Underwriters See Rising Ransomware Threats and Liability Exposure

Ransomware is the wolf at the law firm’s door that just won’t go away. In fact, he’s getting bigger and hungrier. Ransomware attacks in recent years are more pernicious, more difficult to prevent, and more expensive to pay off.

Enter cyber-insurance, a formerly sleepy corner of the insurance world that has become enormously complex and in-demand in recent years. For good reason. Cyber-insurance carriers can help law firms learn how to minimize the opportunities for ransomware attacks and how to recover when a ransomware attack occurs. Cyber-insurance policies can also defray the costs of investigation, remediation, and litigation resulting from a ransomware attack. But cyber-insurance can be difficult to obtain, and it’s also getting expensive.

Law firms considering cyber-insurance should be prepared to undergo a searching inquiry from the cyber-insurer, a visit to the law firm’s physical premises, and interviews with firm leaders — all to convince the insurer that the firm takes data security seriously.

How Great Is the Ransomware Threat?

Ransomware attacks are increasing every year, with cybercriminals more focused than ever on professional services firms. According to the 2022 NetDiligence Cyber Claims Study, the professional services sector drew the most attention from ransomware attackers in 2021, both in terms of the number of attacks and the dollar value of losses attributable to those attacks. Professional services firms accounted for 30% of all claims in 2021, yielding $321 million in claimed losses.

The second-most-likely sector to be victimized was manufacturing (11%), followed by health care (10%) and financial services (7%).

One reason ransomware attackers target professional services firms is that these entities — which often hold their clients’ personal information as well as sensitive financial and health information — are doubly exposed. Sophisticated ransomware attackers can both cripple the victim’s computer network and extract valuable data before leaving the scene of the crime.

Recently unsealed indictments against three Iranian nationals describe a typical ransomware attack. According to the U.S. Department of Justice, the defendants gained unauthorized access to computer networks belonging to an accounting firm, two electric utilities, a county government in Wyoming, and the Georgia State Bar Association, among others. The defendants allegedly demanded cryptocurrency ransoms in exchange for returning control of the victims’ computer networks. They also threatened to sell valuable data on the black market if their ransom demands were not met.

Third-Party Claims After Ransomware Attacks

What sorts of legal claims do ransomware attacks typically spawn? The list is a long one, ruefully described by some attorneys as “the attack after the attack.”

Samantha L. Riley, a partner at Skarzynski Marick & Black LLP in New York City, recently told attendees at an American Bar Association event that ransomware victims could conceivably face the following types of legal claims:

  1. Class actions filed under privacy and consumer protection laws.
  2. State regulatory investigations and enforcement actions.
  3. Federal regulatory investigations and actions.
  4. If credit card data was compromised, financial institutions will investigate whether the ransomware victim was in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which all businesses must use to secure credit card data. Fines for violations are steep.
  5. Publicly traded companies face potential enforcement actions from the U.S. Securities and Exchange Commission and from shareholders.
  6. Legal liabilities arising from vendors and clients if, due to the ransomware attack, contractual obligations were not met.

Elissa Doroff, a senior claims official at Mosaic Insurance in New York City with extensive experience in cyber-extortion claims, said that victims should refrain from publicizing data breaches until they have all the facts. “Rushed public relations messages,” she said, can do more harm than good.

“That’s where all of a sudden you see regulatory inquiries, undue scrutiny that you wouldn’t see otherwise, and class action litigation,” Doroff said. “With a really good breach response where it’s kept tight and responsive, you can stave off a lot of third-party litigation and regulatory inquiries and substantial costs that you wouldn’t have otherwise.”

The sheer number of possible legal claims — and claimants — that ransomware victims potentially face can make it difficult to achieve a final disposition of all potential legal exposures. A business might settle claims with all persons whose personal information was exposed by the attack, only to be met with later-filed legal claims from banks seeking compensation for the expense of issuing new credit cards.

Ransomware victims also face legal liability from novel claims that neither they nor their insurers anticipated. For example, the City of Chicago is seeking damages from the Marriott hotel chain in the form of lost hotel tax revenues stemming from a 2018 data breach at the hotel. The city’s expert witness opined that hotel tax revenues were $1.4 million less than forecasted during the month after Marriott publicly disclosed the breach. On Sept. 8, a federal court in Maryland declined to dismiss the city’s tax claims against the hotel. In re Marriott International Inc. Customer Data Security Breach Litig., No. 19-md-2879 (D. Md., Sept. 8, 2022).

First-Party Claims After Ransomware Attacks

After addressing all of the foregoing third-party claims, ransomware victims are faced with so-called “first-party claims” in the form of losses that the victims themselves suffered as a result of the attack. These are chiefly revenue losses and increased expenses that are suffered as the victims attempt to get back on their feet in the wake of a ransomware attack.

Estimates of ransom demands vary widely, but no one would quibble with the assertion that they exceed several hundred thousand dollars on average, a figure that grows larger every year. Security services provider Sophos Ltd. says that the average ransom paid in 2021 was $812,360.

As with third-party claims, the list of specific losses that accompany a ransomware attack is long, including:

  • Business revenue losses and increased business expenses.
  • Expenses for crisis management services.
  • Expenses for data recovery and restoration of network operations.
  • Payment of ransom demands.
  • Expenses for ransom negotiators.
  • Expenses for forensic investigations.
  • Expenses for legal services and “breach coaching” services.
  • Expenses for notification and credit monitoring.
  • Expenses for public relations services.

Cyber-insurance is available to pay these bills. However, Doroff said, the process for obtaining cyber-insurance coverages has changed dramatically in recent years. The application process, she said, is “extremely more onerous” than it used to be. Applicants should expect detailed questions from the insurer about the safeguards they maintain on personal information on their computer networks. Mindful of litigation trends, insurance companies today will be asking their customers about protections around biometric information and about compliance with the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.

Law firms seeking cyber-insurance should also expect to field detailed questions about the vendors they use to process and transmit client information, she said.

Beyond the application, many underwriters will want to have a phone call with a representative from the insured and a visit to the business premises.

“They’ll be meeting with the CISO [Chief Information Security Officer] and everybody else in the C-suite to really get a feel and a flavor for how seriously they take cybersecurity and how much of a budget they’re putting in for it,” Doroff said.

Tom Ricketts, a senior official in insurer Aon’s professional services cyber-insurance department in New York City, said that the job of underwriting cyber-insurance has become an extremely complex process during the past few years, in recognition of the fact that the risks themselves are complex, dynamic, and difficult to measure.

As claims and exposures have grown, so too have premiums. “The insurance industry generally is running about 130 percent loss ratio on cyber, so premiums have gone way up,” Ricketts said. Ricketts added that insurers are also becoming more selective in terms of where they are willing to issue policies and under which terms and policy limits.

Esquire Solutions Can Help

Our customers know they can depend on us to secure client information that is transmitted across our networks. Esquire Solutions maintains a state-of-the-art information security infrastructure that aligns with, and in many areas exceeds, industry standard cybersecurity practices. Esquire designed its infrastructure to provide the most secure legal services in the industry. Client data is encrypted end to end, in transmission, and at rest on workstations, laptops, servers, mobile devices, and video and audio streams, including transcript processing and delivery. Information is further secured with consistently updated, system-wide automatic threat detection and data loss prevention software.

Esquire also provides to customers and prospective customers audit reports (known as “SOC2” and “SOC3” reports) attesting to our compliance with the American Institute of Certified Public Accountants’ information security standards. SOC reports contain valuable information that law firms can use to assess the risks and internal controls associated with an outsourced service provider. Each SOC report contains a detailed description of Esquire’s information security practices, followed by an independent auditor’s opinion that those practices — as described — provide reasonable assurance that we meet the AICPA’s trust services and information integrity standards.

We’re pleased to provide this information whenever an Esquire customer is asked to document the information security practices of its deposition services vendor — whether that’s for an insurance company, a government agency, or law firm clients.