Posts

Let’s face it, the past several months have been rough on everyone. COVID-19 has radically disrupted our everyday lives, changed the way we do business and drastically increased the number of times we all say “strange” and “unprecedented.” One group that’s been thriving in the COVID-19 world, however, is Cyber Criminals. With the rush to implement “work from home” protocols, security has by and large taken a back seat to operational survival, and Cyber Criminals have positioned themselves well to take advantage of this new reality. Poorly configured remote desktops, home “Wi-Fi” networks, a host of new applications and employees forced into the strange new land of remote working all add up to a perfect Cyber Storm. Luckily it’s not all gloom and doom, and there are things you can do to help make your firm more resilient to Cyber Attacks.

As we take a closer look at Cyber Risk, it is helpful to consider two questions when thinking about these threats:

  • Do you have a Cyber Incident Response plan?
  • Will you survive a Cyber Attack?

Our friends Mike and Ben will make cameos later on to illustrate the importance of these two questions when determining your firm’s resilience in the face of Cyber Threats.

A good place to start is by examining “What’s at Risk” for your firm. Typically this can be broken down into three categories: Data, Disruption and Dollars.

Data

a) Corporate Data: Every law firm is different, which means the type and volume of information will vary greatly from firm to firm. Personal Injury attorneys may have sensitive health information and medical records, M&A attorneys may have sensitive deal information, real estate and trust attorneys may have sensitive financial information in their files, etc. Think about the information your firm collects, stores and processes.

b) Employee Data: Regardless of what type of law you practice, every firm has employees. Think about all the information you take in when onboarding an employee: Name, Address, Phone Number, Social Security Number, Bank Account information for Direct Deposit, background checks, etc. As an employer it is your legal responsibility to protect this information.

c) Data in Transit: Data is at Risk while it is on your firm’s computers, while it is in transit (faxes, emails, texts) and finally, when it resides on a third party’s network. Many organizations believe that by utilizing a third party to store information they are absolving themselves of all responsibility for what happens after the transfer. However, the truth is much more complicated. Data Privacy Law states that the owner and/or collector of information maintains responsibility for that data, and the liability cannot be transferred via contract.

Disruption

While the bulk of the discussion regarding Cyber Risk has historically focused on Data Breaches (with good reason: they’re dangerous and tremendously expensive to deal with), the mass proliferation of Ransomware has now catapulted Business Disruption to the top of the list for concerned firms across the world.

Dollars

Pretty straightforward. Cybercriminals are after your money AND your clients’ money.

____________________

Now that we’ve identified “What’s at Risk” for your law firm, let’s dive into “How Breaches Occur.” There are three main Cyber Threat Vectors: Outside Attackers, Insider Threats and Third Party Incidents.

Outside Attackers

Hackers. Typically depicted in a hoodie and gloves in a dark room (not ideal for typing), Hackers deploy malicious software, commonly referred to as “Malware,” in order to corrupt legitimate computer code for the hackers’ own purposes. A few different types of outside attacks are:

a) Ransomware: Ransomware is a specific type of malware that is designed to encrypt key files and/or systems, with an accompanying ransom demand in order to provide the decryption key. The newest and most costly form of Ransomware in the Cyber world today is called “Maze” Ransomware. In a new twist on Ransomware, the group behind Maze exfiltrates sensitive information, publishes the name of your firm online, then demands a ransom payment which (supposedly) guarantees that the Cyber Criminals will not publish all of your sensitive information online.

b) Keyloggers: Keyloggers are a type of Malware that, when downloaded (via an errant click on a website, email attachment, etc.), quite literally log the keystrokes of your computer as you type. Keyloggers are typically used to pick up usernames and passwords which can then be used across various networks to inflict harm.

c) DDoS: Distributed Denial of Service attacks are brute force attacks designed to overwhelm a target with a flood of requests. Cyber criminals compromise and harness the power of various internet connected devices (computers, copiers, security systems, baby monitors, refrigerators, microwaves, etc. and yes, we’re serious about refrigerators), then direct that computing power at a single target, flooding the victims with billions or potentially trillions of requests per second until the targeted organization is completely overwhelmed and shut down.

d) Business Email Compromise: Business email compromise is exactly what it sounds like. A hacker gains access to your email or a vendor’s email and utilizes that email to fraudulently induce various parties to transfer money or sensitive information.

Insider Threats

As we’ve found, not all attacks come from the outside. Employees are also a large driver of Cyber Losses.

a) Malicious or Disgruntled Employees: One of the best examples of the damage a malicious insider can cause comes from a professional services firm in the UK. The story goes like this: Firm hires a new employee to perform data entry and data integration, employee works from 9-5pm and at 5pm leaves work and brings all their data from work home with them to their significant other who is a hacker, said hacker uses this information to commit wide scale insurance fraud.

b) Careless employees and Honest Mistakes: Phishing and Social Engineering attacks are designed to trick employees into disclosing sensitive information, transferring money to a bad actor or clicking on a link or attachment that provides the entry point for a malware payload. Lost and compromised devices such as laptops and mobile phones have also proven to cause huge losses to a variety of organizations, and some Cyber Insurance carriers’ policies contain exclusions for losses arising out of lost devices that are unencrypted.

Third Party Incidents

Everyone has had the story of the Target breach beaten repeatedly into their head at this point, but for a quick recap: a third-party contractor that did business with Target was compromised by a bad actor. The bad actor then used the third-party contractor as an entry point to infiltrate Target’s systems, ultimately resulting in the massive theft of credit card information belonging to Target’s customers and enormous financial losses for Target itself. While the chances are your firm is not the size of Target, it is helpful to use this example as a lens through which to view the third-party “Hub and Spoke” security issue. Think of your firm as the “Hub” in this scenario, with all the third party vendors you use every day as the “Spokes.” Your firm is doing a great job with cybersecurity due diligence and purchases Cyber insurance. In essence, the “Hub” is protected. Are all of your “spokes” (cloud providers, billing services, credit card processors, software vendors) protecting themselves the same way? How are you validating or contractually mandating them to do so?

____________________

Solutions:  Cybersecurity + Cyber Insurance = Cyber Resilience

Finally some good news. While the Cyber world can be a scary place, the good news is there are actions you can take to help prepare your firm for Cyber Incidents.

Cybersecurity

There are a TREMENDOUS number of Cybersecurity solutions out there, so many, in fact, that sometimes we’re tempted to throw our hands up and say “Where do I even start?” While this is by no means an exhaustive list, these are some of the easiest-to-implement and most effective steps your firm can take right now to harden its Cyber Risk posture:

  1. Firewalls and Anti-Virus Software: Will this prevent your firm from being compromised? Not necessarily. Does it help protect you? Yes. Think about this from the analogy of a burglar looking to rob a house. The firewall or anti-virus is a fence around the property. Does a fence prevent every burglary? Absolutely not. Does it make it a little bit harder? Yes.
  2. Strong Passwords and Password Management: Everyone reading this probably just rolled their eyes, but the bottom line is that a huge number of Cyber Incidents could be thwarted by stronger passwords and password management. There are a ton of good vendors out there that can help!
  3. Back-Ups: Make sure you are backing up your information. There are a variety of different ways to do this and a proper discussion of back-ups would require an article unto itself. Oftentimes folks are lulled into a false sense of security because “everything is backed up” only to find their back-ups have been compromised or they haven’t tested them in 10 years. The bottom line, however, is that back-ups are important. Make sure you back up your data in one way or another.
  4. Employee Training: The vast majority of Cyber Incidents involve the human element at some point in the process. Training employees to be on the lookout for suspicious emails or behavior within the company will go a long way in creating a company culture that takes Cyber Risk seriously.
  5. Multi-Factor Authentication: Enabling multi-factor authentication (using two or more pieces of information to validate a user) is an incredibly simple way to harden your defenses. The leader of the Cyber Practice at a large Insurer recently shared that about 1/3 of their recent claims could have been prevented by properly implementing Multi-Factor Authentication.
  6. Patching: Remember all of those little notifications that pop up and tell you that an update is available? Those are important! It means that someone found a vulnerability AND they also found a way to patch that vulnerability.
  7. Constant Testing and Updating: Once you’ve established cybersecurity protections, back-ups, incident response plans, etc. make sure you test them!

Cyber Insurance

A lot has changed in the Insurance world over the past 5-10 years and nowhere is that more evident than in the world of Cyber Insurance. Before we get into the specifics of Cyber Insurance, let’s understand what Cyber Insurance is at a high level:

Cyber Insurance is a risk transfer mechanism that shifts the financial burden of a Cyber Incident from an organization to an Insurer.

Okay, that sounds nice but what does it do?

First Party Coverage

  1. Cyber Incident Response: Carriers have partnered with a wide variety of law firms, forensics teams and PR experts to provide immediate and effective response to a Cyber Incident. The Incident Response portion of a Cyber Policy provides access to and funding for:

    a) Data Breach Coach: A law firm specializing in responding to Cyber Incidents.
    b) Forensics Teams: Your “boots on the ground.” These folks will determine: What happened? Is it still happening? What do we do now?
    c) Notification Costs: Do we have to notify anyone? If so: Who? How? When? What will be our message? The “Where” is also crucial, as there are currently 50 different state guidelines for data breach notifications and the laws apply to the affected individual rather than the affected organization, so you could have one breach that triggers multiple state reporting guidelines.

  2. Extortion/Ransomware Coverage: Provides coverage for Ransom payments and expenses arising out of a Ransomware threat.
  3. Digital Data Recovery: Covers the cost to restore, replace, recreate, re-collect or recover Digital Data from records that have been corrupted, stolen or destroyed.
  4. Business Interruption: Covers loss of Income (net profit before taxes) and extra expenses that a business suffers due to an interruption or degradation in service caused by a Cyber Incident. Note: Business Interruption due to Cyber Incidents is now widely excluded under traditional Insurance Policies.
  5. Cyber Crime: Theft of funds or securities is technically covered under Crime Insurance, however there is a clear overlap between Cyber and Crime in this case. It is crucial to understand how your Cyber and Crime coverages interact to ensure that you are covered for a Cyber Crime loss.

Third Party Coverage

  1. Privacy/Network Security Liability: Covers defense and settlements for third party liability claims arising out of:
    a) Actual/alleged failure of Network Security
    b) Actual/alleged failure to protect Personal, Protected or Confidential Info
    c) Actual/alleged failure to prevent the transmission of malicious computer code
  2. Regulatory Proceedings: With the ever-expanding list of Data and Privacy Regulations (HIPAA, CCPA, BIPA, GDPR to name a few), coverage for regulatory actions and investigations has never been more important.
  3. Payment Card Industry (PCI) Fines and Penalties: Coverage for losses which an organization is legally obligated to pay as a result of the insured’s actual or alleged failure of Network Security or failure to properly handle, protect or dispose of Payment Card Data.
  4. Media Liability: Coverage for claims pertaining to an organization’s display of Media Content on its website or in printed material, or Media Content posted by or on behalf of an organization on any social media site.

Benjamin Franklin and Mike Tyson: Cyber Experts

“Failing to plan is planning to fail” – Benjamin Franklin

“Everyone has a plan until they get punched in the mouth” – Mike Tyson

Although these two probably didn’t have a tremendous amount in common, we have brought them together here because their sage words help frame the approach your firm should take to Cyber Risk.

Make a plan! Fortify your defenses with cybersecurity best practices, develop an internal response plan for a Cyber Incident, and transfer the financial cost of an Incident to an insurer who will also bring in an external Cyber SWAT team to get you back up and running ASAP.

Test your plan! Plans look nice on paper, but as our friend Mike reminds us, when things get real, plans tend to go out the window. Make sure you test your plan and everyone involved knows their roles and responsibilities.

The Cyber World can be a scary place but there are lots of ways to help make it safer for your firm. The worst thing you can do is to do nothing; take action today. And if you ever find yourself overwhelmed or scared, just imagine Ben Franklin and Mike Tyson talking you through all of this… That should help!

____________________________________________________________________________

Written By: Adam Abresch | Acrisure National Cyber Risk Practice Leader

As the Cyber Risk Practice Leader at Acrisure (parent company of AHERN), Adam is responsible for designing custom Cyber, Crime and Technology solutions for Acrisure clients across the globe. Adam is also a guest lecturer at Fordham University and Hofstra University, and leads Cyber Liability education for over 250 Acrisure Partner Agencies throughout the country.

Adam is a frequent speaker and thought leader on Cyber Risk, including featured presentations at NetDiligence, the Professional Liability Underwriters Society (PLUS) Cyber Conference and the New Jersey and New York City Bar Associations. A proud Tarheel, Adam graduated from the University of North Carolina at Chapel Hill, maintains a Certified Insurance Counselor (CIC) designation and a Cyber COPE Insurance Certification (CCIC) from Carnegie Mellon/Chubb, and was the recipient of NetDiligence’s 2019 Toby Merrill Rising Star Award.

____________________________________________________________________________

Substantial portions of this work appeared in the November 2020 issue of Orange County Lawyer magazine (Page 40). The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched. Reprinted with permission.

It is our pleasure to extend to you a warm invitation to our upcoming virtual HR Leaders Compliance Summit in early February!

This year’s event is an expanded virtualization of a longstanding on-site gathering of Acrisure Agency Partner offices and the transformational Human Resources professionals they support. Over the course of this summit, you will hear from numerous subject matter experts that specialize in various HR-related disciplines including labor regulations, employee benefits trends, and human capital management best practices. Coming off the heels of 2020, we think you will find the agenda to be timely, relevant, and impactful.

We are also extremely excited to welcome Annie Duke as our keynote speaker on February 9, 2021. In addition to being a nationally recognized bestselling author and the only woman to have won the World Series of Poker Tournament of Champions, Annie is a respected decision strategist and business thought leader. Her background and expertise lend a valuable and unique series of insights to the challenges facing HR leaders and their organizations today.

Below is a general overview regarding topics that will be covered, as well as our keynote speaker. To view the detailed agenda, or for more information on how to register, please click here.

Here’s to a prosperous year of partnership in 2021!

 

When Cyber Attacks like data breaches and hacks occur, they can result in devastating damage. Businesses suffering from a Cyber Attack can suddenly find themselves in the position of having to deal with business disruptions, lost revenue and litigation.

Unfortunately, since the start of the COVID-19 outbreak, there has been a 400% increase in Cyber Attacks, resulting in 4,000 Cyber Attacks every day.
(Source: Federal Bureau of Investigation)

It is important to remember that no organization is immune to the impact of Cyber Crime. This webinar will show how Cybersecurity and Cyber Insurance work together to make organizations more resilient to Cyber Risks.

        TITLE | What’s a Risk? Cyber Threats During COVID-19
        PRESENTER | Adam Abresch, CIC, CCIC, CLCS | Acrisure Cyber Practice Leader
        DATE | Wednesday, October 28th, 2020
        TIME | 11AM to 12PM PDT
        COST | FREE!

By attending this webinar, you will learn:

-What’s at risk for your business

-How these attacks are occurring

-What these attacks can cost a company

(Please Note: This webinar does not count towards MCLE credit.)

AHERN Insurance Brokerage is a proud agency partner of Acrisure, a top 10 global insurance broker. Our relationship with Acrisure allows us to provide our clients access to policies, resources, and expertise often outside the reach of stand-alone agencies. Along with competitive pricing, our service is backed by dedicated, local customer service.

Cyber threats are rapidly evolving and there are a plethora of ways in which attackers can access networks. As protectors of sensitive information, it’s important that law firms are conscious of IT security and take steps to protect themselves from threats.

To learn more about how cyber threats can affect your law firm and steps you can take to mitigate your risk, please register for our webinar, “Cyber Threats – How to Make Your Firm Resilient to Cyber Risk.”

TITLE: Cyber Threats: How to Make Your Firm Resilient to Cyber Risk
PRESENTER: Adam Abresch, CIC, CCIC, CLCS
DATE: Tuesday, September 15, 2020
TIME: 11:30AM to 12:30PM PST
COST: FREE for Golden Gate ALA Members ($18 for Guest of a Golden Gate ALA Member)

In this FREE webinar, you will learn more about:

• The Numbers behind Cyber Risk
• What’s at Risk for your firm
• The Cost of a Cyber Breach
• The Solution

You will also receive a Cyber Risk Exposure Scorecard to better understand where you may be vulnerable to the new reality of cyber criminals.

Cyber awareness and protection is becoming essential for law firms of all sizes and areas of practice. We hope you can join us for a very informative hour!


 

AHERN Insurance Brokerage and Acrisure Compliance Solutions are excited to present the third edition (Sept-Dec) of our webinar series calendar for 2020. These webinars are open to anyone interested in learning more about these topics. Registration links to each webinar are linked below.

 

Navigating the Complex Landscape of Wellness Programs

Wellness programs encompass a wide variety of benefits and present a particularly challenging set of regulations and requirements for employers. During this webinar, we’ll cover common features of wellness programs, highlight important compliance considerations, and offer tips for tackling some of the trickiest issues.

Speaker: Deborah Hyde, JD

September 17, 2020

2:00 pm EST

 

Timely ADA Issues for Employers

The ADA continues to evolve as one of the more complicated components of Human Resources made even more difficult for employers as a result of the pandemic. This webinar will analyze some of the difficult traditional areas of the ADA to administer, as well as some novel issues that only exist as a result of the COVID-19 pandemic.

Speaker: Jeremy Hertz, JD

October 15, 2020

2:00 pm EST

 

2020 ACA Reporting: Preparations for ALEs and Sponsors of Self-Insured Coverage

As employers begin preparing for another year of ACA reporting under Internal Revenue Code Sections 6055 and 6056, we will provide an overview of the reporting requirements, detail the mechanics of the reporting process, cover state-specific reporting requirements, and discuss IRS actions related to these obligations. This webinar is suitable for both experienced employers and employers new to the reporting process.

Speakers: Deborah Hyde, JD and Colleen Gole, JD

November 19, 2020

2:00 pm EST

 

HR Considerations for 2021

2020 was a rollercoaster for employers and Human Resources departments as a result of the COVID-19 pandemic. Heading into 2021 there are many issues both immediate and well into the future that will be impacted by the pandemic. However, traditional Human Resources initiatives and strategies are still just as important as they have ever been. This webinar will address both pandemic-related concerns heading into the New Year as well as more traditional initiatives that HR departments should be considering moving forward.

Speaker: Jeremy Hertz, JD

December 17, 2020

2:00 pm EST

Last month, another major cyberattack on a law firm made headlines. A cybercriminal ring stole a huge cache of data from a major media and entertainment law firm. The hacker group initially demanded a $21 million ransom for the stolen private documents, which then doubled to $42 million. This was a law firm with on-site IT support and sophisticated safeguards that now has its name splashed across the news, creating a publicity nightmare, reputational free-fall and sleepless nights for all of its clients.

While blockbuster data breaches against household names tend to make the news, attacks against smaller organizations are now so frequent that they are no longer newsworthy. In the most recent Verizon Data Breach Investigations Report, for example, 58% of victims were categorized as small businesses.

Cyber threats are rapidly evolving and there are a plethora of ways in which attackers can access networks. As protectors of sensitive information, it’s important that law firms are conscious of IT security and take steps to protect themselves from threats.

                          TITLE: Cyber Threats: How to Make Your Firm Resilient to Cyber Risk
                          PRESENTER: Adam Abresch, CIC, CCIC, CLCS
                          DATE: Thursday, June 25, 2020
                          TIME: 12PM to 1PM PST
                          COST: FREE for SDCBA Members ($25 for Non-Members)

In this FREE webinar, you will learn more about:

• The Numbers behind Cyber Risk
• What’s at Risk for your firm
• The Cost of a Cyber Breach
• The Solution

You will also receive a Cyber Risk Exposure Scorecard to better understand where you may be vulnerable to the new reality of cyber criminals.

Cyber awareness and protection is becoming essential for law firms of all sizes and areas of practice. We hope you can join us for a very informative hour!


AHERN Insurance Brokerage is honored to have received the STAG ONE™ Agency designation from our partner carrier, The Hartford.

AHERN’s own Summer Gorsica, AHERN Vice President, was recently selected to throw out the first pitch at a San Diego Padres game! The prestigious honor of throwing out the first pitch was a result of Summer and AHERN being designated as a STAG ONE™ Elite Insurance Agency by The Hartford.

STAG ONE™ is an exclusive Small Commercial Rewards & Recognition program designed by The Hartford to recognize their most highly-partnered Small Commercial agents.  Being designated as a STAG ONE™ agency goes beyond production numbers; it’s about Hartford’s strongest partnerships, trust, and development of long-term mutual beneficial initiatives.

Summer has been pivotal in building the AHERN/Hartford relationship and is a big reason for AHERN earning the prestigious STAG ONE™ designation. Summer represents what STAG ONE™ is about – a strong representative for The Hartford and the local insurance industry, and was therefore nominated and selected to throw out the first pitch at The Hartford’s STAG ONE™ Suite Night event. And…. she threw a perfect pitch!! Congratulations, Summer!

 

Summer Gorsica getting some pre-pitch pointers from the San Diego Padres team.

 


Summer Gorsica warming up her arm as Robert W. Smith, Acrisure Executive Vice President – West Region, looks on.

 

Pictured from Left to Right:
Robert W. Smith, Acrisure Executive Vice President – West Region; Gabriel E. Yu, AHERN Vice President; Summer J. Gorsica, AHERN Vice President; Tamara L. Bartels, AHERN Vice President

We are pleased to announce that our monthly Benefits & HR webinars have been approved for Professional Development Credits (PDCs) with the Society for Human Resource Management (SHRM). Participants who hold SHRM-CP℠ or SHRM-SCP℠ Certifications will be able to earn 1 PDC by attending our webinars. The PDC information will be emailed to participants within 48 hours following our webinars.

Please click here to download the Benefits & HR Webinar Series January through April 2018 calendar.