Let’s face it, the past several months have been rough on everyone. COVID-19 has radically disrupted our everyday lives, changed the way we do business and drastically increased the number of times we all say “strange” and “unprecedented.” One group that’s been thriving in the COVID-19 world, however, are Cyber Criminals. With the rush to implement “work from home” protocols, security has by and large taken a back seat to operational survival and Cyber Criminals have positioned themselves well to take advantage of this new reality. Poorly configured remote desktops, home “Wi-Fi” networks, a host of new applications and employees forced into the strange new land of remote working all add up to a perfect Cyber Storm. Luckily it’s not all gloom and doom and there are things you can do to help make your firm more resilient to Cyber Attacks.
As we take a closer look at Cyber Risk, it is helpful to consider two questions when thinking about these threats:
- Do you have a Cyber Incident Response plan?
- Will you survive a Cyber Attack?
Our friends Mike and Ben will make cameos later on to illustrate the importance of these two questions when determining your firm’s resilience in the face of Cyber Threats.
A good place to start is by examining “What’s at Risk” for your firm. Typically this can be broken down into three categories: Data, Disruption and Dollars.
a) Corporate Data: Every law firm is different, which means the type and volume of information will vary greatly from firm to firm. Personal Injury attorneys may have sensitive health information and medical records, M&A attorneys may have sensitive deal information, real estate and trust attorneys may have sensitive financial information in their files, etc. Think about the information your firm collects, stores and processes.
b) Employee Data: Regardless of what type of law you practice, every firm has employees. Think about all the information you take in when onboarding an employee: Name, Address, Phone Number, Social Security Number, Bank Account information for Direct Deposit, background checks, etc. As an employer it is your legal responsibility to protect this information.
c) Data in Transit: Data is at Risk while it is on your firm’s computers, while it is in transit (faxes, emails, texts) and finally, when it resides on a third party’s network. Many organizations believe that by utilizing a third party to store information they are absolving themselves of all responsibility for what happens after the transfer. However, the truth is much more complicated. Data Privacy Law states that the owner and/or collector of information maintains responsibility for that data, and the liability cannot be transferred via contract.
Disruption
While the bulk of the discussion regarding Cyber Risk has historically focused on Data Breaches (with good reason: they’re dangerous and tremendously expensive to deal with), the mass proliferation of Ransomware has now catapulted Business Disruption to the top of the list for concerned firms across the world.
Dollars
Pretty straightforward. Cybercriminals are after your money AND your clients’ money.
Now that we’ve identified “What’s at Risk” for your law firm, let’s dive into “How Breaches Occur.” There are three main Cyber Threat Vectors: Outside Attackers, Insider Threats and Third Party Incidents.
Outside Attackers
Hackers. Typically depicted in a hoodie and gloves in a dark room (not ideal for typing), Hackers deploy malicious software, commonly referred to as “Malware,” in order to corrupt legitimate computer code for the hackers’ own purposes. A few different types of outside attacks are:
a) Ransomware: Ransomware is a specific type of malware that is designed to encrypt key files and/or systems, with an accompanying ransom demand in exchange for the decryption key. The newest and most costly form of Ransomware in the Cyber world today is called “Maze” Ransomware. In a new twist on Ransomware, the group behind Maze exfiltrates sensitive information, publishes the name of your firm online, then demands a ransom payment which (supposedly) guarantees that the Cyber Criminals will not publish all of your sensitive information online.
b) Keyloggers: Keyloggers are a type of malware that, once downloaded (via an errant click on a website, email attachment, etc.), quite literally logs the keystrokes on your computer as you type. Keyloggers are typically used to pick up usernames and passwords, which can then be used across various networks to inflict harm.
c) DDoS: Distributed Denial of Service attacks are brute force attacks designed to overwhelm a target with a flood of requests. Cyber criminals compromise and harness the power of various internet connected devices (computers, copiers, security systems, baby monitors, refrigerators, microwaves, etc. and yes, we’re serious about refrigerators), then direct that computing power at a single target, flooding the victim with billions or potentially trillions of requests per second until the targeted organization is completely overwhelmed and shut down.
d) Business Email Compromise: Business email compromise is exactly what it sounds like. A hacker gains access to your email or a vendor’s email and utilizes that email to fraudulently induce various parties to transfer money or sensitive information.
Insider Threats
As we’ve found, not all attacks come from the outside. Employees are also a large driver of Cyber Losses.
a) Malicious or Disgruntled Employees: One of the best examples of the damage a malicious insider can cause comes from a professional services firm in the UK. The story goes like this: the firm hires a new employee to perform data entry and data integration. The employee works from 9 to 5, and at 5pm leaves work and brings all of the firm’s data home to their significant other, who is a hacker. Said hacker then uses this information to commit wide-scale insurance fraud.
b) Careless Employees and Honest Mistakes: Phishing and Social Engineering attacks are designed to trick employees into disclosing sensitive information, transferring money to a bad actor, or clicking on a link or attachment that provides the entry point for a malware payload. Lost and compromised devices such as laptops and mobile phones have also proven to cause huge losses to a variety of organizations, and some Cyber Insurance policies contain exclusions for losses arising out of lost devices that are unencrypted.
Third Party Incidents
Everyone has had the story of the Target breach beaten repeatedly into their head at this point, but for a quick recap: a third-party contractor that did business with Target was compromised by a bad actor. The bad actor then used the third-party contractor as an entry point to infiltrate Target’s systems, ultimately resulting in the massive theft of credit card information belonging to Target’s customers and enormous financial losses for Target itself. While the chances are your firm is not the size of Target, it is helpful to use this example as a lens through which to view the third-party “Hub and Spoke” security issue. Think of your firm as the “Hub” in this scenario, with all the third party vendors you use every day as the “Spokes.” Your firm is doing a great job with cybersecurity due diligence and purchases Cyber insurance. In essence, the “Hub” is protected. Are all of your “spokes” (cloud providers, billing services, credit card processors, software vendors) protecting themselves the same way? How are you validating or contractually mandating them to do so?
Solutions: Cybersecurity + Cyber Insurance = Cyber Resilience
Finally some good news. While the Cyber world can be a scary place, the good news is there are actions you can take to help prepare your firm for Cyber Incidents.
There are a TREMENDOUS number of Cybersecurity solutions out there, so many, in fact, that sometimes we’re tempted to throw our hands up and say “Where do I even start?” While this is by no means an exhaustive list, these are some of the easiest to implement and effective steps your firm can take right now to harden your firm’s Cyber Risk posture:
- Firewalls and Anti-Virus Software: Will this prevent your firm from being compromised? Not necessarily. Does it help protect you? Yes. Think about this from the analogy of a burglar looking to rob a house. The firewall or anti-virus is a fence around the property. Does a fence prevent every burglary? Absolutely not. Does it make it a little bit harder? Yes.
- Strong Passwords and Password Management: Everyone reading this probably just rolled their eyes, but the bottom line is that a huge number of Cyber Incidents could be thwarted by stronger passwords and password management. There are a ton of good vendors out there that can help!
- Back-Ups: Make sure you are backing up your information. There are a variety of different ways to do this and a proper discussion of back-ups would require an article unto itself. Oftentimes folks are lulled into a false sense of security because “everything is backed up” only to find their back-ups have been compromised or they haven’t tested them in 10 years. The bottom line, however, is that back-ups are important. Make sure you back up your data in one way or another.
- Employee Training: The vast majority of Cyber Incidents involve the human element at some point in the process. Training employees to be on the lookout for suspicious emails or behavior within the company will go a long way in creating a company culture that takes Cyber Risk seriously.
- Multi-Factor Authentication: Enabling multi-factor authentication (using two or more pieces of information to validate a user) is an incredibly simple way to harden your defenses. The leader of the Cyber Practice at a large Insurer recently shared that about 1/3 of their recent claims could be prevented by properly implementing Multi-Factor Authentication.
- Patching: Remember all of those little notifications that pop up and tell you that an update is available? Those are important! It means that someone found a vulnerability AND they also found a way to patch that vulnerability.
- Constant Testing and Updating: Once you’ve established cybersecurity protections, back-ups, incident response plans, etc. make sure you test them!
A lot has changed in the Insurance world over the past 5-10 years and nowhere is that more evident than in the world of Cyber Insurance. Before we get into the specifics of Cyber Insurance, let’s understand what Cyber Insurance is at a high level:
Cyber Insurance is a risk transfer mechanism that shifts the financial burden of a Cyber Incident from an organization to an Insurer.
Okay, that sounds nice but what does it do?
First Party Coverage
- Cyber Incident Response: Carriers have partnered with a wide variety of law firms, forensics teams and PR experts to provide immediate and effective response to a Cyber Incident. The Incident Response portion of a Cyber Policy provides access to and funding for:
a) Data Breach Coach: A law firm specializing in responding to Cyber Incidents.
b) Forensics Teams: Your “boots on the ground.” These folks will determine: What happened? Is it still happening? What do we do now?
c) Notification Costs: Do we have to notify anyone? If so: Who? How? When? What will be our message? The “Where” is also crucial, as there are currently 50 different state guidelines for data breach notifications, and the applicable law is determined by where the affected individual resides rather than where the affected organization is located, so a single breach could trigger multiple state reporting guidelines.
- Extortion/Ransomware Coverage: Provides coverage for Ransom payments and expenses arising out of a Ransomware threat.
- Digital Data Recovery: Covers the cost to restore, replace, recreate, re-collect or recover Digital Data from records that have been corrupted, stolen or destroyed.
- Business Interruption: Covers loss of Income (net profit before taxes) and extra expenses that a business suffers due to an interruption or degradation in service caused by a Cyber Incident. Note: Business Interruption due to Cyber Incidents is now widely excluded under traditional Insurance Policies.
- Cyber Crime: Theft of funds or securities is technically covered under Crime Insurance; however, there is a clear overlap between Cyber and Crime in this case. It is crucial to understand how your Cyber and Crime coverages interact to ensure that you are covered for a Cyber Crime loss.
Third Party Coverage
- Privacy/Network Security Liability: Covers defense and settlements for third party liability claims arising out of:
a) Actual/alleged failure of Network Security
b) Actual/alleged failure to protect Personal, Protected or Confidential Info
c) Actual/alleged failure to prevent the transmission of malicious computer code
- Regulatory Proceedings: With the ever-expanding list of Data and Privacy Regulations (HIPAA, CCPA, BIPA, GDPR to name a few), coverage for regulatory actions and investigations has never been more important.
- Payment Card Industry (PCI) Fines and Penalties: Coverage for losses which an organization is legally obligated to pay as a result of the insured’s actual or alleged failure of Network Security or failure to properly handle, protect or dispose of Payment Card Data.
- Media Liability: Coverage for claims pertaining to an organization’s display of Media Content on its website, in printed material, or in Media Content posted by or on behalf of the organization on any social media site.
Benjamin Franklin and Mike Tyson: Cyber Experts
“Failing to plan is planning to fail” – Benjamin Franklin
“Everyone has a plan until they get punched in the mouth” – Mike Tyson
Although these two probably didn’t have a tremendous amount in common, we have brought them together here because their sage words help frame the approach your firm should take to Cyber Risk.
Make a plan! Fortify your defenses with cybersecurity best practices, develop an internal response plan for a Cyber Incident, and transfer the financial cost of an Incident to an insurer who will also bring in an external Cyber SWAT team to get you back up and running ASAP.
Test your plan! Plans look nice on paper, but as our friend Mike reminds us, when things get real, plans tend to go out the window. Make sure you test your plan and everyone involved knows their roles and responsibilities.
The Cyber World can be a scary place but there are lots of ways to help make it safer for your firm. The worst thing you can do is to do nothing; take action today. And if you ever find yourself overwhelmed or scared, just imagine Ben Franklin and Mike Tyson talking you through all of this… That should help!
Written By: Adam Abresch | Acrisure National Cyber Risk Practice Leader
As the Cyber Risk Practice Leader at Acrisure, (parent company of AHERN), Adam is responsible for designing custom Cyber, Crime and Technology solutions for Acrisure clients across the globe. Adam is also a guest lecturer at Fordham University, Hofstra University and leads Cyber Liability education for over 250 Acrisure Partner Agencies throughout the country.
Adam is a frequent speaker and thought leader on Cyber Risk, including featured presentations at NetDiligence, the Professional Liability Underwriters Society (PLUS) Cyber Conference and the New Jersey and New York City Bar Associations. A proud Tarheel, Adam graduated from the University of North Carolina at Chapel Hill and maintains a Certified Insurance Counselor (CIC) designation, Cyber COPE Insurance Certification (CCIC) from Carnegie Mellon/ Chubb and was the recipient of NetDiligence’s 2019 Toby Merrill Rising Star Award.
Substantial portions of this work appeared in the November 2020 issue of Orange County Lawyer magazine (Page 40). The views expressed herein are those of the Author(s). They do not necessarily represent the views of the Orange County Lawyer magazine, the Orange County Bar Association, The Orange County Bar Association Charitable Fund, or their staffs, contributors, or advertisers. All legal and other issues must be independently researched. Reprinted with permission.