Insurance companies are among the growing chorus of those who say it’s not a matter of if your law firm will get hacked, it’s a matter of when. And that has given rise to more carriers offering cybersecurity insurance.
“If I could convince people of one thing, it’s that security by anonymity is false. It’s not your typical hacker in a basement wearing a hoodie that’s trying to get into small law firm’s systems,” Patrick Brown, Lawyer’s Mutual Director of Information Security told me in a recent interview. “It’s really bots circulating out there. It’s any home appliance, computer, tablet or smartphone connected to the Internet that gets infected with malware that goes around looking for unlocked doors.
One of the common things we see is a firm will want cyber coverage, but what they’re really asking for is protection from the wire fraud scams that have become so prevalent in the last five or six years. A standard cyber insurance policy is a breach policy that covers first and third-party calls associated with the aftermath of a data breach,” said Brown. “If coverage for funds transfer fraud is desired, some carriers require dual authorization for all wires over $25K.
If a criminal tricks an attorney or one of the firm’s employees into voluntarily giving away your money, your client’s money or sensitive information, such as a spoofed phishing e-mail from a colleague it’s called ‘social engineering fraud’. This is not covered by most cybersecurity insurance policies. It really comes down to a matter of training.
I tell law firm clients to train their employees not to click on everything that looks interesting. I recommend this training be done with your staff at least weekly in small bite-sized chunks; just a few minutes per week, and then performing simulation tests to track which staff members are absorbing the material properly and which staff members are presenting a risk to your firm.
I recommend vulnerability tests and penetration tests to score your practice cybersecurity and fill the gaps. Penetration tests can typically be done in the $5,000 to $15,000 range depending on the size of the firm and the time spent on each IP address/system.
Most insurance carriers will require a law firm to have basic cybersecurity, which they should already have in place such as using complex passwords. They should be changing their passwords every couple of months, not using the same passwords anywhere else. Enable multi-factor authentication. Encrypt everything; websites, storage, backups, email and keystrokes. Use commercial antivirus software and email. Avoid free software or free services such as Gmail, Yahoo, AOL, etc. Perform backups as often as possible and test them.
Some law firms may be depending on the vendors of practice management software to keep things secure. Hopefully they’ve implemented encryption on, at the very least, their mobile devices. But it’s not the vendor’s responsibility, it’s the law firm’s.
Do Balancing Analysis
“While the sky is the limit in terms of what you can spend on cybersecurity, it often comes down to dollars and cents. How sensitive is the information you are protecting and what is the damage caused by a breach versus the cost and inconvenience of taking the necessary security measures? You have to do that balancing analysis for your client’s data,” said Brown.
“Most small companies like law firms who have had a cyberattack go out of business within six months because they’ve had a loss of trust and a loss of reputation with their clients. In the event of a breach, the cost per record is $200 for the forensics, the recertification and everything else. Firms may have records going back 30 or 40 years. High volume firms such as real estate, personal injury and criminal defense firms could have tens of thousands of clients and millions of dollars in costs just responding to the breach,” Brown told me.
Even if they have insurance, the policies for small firms cap out at one to two million dollars. It’s so important to spend a little money up front to reduce the number of breaches,” said Brown. “It seems that some small firms are still reluctant to purchase cyber insurance policies that cost somewhere in the $ 2,000 range. That’s a lot of money for some small firms. The average cost for a breach is half a million dollars; so, it’s $2,000 now or half a million dollars later.”
Clearly your best defense from a cyberattack is a three-prong approach that includes training, prevention and cyber insurance.