Twenty years ago the federal government designated October as Cybersecurity Awareness Month, part of an early effort to promote a wider appreciation of computer-related threats to business and government operations and to encourage everyone to adopt meaningful measures to mitigate those threats.
It’s no secret that the legal community’s initial cyberthreat response was, well, discouraging. As recently as 2020, just 43% of law firms encrypted client data, 39% used two-factor authentication to secure their computer networks, and only 29% used intrusion detection technologies. Not only were most law firm networks poorly secured, but only a small percentage of firms had the capacity to even detect a network intrusion. These lawyers were flying blind in a very old plane.
The American Bar Association commented at the time that the situation “cries out for a much more robust response by the profession to the challenges at hand.”
Today the legal profession can be proud of its recent efforts to raise awareness of the threats posed by cybercriminals to law firm operations. The ABA, state bar associations and attorney regulatory bodies have all been working hard to improve law firm data security practices – through educational programs, best practice guidelines, ethics opinions, and modest tweaks to lawyer ethics codes in some jurisdictions. These self-regulatory efforts are taking place alongside a palpable sense of urgency created by data breach legislation, regulatory scrutiny, class action litigation, and the devastating fallout from data breaches and ransomware attacks on law firms.
And this year, the ABA House of Delegates approved Resolution 609, which listed numerous measures law firms can take to improve cybersecurity in day-to-day operations. When it comes to cybersecurity, real progress is occurring within the legal profession. Unfortunately, practicing lawyers are on the receiving end of so much information regarding data security that there’s a real risk some will tune it out altogether, suffer the dreaded “paralysis by analysis,” or make hasty, careless delegations of critical obligations to third parties.
We don’t want to contribute to that. This year, for Cybersecurity Awareness Month, we’re asking lawyers to consider a single topic: cyber insurance. Do you have cyber insurance? Does your policy cover all reasonably foreseeable cyber losses, or just some of them?
Common Gaps in Cyber Insurance Coverage
Each year cyber insurance carriers become more sophisticated and knowledgeable about the risks that cybercriminals pose to law firm operations. With several years of experience under their belt, cyber insurance carriers know how to evaluate a law firm’s defenses against cyberattacks. Moreover, cyber insurance coverages and exclusions change over time to reflect new threats and claims exposure.
A recent survey by Delinea, Closing the Cyber Insurance Gap: 2023 State of Cyber Insurance Report, identifies the leading reasons why insurance carriers did not provide coverage for cyber losses suffered by their insureds. According to a survey of 300 businesses and law firms, cyber insurance coverage was most often denied for the following reasons:
- Lack of security protocols in place (43%)
- Internal bad actor (38%)
- Human error – misconfiguration, lost cell/laptop (38%)
- Acts of war (33%)
- Did not follow compliance procedures (33%)
- Acts of terrorism (32%)
- Not reporting to insurance company first (31%)
With the exception of “acts of war” and “acts of terrorism,” all of the leading factors contributing to denials of cyber insurance coverage are under the control of law firm leaders. Implementing reasonable data security measures, having an incident response plan in place, and screening/training law firm employees are all critical responsibilities for modern law firms.
A second critical revelation from the Delinea study is the extent to which cyber insurance policies did not cover losses commonly suffered by law firms victimized by cybercriminals. Survey respondents reported that the following types of losses were the most likely to be covered by their cyber insurance policies:
- Data recovery/backup (54%)
- Additional security controls (53%)
- Incident response services (45%)
- Impact on partners and customers (45%)
- Regulatory fines (41%)
- Lost revenue (41%)
- Legal fees (40%)
- Ransomware negotiations & payment (40%)
A little more than half of respondents said that their cyber insurance carrier would pay for all or some of the costs associated with “incident response.” However, big-ticket items such as lost revenue, government fines, attorneys’ fees, and ransomware payments were covered to a significantly lesser extent.
Lessons Learned, Further Reading
We see three top takeaways from the Delinea cyber insurance survey.
First, the cyberthreat landscape and the cyber insurance market are both dynamic. Close attention to each is critical. Law firms will be rewarded for understanding current cyberthreats as well as the fine print in their cyber insurance policies.
Second, the job of mitigating losses from cyberattacks is a shared obligation between the law firm and its insurance carrier. Law firms can do a lot on their own – through best practices, wise technology investments, and keeping abreast of evolving threats – to minimize cyberthreats and maximize the likelihood they’ll have coverage in the event of an attack. The Delinea survey makes clear that law firms with lax cybersecurity practices face a real risk of losing cyber insurance coverage.
Third, there should be a general awareness that cyber insurance will not necessarily cover all of the losses emanating from a cyberattack. If coverage for a certain category of loss is important to the law firm, it should be specifically negotiated and included in the cyber insurance contract.
When she introduced Resolution 609 earlier this year, Adriana Luedke, a member of the ABA Cybersecurity Legal Task Force, placed responsibility for law firm cybersecurity vigilance squarely on lawyers’ shoulders.
“Lawyers’ own behavior and knowledge are critical in this area,” Luedke said. “In this environment of increasing threats, it is key to learn and take action.”
We haven’t forgotten our earlier stated intention to promote awareness, not information overload. However, the following resources are worth reviewing to acquire a basic understanding of cybersecurity issues as they pertain to law firm operations.
- Computer Security Incident Handling Guide (NIST Special Publication 800-61), National Institute of Standards and Technology. A leading publication in the field.
- Incident Response Plan Basics, Cybersecurity and Infrastructure Security Agency
- Prevention and Response: A Two-Pronged Approach to Cyber Security and Incident Response Planning, ABA Center for Professional Responsibility
- Are We Taking Data Security Seriously Enough?, Esquire Deposition Solutions
- ABA Urges Lawyers to Raise Their Cybersecurity Game, Esquire Deposition Solutions
- Assessing Cyber Insurance Coverage for Data Breach Losses, Esquire Deposition Solutions