As cyber-insurance becomes a more common risk protection tool, law firms need to educate themselves about policies and what might be best for them
Most operational and risk management professionals are acutely aware that cybersecurity is a burgeoning business issue, especially in the professional services and legal arena. However, digesting the details can be a challenge, mostly because many of the related topics are highly technical, and in most instances, understandably not in the wheelhouse of those in leadership positions in the legal profession.
Functional specifics such as penetration tests, monitoring sites, security awareness training, multi-factor authentication, disaster recovery planning and backups, anti-virus protection, password management, are not and should not be in the vernacular of most legal practitioners. Indeed, these deep technical topics are better left for specialists in the security field.
Yet, some security decision points are primarily business or risk-management oriented. And a certain level of understanding by law firm leadership is important, given, for example, the ethical and professional rules of conduct governing attorney-client relationships.
To that end, one emerging area in the security space that law firms should now consider is cyber-insurance, and the most common types of cyber-insurance include:
- Event management — This coverage is designed for transactional costs associated with a security event, costs such as breach counsel, forensic services, data remediation, notification expenses, and more.
- Network interruption or other loss of revenue — As the name suggests, this module covers top-line losses and other additional expenses relating to outages.
- Extortion — This coverage applies to expenses related to when one hires a negotiator to interface with hacker or other bad actor, or the literal payment of a ransom (which is not recommended, but that’s a different topic).
- Media liability — This area covers libel, copyright or trademark infringement, slander, defamation, and related media risks.
- Security & privacy — This coverage type applies to liabilities to third parties — clients, business partners, etc. — related to the breach or theft of confidential data or the transmission of malware via their networks to said third parties.
Why is the cyber-insurance market so disrupted?
Anything relatively new also tends to be somewhat unsettled and dynamic in nature as standard conventions are developed. It’s no difference for cyber-insurance — yet the need is there. Quarterly ransomware run rates have seen increases in the range of 100% to 450% over various quarters since Q1 2019, according to a recent study by Aon. Not unexpectedly, there is a corresponding uptick noted in ransomware payments as well.
Indeed, the considerable uptick in these types of incidents far outweighs the counterbalancing fact that the industry is seeing cost reductions driven by a decrease in certain types of privacy and data breach incidents during the same period. Still, there are many underlying reasons the professional services sector is a prime target for cyber criminals, with all law firms, unfortunately, in the crosshairs of bad actors.
What is the outlook for 2023?
Cyber-insurance renewal rates smoothed a bit in 2022, but the sharp uptick in victims during the first part of this year, coupled with the Clop ransomware violations highly contributed to the increase and somewhat offset that positive trend. Market conditions, not surprisingly, continue to be turbulent.
“The cyber insurance market has been changing rapidly, seeing much higher rates and tighter security controls in the last few years,” says Dustin Bolander, vice president of operations and technology at FifthWall Solutions. “As losses decrease in 2023, we’re seeing most insurers take a cautious approach to changes. Law firms are one of the most at-risk industries for cyber-incidents, so cyber-insurance will continue to function as informal regulation for the legal profession.”
In fact, the expectation of more and more cyber-criminals entering the fray in the professional services space creates considerable turbulence and a speculative environment of sorts in the cyber-insurance industry.
How is the application process changing?
The targets set for law firms and other corporate clients by insurance underwriters are sighted on a higher bar than in the past. Key expectations have become more challenging and complete in three main areas:
Security — This includes tactics such as multi-factor authentication, the creation of domain administration groups and service account restrictions. and securing remote access. Rotating administrative passwords or creating a culture of one-time use credentials are also close cousins to these controls. Many of these restrictions are common in today’s typical law firm, others a bit less so. Yet, these are all best practices designed to restrict access or raise the bar for authentication.
Monitoring — This includes technologically oriented activities — such as endpoint protection and monitoring; frequent patching of equipment such as servers, computers, devices, and more; and email filtering — all the types of activities designed to protect against virus, malware, and other bad code from entering an environment. The developing areas of SIEM (Security Event and Incident Management) and SOC (Security Operations Centers) offered by third parties that serve the legal sector are other newer trends in the monitoring realm.
Preparation — This includes primarily administrative steps such as disaster recovery and backup planning and testing, creating incident response plans, conducting penetration tests and vulnerability scans, and executing phishing and cyber-awareness training for employees.
The industry also observes that certain types of vulnerabilities, such as poor email configuration, leaked credentials, and public access ports, greatly contribute to the typical successful cyber-attack.
“While the insurance market is a more hospitable place for law firms in 2023, insurers are still asking detailed questions about cybersecurity measures,” says Tom Ricketts, senior vice president and executive director at Aon. “We recommend starting your insurance renewal process very early — four to six months ahead of the renewal date to ensure that you have time to negotiate with insurers and to implement security measures that could positively impact the availability or cost of insurance.”
In terms of how law firms can best work with insurance brokers, industry expert Lynn Watson, Director of Security, Risk & Compliance at law firm Dinsmore & Shohl, notes the importance of a strong partnership with an insurance broker. “Navigating cyber-insurance certainly is not getting any easier,” Watson explains. “Finding a good broker and working with them throughout the year to leverage their ongoing insight and exposure to issues, should be a priority. And integrating suggestions is essential for businesses looking for effective insurance cover.”
Overall, the legal profession is experiencing sea changes, most notably in how the number of activities required to secure affordable cyber-insurance rates has dramatically increased in the past few years, especially for law firms with relatively limited technology staffs and resources.
For those law firm executives tasked with securing cyber-insurance for their firm, please be mindful that the increase in cyber-threats and other macro-factors may inject further uncertainty and defense-oriented technology and administrative policy challenges into the process of obtaining cyber-insurance for years to come.