In 2023, Law Firms are Facing More Attacks than Ever Before
Cybercriminals are more active than ever before, and they now have the knowledge and experience to target industries that were previously untouched. Until recently, the obvious “big targets” such as retail, the payment card industry, financial services, and government absorbed most of the attention. New attack techniques have let cybercriminals get creative and find revenue in entirely new industries.
Law firms are now at an all-time high risk of cybercriminal activity. In fact, the 2021 Legal Technology Survey Report from the American Bar Association shows that roughly 25% of respondents had experienced a cybersecurity breach, with the percentage rising sharply depending on the size of the firm. (American Bar)
To counteract this threat, most law firms have insurance policies in place that cover events such as a data breach or cyber attack. There is a catch to this coverage: it requires extensive cybersecurity controls to be in place. The following controls are just a small sample of the practices most cyber insurance carriers require: multi-factor authentication on all email accounts, an endpoint detection and response (EDR) tool, a managed detection and response (MDR) team monitoring the security tools, controls over sensitive data, and secured remote access. If you are a senior partner or stakeholder at a law firm and know that one of the above controls is missing or incomplete, your firm may be failing to meet basic cyber hygiene. It is critical that law firms with cyber liability insurance actually enforce the security measures they attested to on the application for coverage: a control that was declared on the application but is not in place can give the carrier grounds to deny a claim or rescind the policy.
How do I enforce cyber liability insurance compliance at my law firm?
Assess: Start with a third-party IT and cybersecurity assessment. Without knowing where your firm currently stands, it is impossible to gauge vulnerabilities, risks, and coverage gaps. Insurance is just one small part of a cybersecurity program. While the insurance application contains questions and metrics that gauge basic security, an independent assessment is the best way to ensure your posture has been properly evaluated. Insurance forms also ask about any recent assessments.
Foster: Fostering a culture of cybersecurity and the so-called “Human Firewall” is essential for any law firm. According to IBM’s 2020 Cost of a Data Breach Report, 23% of breaches were caused by human error. (IBM) Implement managed phishing training, in which a security team sends your users simulated phishing emails and provides additional training to anyone who clicks a link. In addition, consider holding cybersecurity lunch-and-learns, where a professional trains users on security awareness and opens an internal dialogue.
Implement: One of the most important ways to ensure cyber liability insurance requirements are met is to deploy the solutions the application asks for. While every firm differs, there is generally a core set of solutions required for basic compliance. At the very top of the list is Endpoint Detection and Response (EDR). EDR goes beyond traditional antivirus: it continuously records process, file, and network activity on your firm’s laptops, desktops, and servers so that suspicious behavior can be detected, investigated, and contained rather than only matched against known malware signatures. A security team, called a managed detection and response (MDR) team, watches the EDR alerts around the clock and investigates suspicious activity before it leads to a compromise.
Protect: The core target of cyber attacks against law firms is client data. Attackers who obtain sensitive client information can use it to extort the firm, for example by threatening to publish it. Cyber insurance providers know these are common targets and ask a series of questions to confirm a firm is properly securing this data. Controls such as data encryption, backup security (including copies that an attacker on the network cannot reach or alter), and even data loss prevention (DLP) solutions are becoming required standards. These controls are usually complex and can affect the availability of the data they protect. The last thing a firm wants is to encrypt its most important data without a tested key-management and recovery process, leaving the data unreadable to the firm itself. Engaging a third-party resource that specializes in data compliance and security is a best practice that can help meet insurance requirements.
Enforce: You must inspect what you expect. Ultimately a firm will only achieve security compliance by thoroughly auditing its policies and maintaining adherence to them. Without administrative policies to guide the technical implementation, security will be unguided, ad hoc, and disorganized. Creating policies, roadmaps, and plans of action is exactly what cyber liability insurance requires. A virtual CIO or CISO who understands the legal industry is a cost-effective way to develop such a plan under the guidance of an experienced consultant.
Why are Cyber Liability Insurance Requirements Harder to Meet Every Year?
Imagine applying for coverage on a 1960s car with no modern safety features and no seatbelts, driven by a new driver. The rates would be astronomical, if the car and driver were covered at all. This is the equivalent of the cybersecurity posture of a majority of law firms, and insurers have taken notice and drastically increased their requirements. It is up to the stakeholders and senior partners to ensure their firm meets these requirements. Achieve compliance by assessing your firm’s IT, fostering a culture of security awareness, implementing monitored security services, protecting your sensitive information, and enforcing policy compliance with audits.