Citibank’s concerns are supported by findings from the cybersecurity firm Mandiant, which says that at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011.
What should law firms be doing to mitigate the very real — if not imminent — risk of cyber-breaches whose consequences can often be devastating both to the firm and to its clients?
Sharing Best Practices and Risk Information
Mounting pressure on law firms to strengthen defenses against security breaches has resulted in five AmLaw 100 and two Magic Circle firms working to create an alliance that would enable them to share information with each other about cyber-threats and efforts to reduce them. This initiative is affiliated with the Financial Services Information Sharing and Analysis Center, a financial industry forum focused on cyber-threat discussions. The core group of law firms will be encouraged to share intelligence about cyber-threats with other law firms as well as to receive information from major financial institutions about possible threats.
This is an encouraging cooperative step by the legal industry, even if its impetus appears to have come from the business community, not organically. It underscores the need for law firms to forge meaningful “partnerships” with clients and industries they serve for reasons other than economic gain. It also highlights the extent to which the IT vertical is now horizontal and is deeply enmeshed in the delivery of legal services. Whereas client data was once housed in self-contained, secure offices, it is now exposed to the ingenuity of remote hackers neither seen nor easily detected. Client confidentiality — the essence of the attorney-client relationship — is facing a new risk that is grave, pervasive, and sophisticated.
Law Firms and Cyber-Insurance
Law firms carry Lawyers’ Professional Liability (“LPL” or “legal malpractice”) coverage to provide economic protection (indemnification) for liability resulting from their services — including cyber-breaches affecting clients. But not all policies are alike, either as to policy limits, deductibles, terms, or exclusions, and this applies especially to LPL policies and cyber-security breaches. Simply put, the vast majority of major law firms do not have stand-alone cyber-security policies that would afford them maximum indemnification in the event of a breach. Instead, most rely on LPL policies that provide partial, but not complete, relief in the event of a successful cyber-attack.
Roger Marks, a former insurance attorney turned senior manager at a leading insurance brokerage, told me recently that “significantly less than half of AmLaw 100 firms do not have stand-alone cyber-insurance coverage even though it is readily available, can also provide access to critical experts, and is inexpensive relative to what it provides.” It seems odd that law firms — who are in the business of identifying and mitigating risk — would not do all they could to mitigate the risk emanating from a cyber-breach, especially if the cost to do so is not great.
So What’s The Coverage Issue?
As so often happens when new types of exposure arise, insurance companies are ahead of consumers in developing products to cover them. Cyber-security coverage is no exception.
LPL policies generally respond to claims based upon a breach of client confidences occurring through an electronic medium in the same way they respond to lost documents. The problem is that with the proliferation of cyber events, the law governing breaches has developed rapidly and can result in required actions, damages, and costs not contemplated by insurers. These include, among other things, public relations costs, business income (reputational risk or lost opportunity costs), and the considerable expense to recreate/rebuild data and programs. Also, coverage may not be provided when — as often occurs — the data was handled by a third-party IT provider rather than by the firm directly.
“Enhanced coverage” to address the heightened cyber threat is beginning to be provided by some LPL insurers, including the Attorneys’ Liability Assurance Society, a “captive” mutual insurance company owned by the 235 member law firms it insures. Among its limitations: it does not address governmental investigations or claims brought against the firm by employees affected by a breach, is limited to data in electronic format, and provides no relief for business interruption or data recreation expenses.
There is a robust marketplace for stand-alone privacy and security (“cyber”) coverage. This provides greater coverage for claims by clients (“third-party coverage”) in addition to providing coverage for loss the firm may suffer outside of the client relationship (“first-party coverage”) that includes such things as business interruption and resultant economic loss, investigations, and public relations, as well as for claims by employees arising out of a breach. Further, the coverage often comes with pre-negotiated breach advisors, including breach coaches/counsel and forensic experts. Claims are managed by personnel experienced in cyber breaches. Roger Marks analogized stand-alone cyber coverage to kidnap and ransom insurance: “when called upon, the experts connected to the coverage can be as critical as the insurance.”
Cybersecurity has become a critical issue for legal service providers, both law firms and in-house legal departments. A recent Robert Haft survey revealed that more than 80 percent of GCs polled responded that cyber is their number one concern in 2015. It is surprising, then, that more law firms do not invest in stand-alone cyber policies — and that more GCs do not ask whether they maintain such coverage. It’s one more example of legal practice change and how technology — for better and, at times, worse — is shaping it.