Ransomware Basics
Among cyber maladies, ransomware alone is estimated to cause losses in excess of $1 billion. So what is ransomware? Ransomware is a distinct type of malware that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker. It then directs the user to pay a ransom to the hacker, typically by way of a cryptocurrency like Bitcoin, to receive the decryption key. Some of the most common avenues of attack are phishing emails, malvertising, and network penetration. Phishing emails carry a malicious attachment or instruct recipients to click on an item that downloads malware to their computer. Malvertising delivers malware through infected ads on a site the user visits. Network penetration is a very common method in which the hacker exploits a system vulnerability.
Law Firm Sues for Coverage
In May, a Rhode Island law firm sued its insurer over coverage related to a ransomware attack. In its complaint, Moses Afonso Ryan claims its insurer, Sentinel Insurance, unjustifiably refused to provide coverage for a decrease in business caused by the attack, which held its business files hostage, even though the policy covers business income interruptions. According to the complaint, the firm’s computers became infected when an attorney clicked on an email attachment. The attack “took over and encrypted all of the documents and information” contained on the firm’s network. “During the three months that the documents and information . . . [were] held captive . . . the attorneys of the firm were unproductive and unable to work at a reasonable efficiency.” The firm ultimately paid $25,000 in ransom and claims it suffered a reduction of more than $700,000 in billings for the three months of interruption. Sentinel responded that it paid the firm’s policy maximum of $20,000 for losses caused by computer viruses but that it has no legal obligation to cover other ransomware losses. In particular, Sentinel claims that the policy coverage for lost business income, which the law firm is seeking, applies only when there is physical loss or damage to property at the business premises. The outcome of this action merits watching, but the case also underscores the importance of understanding how a potential loss could affect coverages within a policy.
Cyber Policy Coverage
So what do cyber policies add on top of a firm’s professional liability policy? Typically, a lawyers’ professional liability (LPL) policy may cover third-party liability claims arising from data and network security breaches, particularly when they involve client information, but these claims usually require some alleged wrongful act in the conduct of legal services. Cyber policies, on the other hand, often cover network or data breaches with no requirement that they be connected to professional services, and typically pay for direct expenses associated with a hack. The direct costs a firm incurs in responding to an attack are not usually covered by LPL policies. These can be significant and include forensic investigation, legal advice on responding to the attack, costs to notify affected clients, responding to potential regulatory actions, costs of ransom, and public relations. Potentially covered items under a cyber policy also include attacks involving employee information and a breach at an outsource or cloud provider involving the firm’s data. Finally, certain “network security liability risks” may not fall under an LPL policy but can be affirmatively covered by a cyber policy, notes Michael Born, vice president of Global Technology and Privacy Practice at Lockton Companies. These include transmission of malware from a law firm’s network to a third party and damages related to an authorized user’s inability to access the network due to the attack.
Law Firms Slow to Procure Cyber Insurance
Despite availability, law firms are not among the largest contingent of purchasers of cyber-attack policies, according to Stephanie Snyder, senior vice president at Aon Professional Risk Solutions. About 30 to 40 percent of companies have specific cyber insurance, but law firms have not been as quick to purchase, says Snyder. According to the ABA’s 2016 Legal Technology Survey Report, this is borne out by the following: “The percentage of attorneys reporting that they have cyber coverage is small, 17 [percent] overall (up from 11 [percent] in 2015). It gradually increases from 16 [percent] for solos to about 20 [percent] for midsize firms and only 15 [percent] for firms of 500+.”
According to LogicForce’s 2017 Law Firm Cyber Security Scorecard—Q1, a study that surveyed 200 firms, “every law firm assessed was unwantedly targeted for confidential data in 2016–2017.” The survey also found that cyber attacks on law firms are nondiscriminatory. Like the ABA survey, it found that approximately 77 percent of responding firms did not maintain any cyber insurance coverage. Of the 23 percent of firms that carry cybersecurity insurance policies, coverage amounts ranged from $1 million to $25 million.
Ransomware is a voracious threat. According to Verizon’s 2017 Data Breach Investigations Report, which “delves into the murky world of cybersecurity,” “ransomware is big business.” It moved up from the 22nd most common form of malware in 2014 to number 5 and is the most common in “the Crimeware pattern.” As noted in the report, “[f]or the attacker, holding files for ransom is fast, low-risk and easily monetizable—especially with Bitcoin to collect anonymous payment.” In light of WannaCry and the escalating onslaught of ransomware attacks, it is critical that businesses, law firms, and attorneys assess and determine if they have adequate cyber risk protections, including cyber insurance. If not, one important aspect of a data security plan worthy of consideration is cyber insurance.