly excluding cyber coverage from non-cyber policies, making a more pronounced shift to affirmative cyber insurance.
TAKEAWAYS
- Cybersecurity measures are an essential part of your cyber risk management, but they are only as effective as the weakest player on your team, or your most vulnerable third-party vendor.
- Planning and preparation are a vital part of the cyber risk management process.
- Silent cyber: if your commercial insurance policies do not explicitly provide coverage for cyber losses, do not rely on them for cyber insurance coverage. The time and cost of a coverage dispute is not money well spent.
- Lawyers are well-advised to invest in a robust stand-alone cyber insurance policy, whether they practice as a sole practitioner, a mid-sized law firm or legal services organization, or a large law firm.
- If you are caught off guard, a cyberattack could lead to a catastrophic loss.
Reach out to a specialist cyber broker, such as Cyber Armada Insurance, to request innovative and robust cyber solutions appropriate for your needs and cyber risk tolerance. We understand the evolving demands and expectations of cyber insurance clients.
Contact Cyber Armada today to examine how your company faces potential financial losses from business interruption caused by a ransomware attack. Contact us at 888.727.6232.
NEXT ARTICLE
Please watch for our next article on Third-Party Logistics (3PL) Cyber Risks.