Introduction

Cybersecurity is a critical issue for law firms, and one that is not going away. According to a recent study, 80% of the largest firms in the US experienced a malicious breach last year; with an average of 10,000 network intrusion attempts detected daily amongst these 200 firms. With the average cost of a successful malware attack on a law firm at $5 million (the average cost per record at $141), it is evident that cybersecurity must be dealt with at senior management level to prevent the financial and reputational damage of a cyber event.

Specific Concerns/ Risks

Legal firms remain a favourite for cyber criminals due to the colossal amount of sensitive data that they store. This data is of high worth to hackers who can sell it on the dark web or use it for extortion purposes. Law firms often hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that if leaked could be used for insider trading. Due to the importance of the data held on file, firms are exposed to legal issues relating to client confidentiality and the determination of cyber criminals to get their hands on this exceedingly valuable data.

Many law firms are now characterised by international structures, leading to increased cyber exposure and the need for succinct company regulations. Often employees are unaware of the numerous risks that are faced throughout the network and are equally unaware of the level of granularity around the processes and controls in place to address those risks. Failure to train staff properly increases the likelihood of employees responding to social engineering and phishing e-mails which can result in leaked data, system interruption and failure, high ransom demands and, significant reputational damage.

The implications for effected clients of a law firm following a data breach are far reaching as it could affect an ongoing legal case and put a client at an unfair disadvantage. For example, a client’s leaked intellectual property may be seen by a competitor, or the breach could provide a back door into a client’s systems. Often cybercriminals are targeting businesses that give them access to larger enterprises with more valuable data to steal. Legal firms certainly fit this criterion, further highlighting them as popular targets.

Data regulation and compliance should be fully updated and integrated into law firm’s IT systems. Unfortunately, many law firms do not have an internal audit function, and if they do it is often made up one individual who covers the entire network. This can lead to out of date systems and processes, leaving the firm exposed to potential breaches, compliance failures and malicious third parties. Additionally, international companies must ensure that employees are aware of international data protection regulations such as the General Data Protection Regulation (GDPR), and US state specific data protection regulations. With all 50 U.S. states having their own breach-notification laws, this forces law firms and other companies to navigate a patchwork of different rules; facing potential regulatory fines and embarrassment for those failing to comply.

Types of Cyber Claims

In March 2016, two of the largest law firms based in New York suffered data breaches. Both of the firms specialised in patent and intellectual property law; representing Wall Street Banks and Fortune 500 companies in everything from lawsuits to multibillion- dollar merger negotiations. This sparked suspicions that the perpetrators were hackers using the breached data for insider trading on the stock market.  In the same month, 48 US law firms were targeted specifically by Russian cyber criminals looking for M&A activity to harness for insider trading. A comprehensive cyber policy would cover the notification costs to affected clients, provide immediate incident response (including PR costs) and cover the business interruption and reputational damage costs to name a few.

In 2017 one of the world’s biggest law firms was hit with a Petya cyber-attack that restricted employees’ access to emails and documents. For two days following the attack, the telephones and e-mails of 3600 lawyers in 40 countries were locked out. While the firm managed to recover some of its systems, it never regained complete access to emails sent or received before the ransomware struck; and some staff also permanently lost access to vital and confidential documents, causing significant and ongoing business interruption and reputational damage. Had the firm purchased a cyber insurance policy, a 24-hour incident response team would have been on hand to offer advice to deal with the attack and if necessary, would have paid the bitcoin ransom.

In early 2017, a popular website building site was hacked that affected numerous US based law firm websites. The hackers discovered a vulnerability that enabled them to bypass authentication systems and edit the contents of website pages. Law firms saw their pages defaced with offensive messages and many had years’ worth of content deleted. The reputational damage to the firm was significant, as was the business interruption cost.

Risk Transfer

Comprehensive cyber insurance not only offers financial support following a breach, but also includes risk mitigation support to prevent the attack happening in the first place. Considering the high-risk landscape in which Legal firms are operating, it is essential that cyber risk management is treated as a top priority.  A Safeonline Cyber policy offers first and third-party coverage, to ensure that the law firm is comprehensively protected. Additionally, it includes complementary pre and post breach services and can be tailormade to provide the best cyber solution to fit the differing requirements of the legal sector.  The coverage includes cyber and multimedia sections, including coverage for cyber extortion, data breach response and crisis management, business interruption and extra expense as well as data recovery and defence costs.

As cyber attacks become increasingly prevalent in the legal sector, all firms must prepare to face these potential risks. Using insurers as allies will help firms to operate with confidence.