Views on Cybersecurity Insurance for Law Firms From Lockton Cyber Risk Practice Leader Ben Beeson

Law firms are prime targets for hackers but cybersecurity insurance for law firms has never been clear-cut.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Lockton Companies Senior Vice President and Cyber Risk Practice Leader Ben Beeson on must-have coverage areas and limitations of cybersecurity insurance policies available in the market.

Bloomberg BNA:

What is so special about law firms that hackers are compelled to target them?

Ben Beeson:

Law firms are targets for two reasons principally. Firstly, they hold sensitive confidential corporate information on behalf of their clients. Depending on the adversary, this could be information that a criminal might use to short a company’s stock or perhaps steal trade secrets for competitive advantage.

Secondly, law firms can often be the path of least resistance. It isn't unusual for the law firm’s defenses to be weaker than those of the client whose information they hold.

Bloomberg BNA:

Are there particular hacking tactics or special vulnerabilities for which law firms should be on the lookout?

Ben Beeson:
According to FireEye, 95 percent of targeted stealth attacks known as APTs (Advanced Persistent Threats) use a technique known as “spear phishing.” The hacker will often trawl social media sites such as LinkedIn and Facebook to build up a profile of the targeted associate or partner.

More often than not the individual is sent an e-mail from someone they believe to be a trusted third party such as a colleague, a friend, or their immediate supervisor. Typically the e-mail will require the individual to click on a link, which will then allow the hacker to download malware and penetrate the firm’s network.

Bloomberg BNA:

For law firms looking for cybersecurity insurance policies, what are some of the must-have coverage areas?

Ben Beeson:
Cybersecurity insurance for law firms has never been clear-cut. Errors & Omissions (E&O) or professional liability insurance protects against breach of contract or negligence allegations by clients for such things as non-performance. Within those policies typically lies coverage for a breach of security or privacy.

You would expect an E&O policy to pay for that. Some areas that cybersecurity insurance covers above and beyond an E&O policy include:

  •  loss of revenue from a network outage;
  •  costs to restore compromised data or forensic investigation of a breach;
  •  public relations costs to rehabilitate the firm’s reputation; and
  •  cyber extortion.

But because a lot of the risk is already picked up under current E&O policies, many firms mistakenly think that all damages resulting from a hack are already covered. This isn’t the case, but that perspective is starting to change.

Bloomberg BNA:

How does a cybersecurity insurance policy interact with other professional liability insurance which individual attorneys or the law firm may have?

Ben Beeson:

As outlined above, there are gaps in professional liability insurance, specifically “first party” gaps. These gaps could include loss of revenue because the firm’s network was shut down, which could hinder billing and receivables, or possibly the money a firm would have to pay out because of a ransomware attack.

The cost to restore corrupted data, which isn't included under E&O policies, would need to be addressed separately as well. Understanding all the potential coverage gaps requires an in-depth discussion with the firm’s insurance broker.

Ultimately it really comes down to the desire of the firm and individual attorneys to address the gaps and buy the additional coverage.

Bloomberg BNA:

What are some of the limitations of cybersecurity insurance policies available in the market of which law firms should be particularly aware?

Ben Beeson:

Cybersecurity insurance is designed to address a catastrophic loss to critical corporate assets that a law firm is looking to protect. However, certain assets such as intellectual property remain uninsurable.

Look closely at war and terrorism exclusions. It is as yet unclear whether nation-state attacks would be defined as acts of war or terror, which leads to ambiguity as to whether they are covered.

Most importantly, be aware of what constitutes “prior acts” on a policy. This is vitally important because detecting if and when an individual or organization has hacked into a system is oftentimes difficult. In fact, FireEye says that it is an average of 205 days before malware from an advanced persistent threat is detected on a network.

Typical cybersecurity insurance policies only cover acts from the first day that insurance is bought. Simply put, if hackers have been in a system for six months and the law firm is only three months into the policy, the damage they do may not be covered.

The solution is to always buy “prior acts coverage” and don't accept a policy with a very limited retroactive date.