Litigation News


Increasing Ransomware Attacks Serve as a Reminder to Consider Cyber Insurance

Daniel S Wittenberg


  • In the face of growing cyber risks, procuring cyber insurance is an increasingly important business decision. 
  • This area is becoming the insurance industry’s fastest growing product and is expected to reach $7.5 billion in annual sales by 2020.

Cyber attacks are on the rise. Their destructiveness is increasing. Cyber crime costs increased by a factor of four from 2013 to 2015 and are expected to quadruple again through 2019. In the face of growing cyber risks, procuring cyber insurance is an increasingly important business decision. This area is becoming the insurance industry’s fastest growing product and is expected to reach $7.5 billion in annual sales by 2020.

In fact, earlier this year, the ABA began offering cyber liability insurance to lawyers and law firms. “Cyber insurance coverage is a valuable and practical member benefit for lawyers offered through the ABA Insurance portfolio,” says Linda Klein, the ABA president under whom this product rolled out. “As the number of cyber breaches increases everywhere and throughout all industries, it is critical that lawyers and law firms that rely on vast amounts of electronic data are protected,” Klein adds.

Ransomware Attacks on the Rise

Prescient in its timing, the unveiling of this new offering was followed just a few months later by the global WannaCry ransomware attack. While cyber-crime insurers largely avoided costly claims from recent attacks, it is expected that the next events may significantly affect insurers. “It would only need a combination of WannaCry’s wide reach and Petya’s destructive force to cost cyber insurers something like $2.5 billion, or a full year of gross premium income in the market,” says Graeme Newman, chief innovation officer at CFC Underwriting.

A month after WannaCry, another ransomware attack struck big law. DLA Piper, a target among a number of organizations, including Merck & Co. Inc., had to shut down while it attended to the event. Much like WannaCry, the recent attack requested a $300 bitcoin payment to obtain a decryption code to unlock the organization’s materials. “Law firms are certainly attacked by ransomware on a regular basis,” says Adam Cohen, a managing director with data security expertise at the Berkeley Research Group, “but I don’t know of anyone being shut down like this.”

Ransomware Basics

Among cyber maladies, ransomware alone is estimated to cause losses in excess of $1 billion. So what is ransomware? Ransomware is a distinct type of malware. It attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker. It then directs the user to pay a ransom to the hacker, typically by way of a cryptocurrency like Bitcoin, to receive the decryption key. Some of the most common avenues of attack are phishing emails, malvertising, and network penetration. Phishing emails carry a malicious attachment or instruct recipients to click on an item that downloads malware to their computer. Malvertising infects users who visit a site that contains infected ads. Network penetration, in which the hacker exploits a system vulnerability, is a very common method.

Law Firm Sues for Coverage

In May, a Rhode Island law firm sued its insurer over coverage related to a ransomware attack. In its complaint, Moses Afonso Ryan claims its insurer, Sentinel Insurance, unjustifiably refused to provide coverage for a decrease in business caused by the attack, which held its business files hostage, even though the policy covers business income interruptions. According to the complaint, the firm’s computers became infected when an attorney clicked on an email attachment. The attack “took over and encrypted all of the documents and information” contained on the firm’s network. “During the three months that the documents and information . . . [were] held captive . . . the attorneys of the firm were unproductive and unable to work at a reasonable efficiency.” The firm ultimately paid $25,000 in ransom and claims it suffered a reduction of more than $700,000 in billings for the three months of interruption. Sentinel responded that it paid the firm’s policy maximum of $20,000 for losses caused by computer viruses but that it has no legal obligation to cover other ransomware losses. In particular, Sentinel claims that the policy coverage for lost business income that the law firm seeks applies only when there is physical loss or damage to property at the business premises. The outcome of this action merits watching, but it also underscores the significance of understanding how a potential loss could affect coverages within a policy.

Cyber Policy Coverage

So what do cyber policies add on top of a firm’s professional liability policy? Typically, a lawyers professional liability policy (LPL) may cover third-party liability claims arising from data and network security breaches, particularly when involving client information, but these usually require some alleged wrongful act in the conduct of legal services. Cyber policies, on the other hand, often cover network or data breaches with no requirement of being connected to professional services, and typically include paying for direct expenses associated with a hack. Direct costs of a firm responding to an attack are not usually covered by LPL policies. These can be significant and include forensic investigation, legal advice on responding to the attack, costs to notify affected clients, responding to potential regulatory actions, costs of ransom, and public relations. Potentially covered items under a cyber policy also include attacks involving employee information and a breach at an outsource or cloud provider involving the firm’s data. Finally, certain “network security liability risks” may not fall under an LPL but can be affirmatively covered by a cyber policy, notes Michael Born, vice president of Global Technology and Privacy Practice at Lockton Companies. These include transmission of malware from a law firm’s network to a third party and damages related to an authorized user’s inability to access the network due to the attack.

Law Firms Slow to Procure Cyber Insurance

Despite availability, law firms are not among the largest contingent of purchasers of cyber-attack policies, according to Stephanie Snyder, senior vice president at Aon Professional Risk Solutions. About 30 to 40 percent of companies have specific cyber insurance, but law firms have not been as quick to purchase, says Snyder. According to the ABA’s 2016 Legal Technology Survey Report, this is borne out by the following: “The percentage of attorneys reporting that they have cyber coverage is small, 17 [percent] overall (up from 11 [percent] in 2015). It gradually increases from 16 [percent] for solos to about 20 [percent] for midsize firms and only 15 [percent] for firms of 500+.”

According to LogicForce’s 2017 Law Firm Cyber Security Scorecard—Q1, a study that surveyed 200 firms, “every law firm assessed was unwantedly targeted for confidential data in 2016–2017.” The survey also found that cyber attacks on law firms are nondiscriminatory. Like the ABA survey, it found that approximately 77 percent of responding firms did not maintain any cyber insurance coverage. Of the 23 percent of firms that carry cybersecurity insurance policies, coverage amounts ranged from $1 million to $25 million.

Ransomware is a voracious threat. According to Verizon’s 2017 Data Breach Investigations Report, which “delves into the murky world of cybersecurity,” “ransomware is big business.” It moved up from the 22nd most common form of malware in 2014 to number 5 and is the most common in “the Crimeware pattern.” As noted in the report, “[f]or the attacker, holding files for ransom is fast, low-risk and easily monetizable—especially with Bitcoin to collect anonymous payment.” In light of WannaCry and the escalating onslaught of ransomware attacks, it is critical that businesses, law firms, and attorneys assess and determine if they have adequate cyber risk protections, including cyber insurance. If not, one important aspect of a data security plan worthy of consideration is cyber insurance.