Cyber hackers are targeting law firms with increasing frequency, according to a recent article in Bloomberg BNA titled, “Views on Cybersecurity Insurance for Law Firms.”
Law firms are viewed as prime targets for cyber attacks because they hold sensitive, confidential information on client transactions and frequently have weaker security defenses than the clients they represent.
Even the country’s most prestigious “white shoe” law firms are at risk, as evidenced by news in March, 2016 of computer hacks at Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. Both firms represent Fortune 500 companies and Wall Street banks in mergers, acquisitions, and bet-the-company litigation.
Law enforcement officials at the Manhattan U.S. Attorney’s Office and the Federal Bureau of Investigation are investigating the alleged security breaches to determine if confidential data was accessed for use in insider trading schemes.
Other unidentified law firms also were breached in similar attacks, according to news reports, and future attacks are anticipated.
Managing partners at insurance defense law firms serving as panel counsel will want to pay attention to this increased risk of cyber threats for two reasons.
First and foremost, the law firm that serves as panel counsel needs to protect confidential client data. Whether they defend insurance carriers in matters ranging from auto claims to sensitive legal malpractice litigation, law firms need to insure that the litigation management files in their possession are secure. This is particularly important in an environment where attorneys can access active case data from laptops, mobile phones, tablet devices, and in cloud-based storage systems maintained outside the law firm.
Secondly, cybersecurity claims are destined to represent new panel counsel opportunities now and in the future. Accounting firm PwC predicts that the market for cyber insurance market will triple in size to $7.5 billion in annual premiums by 2020. A downside is that some insureds may resist the increasing costs of premiums and growing use of restrictive policy provisions.
Forms of Cyber Attacks
Approximately 95 percent of cyber-attacks, known in the industry as advanced persistent threats (APTs), use a method known as “spear phishing.” Often this takes the form of an official-looking email that appears to originate from an otherwise trusted source, and then asks the recipient to respond with sensitive data or to take action by clicking on a link.
As hackers are becoming more sophisticated, they are targeting groups of co-workers (perhaps identified via LinkedIn) within law firms, corporations and banks. The hackers lure unsuspecting victims by sending emails that appear legitimate, often by referring to active matters that may have been gleaned from news and public records sources.
Emergence of the Cybersecurity Insurance Market
Traditionally, traditional commercial general liability and property insurance policies have not included cyber risks as part of their coverage terms. This market void has resulted in an emergence of cybersecurity insurance as a stand-alone line of coverage. But this type of insurance has never been clear-cut for law firms. Professional liability or Errors & Omission (E&O) insurance may protect against negligence allegations brought by clients or a breach of contract, according to the Bloomberg BNA article.
Cybersecurity insurance may compensate for a portion or all of the financial effects of a hack. Policies for cybersecurity insurance, which may provide first or third-party insurance coverage, have emerged in the United States market in part due to the increased adoption of data breach notification laws.
Background on the Growth of Cybersecurity Insurance
Commonly referred to as information technology security, cybersecurity insurance focuses on the protection of computers, networks, programs and data from unintended or unauthorized access, change, or destruction. Since the Internet has become the underlying infrastructure of society, data systems are particularly difficult to protect. Vulnerabilities pose both physical and cyber threats to society.
Cyber risk management is such a concern that in recent years the Department of Homeland Security National Protection and Programs Directorate has reached out to key stakeholders to address this issue.
Coverage & Limitations
As leading retailers like Target and Home Depot have learned, insurance policies designed to cover a breach of privacy or security may still result in coverage gaps such as loss of revenue, the cost of restoring corrupted data, and reputational harm.
Cybersecurity policies may cover liability and costs of customer notification of the breach, credit monitoring for clients, forensic investigations, and legal defense fees in addition to regulatory fines. It is not uncommon for law firms to be under the mistaken impression that professional liability or E&O insurance will cover all damages that result from a hack.
Cybersecurity insurance covers matters above and an E&O policy may include cyber extortion, loss of revenue resulting from a network outage, as well as public relation costs incurred to rehabilitate the firm’s reputation.