Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Law firms are prime targets for hackers but cybersecurity insurance for law firms has never been clear-cut.
Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Lockton Companies Senior Vice President and Cyber Risk Practice Leader Ben Beeson on must-have coverage areas and limitations of cybersecurity insurance policies available in the market.Bloomberg BNA:
What is so special about law firms that hackers are compelled to target them?Ben Beeson:
Law firms are targets for two reasons principally. Firstly, they hold sensitive confidential corporate information on behalf of their clients. Depending on the adversary, this could be information that a criminal might use to short a company’s stock or perhaps steal trade secrets for competitive advantage.
Secondly, law firms can often be the path of least resistance. It isn't unusual for the law firm’s defenses to be weaker than that of the client whose information they hold.Bloomberg BNA:
Are there particular hacking tactics or special vulnerabilities for which law firms should be on the lookout?Beeson:
According to FireEye, 95 percent of targeted stealth attacks known as APTs (Advanced Persistent threats) use a technique known as “Spear Phishing.” The hacker will often trawl social media sites such as LinkedIn and Facebook to build up a profile of the targeted associate or partner.
More often than not the individual is sent an e-mail from whom they believe to be a trusted third party such as a colleague, a friend, or their immediate supervisor. Typically the e-mail will require the individual to click on a link, which will then allow the hacker to download malware and penetrate the firm’s network.Bloomberg BNA:
For law firms looking for cybersecurity insurance policies, what are some of the must-have coverage areas?Beeson:
Cybersecurity insurance for law firms has never been clear-cut. Errors & Omissions (E&O) or professional liability insurance protects against breach of contract or negligence allegations by clients for such things as non-performance. Within those policies typically lies coverage for a breach of security or privacy.
You would expect an E&O policy to pay for that. Some areas that cybersecurity insurance covers above and beyond an E&O policy include:
Because a lot of the risk is already picked up under current errors and omissions policies, many firms mistakenly think that all damages resulting from a hack are already covered.
But because a lot of the risk is already picked up under current E&O policies, many firms mistakenly think that all damages resulting from a hack are already covered. This isn’t the case, but that perspective is starting to change.Bloomberg BNA:
How does a cybersecurity insurance policy interact with other professional liability insurance which individual attorneys or the law firm may have?Beeson:
As outlined above there are gaps in professional liability insurance, specifically “first party” gaps. These gaps could include loss of revenue because the firm’s network was shut down, which could hinder billing and receivables, or possibly the money a firm would have to pay out because of ransomware attack.
The cost to restore corrupted data, which isn't included under E&O policies, would need to be addressed separately as well. Understanding all the potential coverage gaps requires an in-depth discussion with the firm’s insurance broker.
Ultimately it really comes down to the desire of the firm and individual attorneys to address the gaps and buy the additional coverage.Bloomberg BNA:
What are some of the limitations of cybersecurity insurance policies available in the market of which law firms should be particularly aware?Beeson:
Cybersecurity insurance is designed to address a catastrophic loss to critical corporate assets that a law firm is looking to protect. However, certain assets such as intellectual property remain uninsurable.
Look closely at war and terrorism exclusions. It is unclear yet if nation state attacks would be defined as acts of war or terror, and that leads to ambiguity as to if they are covered.
Most importantly, be aware of what constitutes “prior acts” on a policy. This is vitally important because detecting if and when an individual or organization has hacked into a system is oftentimes difficult. In fact, FireEye says that it’s an average 205 days before malware is detected on a network from an advanced persistent threat.
Typical cybersecurity insurance policies only cover acts from the first day that insurance is bought. Simply put, if hackers have been in a system for six months and the law firm is only three months into the policy, the damage they do may not be covered.
The solution is to always buy “prior acts coverage” and don't accept a policy with a very limited retroactive date.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)