The Evolving Risk Landscape for the Legal Community
Lawyers and law offices face unique insurance risks, such as the chance of errors and omissions (E&O) in delivering legal advice. These exposures have historically made their insurance needs distinct, and brokers, agents and carriers have responded with tailored policies and coverages. In our modern world, cyber risk is redefining these needs, and the insurance industry must again develop customized products for the legal community.
Many of the exposures faced by lawyers remain challenging, but a robust market of competitive insurance products exists to transfer them, as do best practices for preventing or reducing losses. Cyber risk, however, has only been insurable since the ’90s and is evolving daily. As technology gives law practices greater ability to manage resources, scale operations, and service clients, it also opens new doors for hackers and opportunities for employee error.
Legal professionals – who rely on technology to conduct business efficiently AND hold large databases of highly sensitive confidential information – once again find themselves at higher risk than most, especially considering recent privacy legislation in various states. To protect themselves, lawyers are employing security software and cyber governance, but must also leverage insurance products that both enhance these initiatives and provide a safety net for unanticipated ‘black swan’ events.
From 2016 through 2018, cyber incidents increased by 81% according to the Chubb Cyber Index. In the same period, companies with less than $10M in revenue have seen cyber incidents increase by 254%. More than half of all cyberattacks – 62% in 2016 – are directed at small and medium-sized businesses, whose smaller IT budgets make them more likely to run outdated or unpatched software, lack proper password hygiene, transmit unencrypted data, or fail to properly secure endpoint devices.
With cybercrime damages projected to reach $6 trillion annually by 2021 – more than double the same figure from 2015 – law offices, particularly smaller ones, cannot assume they’re not a target. In its 2019 Legal Technology Survey Report, the American Bar Association (ABA) said 26% of respondents reported experiencing some sort of security breach, up 18% from 2017. Perhaps this isn’t surprising given only 44% of respondents use file encryption, 38% use email encryption and 22% use whole / full disk encryption. Only 33% said their firm has a cyber liability insurance policy.
In 2017, one-third of law firms with 10-99 lawyers suffered a cyber breach, compared to just 23% of firms with 500 or more lawyers. Yet two years later, the ABA survey found only 11% of solo practitioners, 23% of firms with 2-9 attorneys and 35% of firms with 10-49 attorneys had a breach response plan. However, 65% of firms with over 100 attorneys maintain such a policy and 92% require security and cybersecurity training, compared to just 41% of solo practitioners.
Still, nothing guarantees protection from cybercriminals. Recently, the North Carolina State Bar has received reports of wire fraud in real estate closings, with losses up to $200,000. One member received an email from the purported seller of a property requesting a wire transfer. Despite the use of two-level confirmation practices, hackers had accessed the seller’s email and learned the steps necessary to verify a transaction, then called to confirm the instructions as required.
In 2017, hackers accessed the email of a small law firm and requested a $580,000 wire. Posing as an employee, the hacker claimed a client needed the funds quickly, but he was out of the office and couldn’t authorize it. The wire was completed, and courts later held that the request was made by an authorized employee of the firm and the bank could not be liable for “a mistake by the sender that could be neither known nor anticipated by the bank.”
Lawyers are also targeted for incriminating information on others. In 2016, a hacker cited income inequality as the motivation for releasing 11.5 million documents – the Panama Papers – taken from the email servers of law firm Mossack Fonseca. Some records showed evidence of fraud, tax evasion and evasion of international sanctions by offshore entities, wealthy individuals and public officials. Security experts noted Mossack Fonseca was running a three-year-old version of its content management software and outdated plugins and did not segment its email and web servers.
Today, agents, InsurTechs and carriers are introducing innovative ways to protect lawyers. Cybercrime policies reimburse the loss of monies or securities via computer, wire or social engineering fraud. First party coverages pay legal fees, regulatory fines and notification expenses if client records are fraudulently accessed, while third party coverages pay for legal liability for network security failures that create such access, prevent authorized use of computer systems, or transmit malicious code. Business interruption coverage replaces lost income if a law office cannot provide critical services and can sometimes reimburse future lost business from customer attrition.
Protections also exist for invoice manipulation, where an actual, but fraudulent, invoice is paid, while betterment clauses pay for upgraded security software after an incident. Events like power outages or human error can be covered, as can preventative shutdowns to thwart a known cyber threat or to add system patches. And lawyers who are required by contract to add clients as additional insureds can find forms that do this automatically.
Recognizing the interplay of technology, governance and insurance, many of these policies also offer loss mitigation and remediation services and insights into cyber risk best practices, including password managers, network security assessments and employee training, and the advice of an incident response coach after a loss. InsurTechs are also leveraging AI, machine learning, smart contracts and blockchain to improve enrollment and claims processes.
Today, many lawyers are upgrading technology and governance to address cyber exposures. But more than 100 law firms have reported data breaches in 14 states since 2014. No software or training can prevent all cyberattacks. Only with robust cyber insurance can those in the legal profession truly manage the impact of cybercrime.
Kirsten has 25+ years of cross-sector experience in risk intelligence, information management, and policy expertise. As CEO of big data and cybersecurity companies, she has led the strategy and development of next-generation analytics and attack detection methodologies. She’s served on committees developing cyber policy for the intelligence community, collaborated on information studies for federal agencies, and presented national security and critical infrastructure concepts at industry events.