Hello, I'm Mark Bassingthwaighte, the risk manager here at ALPS, and welcome to another episode of ALPS In Brief, the podcast that comes to you from the historic Florence building in beautiful downtown Missoula, Montana.
Okay, today it's just me, and we're going to talk about managing cybercrime risks and really looking at the whys behind what it does in terms of obtaining cyber liability insurance. And I really want to dig into this a little deeper. I still get a lot of questions about insurance, what it does, what it doesn't do, and is it necessary, and the list goes on and on and on. So let's hit that topic.
Before we jump into some of the specifics of using insurance to manage your risk, I want to set the stage again, I always start my cyber programs with some information. Let's look at headlines from 2022.
In 2022, 255 million phishing attacks occurred in just six months. Now this is a report done by SlashNext, and they analyzed billions of link-based URLs, attachments, and natural language messages in email, mobile, and browser channels over six months, and that's what they found. And that's a 61% increase in phishing attacks compared to 2021. That's pretty significant. They also recorded a 50% increase in attacks on mobile devices. And I really ask that you pay attention and try to appreciate the significance of that. Cyber criminals really are moving their attacks to mobile and personal communication channels to reach employees. The big attacks right now are scams and credential theft. They're the top of the list, or the desired outcome, with these mobile attacks. And a lot of this will be phishing and smishing, using SMS text messaging as the attack avenue for a phishing attack, if you will. Smishing is combining SMS and the word phishing, so that's how you get to that.
The FBI has reported that cyber criminals are tampering with QR codes in an attempt to steal victim funds. A lot of people will say, "Well, I'm not going to be that exposed to this stuff, and how frequently is all this going on?" I got to tell you, it's getting a little crazy out there. Remember QR codes, for instance, during the pandemic, particularly as things started to open back up and you go out to restaurants. And instead of handing you a menu, they'd have that little QR code, that little box that has all the dots and dashes and little squares and things in it. And you would scan that and it would take you to the menu or a webpage. Well, a lot of these can be faked. People will just create a QR code sticker and put it over.
Think of a parking lot where you go to scan something to pay your bill, your parking fee, and if you're misdirected to a site that looks like the site that you would expect to pay your parking bill for the evening, but it's not, you've just turned over your account information to somebody that doesn't have your best interest in mind. We've seen it in parking tickets, creating fake parking tickets. And again, it'll have the local parking authority logo and the little yellow envelope and they stick it on your windshield. And again, ah, good lord, I got a parking ticket. They make it very convenient to scan the code. It's not real. So we got to be careful.
We're even seeing QR codes being sent via email pretending to be a multifactor authentication process. And the emails may even mimic corporate logos, law firm logos, it could be anything. And people are falling prey to this. So it's just another crazy unusual attack vector that a lot of folks out there really aren't aware of.
There's also a report that 79 million malicious domains were flagged in the first half of 2022. Please understand what that means. 79 million fake websites. Banks, could be anything, anything at all. And again, they're going to look very, very similar to the real thing. That's 79 million opportunities for anyone at your firm, you or any other employee or attorney practicing at your firm. It's just an opportunity for them to do something innocently, naively, but it's just getting scammed, getting taken advantage of.
The final thing I'll throw at you here from 2022: the ABA Legal Technology Survey results reported that 27% of participating law firms reported experiencing a data breach of some kind.
So I try to share all this to get your attention, because we need to always remember that IT support isn't the last line of defense. You and whoever else has access to your office network is the last line of defense. And this has consequences, and it really does. The consequences, you really need to care because as a lawyer, you are a valuable target, particularly those of you who practice in the solo and small firm space. I know a lot of lawyers don't believe that. They just think we're not going to be on anybody's radar. It's a rural practice, as an example. Well, come on, there is no such thing as rural on the internet.
And you're considered in the solo and small firm space sort of the low hanging fruit because the cyber criminals know that you typically don't have the financial wherewithal and oftentimes the deep understanding of everything that could be done. I think the financial wherewithal piece is probably the bigger piece because you just can't throw around the same kind of money that a company like Microsoft does around their cloud, protecting your data there as an example. So you're sort of viewed as the low hanging fruit.
And you really need to care because I got to tell you, it's only a matter of time. Robert Mueller, if you remember, the former director of the FBI, famously said, "There are only two types of companies, those that have been hacked and those that will be hacked." But actually, almost at the time he said that, that kind of statement was out of date. It really should be something more like there are only two types of companies, those that have been hacked and those that don't know they've been hacked. I mean, I'm not trying to be melodramatic about it, I'm just sharing. It's not if, it really is when.
Now this presentation really isn't about all the things that you can do to prevent becoming a victim. I have lots of other materials, podcasts, CLEs, webinars, all sorts of stuff that can go there. I will share that there is a checklist, a cybersecurity checklist available, if you have any interest, on our website. Just go to the homepage and under resources, scroll down a little bit, you'll see sample forms and checklists. Check there and you'll go in and there'll be another link to checklists, and the cybersecurity checklist is there, and that might be useful to you.
But I do want to discuss the risk associated with not being proactive with your cybersecurity efforts. And just as an aside, this really in terms of cybersecurity, proactive efforts, that really does need to include social engineering awareness training, even if you're just a true solo and it's you. You need to stay abreast of what's happening. So I'll just throw that out there.
Okay. Some of the risks your firm faces by someone, anyone at your firm, not doing their part. This really is an all hands on deck kind of situation. Well, let me just read some of the things that can go wrong in terms of the types of risk. I mean, we're sort of talking about the legal and financial risks, but there's legal liability to others, employees, clients, third parties, for loss, theft, or unauthorized disclosure of personally identifiable information. And there may be legal liability for the theft of client funds. Think wire fraud or business email compromise, being tricked and scammed into sending typically larger sums of money to the wrong bank, to a cyber criminal. Legal liability for the theft or loss of third party corporate information. Being subject to regulatory action for the failure to comply with state breach notification laws. Having to cover the costs of responding to and recovering from a breach. Damage to your reputation. Loss of revenue due to a breach. These are things to take pretty seriously. I mean, this can get crazy fairly quickly.
I would encourage you to pay attention to this. The typical cost of a network breach for small businesses is currently around $200,000. And I will share that device theft, think of smartphones, jump drives, laptops, et cetera, so theft of these mobile types of devices, along with wire fraud and ransomware, are really common problems we see for law firms in terms of the lawyers and the firms that we insure.
So as an aside, and just again keep your attention in play here, there could be a coverage problem. Think about, a lot of lawyers have fallen prey to various types of financial fraud. But let's just talk about this in the context of wire fraud, being tricked into sending money to the wrong bank because a routing number has been changed and you weren't aware that that change occurred and didn't do anything to try to catch it. And the lawyers will immediately call in and say, "This is malpractice. I got to file a claim." Well, I'm not so sure that that's the case. Theft of funds is a property loss, and malpractice actually doesn't cover property losses.
So wire fraud, theft of funds, can be in many instances an uncovered loss if the only way you're trying to insure for that is through a malpractice policy. Read your policy. This is not unique to ALPS. These policies weren't intended or designed to cover cyber crime. Now, we'll explore that a little bit more here in a bit, but generally, I mean, that's not the purpose behind it. It's really to cover you for professional negligence in the practice of law.
Okay. Now, let's talk about the fallout. So let's assume, I'm not going to say this never happens, but we'll see, that there is some type of breach. And I'm not talking about wire fraud here, I'm talking about a data breach so that someone really is in the system. What does that mean? How does this play? Well, you need to understand, we're going to start, if you will, with the response and system recovery. So someone needs to come in, typically a forensic team, an IT forensic team, that typically is not your IT support. These folks typically know a great deal about how to protect you, but often don't have the skillset to do the forensic piece once there is a breach. That's a different group.
So they're going to come in and they need to understand the breach, try to figure out what happened and terminate it if it's still going on. There may be programs that have encrypted your system and as you try to clean that up may still be there and that can encrypt again. So they have to terminate, try to clean up. This team is going to try to figure out the who, the what, the when, the where, the how. Really understand.
Well, while all this is going on, you don't have access to your network. They need to image typically the entire network. And that's something that doesn't happen... That's preserving the evidence of the crime, and it helps them evaluate and understand, and that doesn't happen in half an hour. So you're not going to have access to your systems and your data while this is going on. Now, how long can that take? It depends on the type of breach and what's going on. If it's just a lost laptop that has some passwords on it, they could probably do a remote kill and try to evaluate whether that laptop and any passwords were used to access the network. So that may be relatively brief. But if there is a major ransomware attack, as an example, and everything's encrypted, it could be days to even several weeks. It just depends. But we need to think through that, and how would that impact your practice? Some it may not be too bad, others, it could really be a pretty devastating event.
So once all that's done, you understand, okay, man, they're starting to build the system back. Phew, we're going to get through this. It's still not over. Every jurisdiction in the United States has their own unique breach notification law and you need to comply with these. And you need to understand too what states are in play. It's not about, well, I practice here in Florida and that's it. If in your database there's information from clients and third parties, and just the list goes on and on, of people in multiple surrounding states, you may have to comply with those state breach notification laws as well. Typically, there's some cost of notifying all the people that have been impacted by this. The cost of compliance. Do you want to pay for credit monitoring? The list just goes on and on. Reputation management, et cetera. This can get expensive. So that can be managed obviously, but I want you to hear and understand, a breach can be significant. It's not just the loss of money, whether that's a ransomware payment or wire fraud, there's lots of other things that can go on.
And you need to think about, there's all kinds of information in your files. There's just gobs of information out there. So again, don't minimize the consequences of a data breach.
Now the good news of course, and where I said I'd go with this was, that you can manage this risk with the purchase of a cyber liability insurance policy. And of course, I would always couple that with following through on cybersecurity best practices. You'll get a reference to a lot of things in that checklist. There are other proactive things you can do, making sure that there's robust security software running on all the mobile devices at work or anything that's used for work. So work from home folks, if they're using personal devices, we need to protect these things. But let's focus on this insurance piece.
At the outset, I do want to share that the purchase of cyber insurance, depending on how much coverage you'd like, the type of coverage you're looking for, how big your firm is, this discussion, sort of tangential discussion on security best practices, getting back to that checklist, is important because an insurer may make it a requirement that you do certain things. You may have to have multifactor authentication in play. They're just going to be looking and asking questions about, what is your security posture? What steps have you taken? What processes are in play? Do you use out-of-band communications as an example to verify the accuracy of all wiring instructions prior to wiring funds? So there are a variety of things that can be important here.
So the accuracy of the information you provide in terms of the application going through the process is going to be very, very important. You don't mislead. Don't lie. Say, "Well, I know this is what they want to hear, this is what they want us to do, and we try, but this is our intent." If post breach an insurer learns that you in fact weren't doing all that you said you were doing on the prevention front, you may have a serious, serious coverage problem. So I do want to focus here just a side moment on these security best practices. That can be very, very significant.
But what basically does cyber liability insurance provide? What do you get for your premium dollar? It's really looking at providing coverage for the type of losses I had talked about a bit. Commonly, you're going to see these policies cover business interruption, as an example. So that would be covering the loss of income and forensic expenses sustained during the period of restoration after the breach. Now, that coverage may be contingent upon a short waiting period. Media liability. So that's things like copyright or trademark infringement, malicious defacement of a website, and libel.
Data recovery. So we're talking about the reasonable and necessary costs incurred in order to regain access to, replace, or restore data, or the reasonable and necessary costs incurred in order to determine that the data cannot be accessed, replaced, or restored. So think ransomware as an example. And then sometimes you might even pay for a decryption key that doesn't do much, or you might've been impacted with wiperware and your data's just been erased and destroyed. So there's some cost in terms of trying to figure out, what can we get back and is it doable?
Privacy breach response. So that's the expenses associated with complying with relevant breach notification laws. We had talked about that. Look for a policy that includes coverage for the cost of privacy counsel, forensic investigators, and notification and credit monitoring services.
It will also provide typically, again, data and network liability. Now, these are the damages and expenses related to claims resulting from a breach of data in your control or a third party's, and damages and expenses resulting from a security breach. Examples of a security breach would include unauthorized access or use of network resources, a denial-of-service attack, an insertion of malicious code, if somebody downloads something and it's maybe a keylogger or just tracking what's going on on your network, and the transmission of malicious code from your network, so someone's using your network to harm somebody else.
Crisis management. This is the expense associated with bringing in outside experts to investigate the incident and fix the problem. And with some policies can include the cost of a public relations consultant.
Cyber extortion. This is the expense associated with investigations and paying for the return of or gaining back access to data. Now, one thing to be aware of with cyber extortion, it is pretty common in the cyber insurance space that you need permission in advance from the insurer to make that ransom payment. It has to do with regulations that monies can't be paid to nation states. You don't want to pay the Iraqis, as an example, their military. And they're very involved in ransomware. So there's some issues there. But I'm just making you aware of that little side note, but typically money is available in terms of reimbursement.
Fraudulent instruction. This is a loss resulting from the transfer of funds after relying in good faith on an instruction that was a misrepresentation of a material fact. Now again, coverage may be contingent upon an out-of-band communication taking place. Again, if you're not familiar, an out-of-band communication is, let's say that the wire fraud instructions come via fax. So that's the inbound communication channel. An out-of-band communication channel means we changed the communication channel for an outbound communication in an attempt to verify the accuracy of the information that was received in the inbound communication. So incoming fax, wire instructions. I pick up the phone with a previously verified number from whoever sent the fax, and I will read the information: "Hey, Sue. I just want to verify, thanks for sending over the fax, got everything. Is this information correct?"
Because these things can and have been and will continue to be intercepted and changed. So if a call comes in, it could be a deepfake audio. And I'm telling you folks, this has happened. You're not talking to who you think you're talking to so you have the information. So use a different communication channel to reach back out and confirm. That's an out-of-band communication. That's what we mean by that.
Some other benefits from cyber liability insurance. It can cover regulatory defense and penalties. These are the expenses and penalties that an insurer is obligated to pay as a result of a regulatory proceeding that arose due to a data or security... My tongue is getting twisted today. A security breach.
And finally, payment card liabilities. So it might be PCI fines, the payment card industry PCI fines, costs, and expenses an insurer is legally obligated to pay as a result of a data or security breach.
So these are some of the common coverages you will typically find in a cyber liability policy. And again, that's some pretty thorough stuff and can really help you manage the risks and get through this, in again, the event that there is a significant data breach of some type.
Now, a few things to keep in mind and just be aware of. There are going to be exclusions for war and state sponsored attacks. I would think that wouldn't be much of a surprise. But the current Russia-Ukraine war is one obvious example as to why. NotPetya, which was... It looked like ransomware. Russia released it into the wild prior to the onset of the war, but leading up to it, in an attempt to really do some serious damage in Ukraine. But it just spread and went global. And that NotPetya was what we call wiperware. It looks like ransomware, acts like ransomware, but the intent is not to hold your data ransom for some payment, the intent is to wipe your data, just get rid of everything. That's not good. And it is nasty, nasty stuff.
Also be aware that these policies cover data. They don't cover hardware. If you have a lightning strike and your server's just toast, a cyber liability policy isn't going to respond. That would be something you'd cover under your general insurance, your business owner's policy or your commercial package, whatever that might be.
Some common exclusions just to be aware of: breaches that occurred prior to the effective date of the policy. Now there's a growing move in this space to kind of be a little more liberal with that in terms of this insurance space because it's just very difficult to try to figure out when these things occurred.
But if you are breached and you know it, and you come and buy a cyber liability policy, the house is already on fire, that's not going to work. You would have to have absolutely no idea that a breach occurred. Because sometimes these people can be in your system for months and sometimes even a year or more. That's just the way it is.
Insider attacks. If somebody in your employ, another attorney in the firm, just makes bad decisions for whatever reason and does a lot of damage, again, insider attack, that's not going to be covered.
And some policies, think about what I'm about to share here, phishing scams are often not covered or may be subject to a sublimit. And really what that's talking about and getting to is yet again, wire fraud, business email compromise. It's the loss of funds. Other examples might be someone who's tricked into buying a bunch of gift cards to pay something. Turning over credit card information.
You might ask if there's a social engineering endorsement available that might pull some of this back in. And again, if there is coverage under the policy, typically it's a sublimit and it's not going to be as high as the general limits of the overall cyber liability coverage that you might purchase. So for example, let's say you buy $250,000 in coverage, the sublimit on these kinds of theft of funds might be just 10% of that, so 25 grand. You could also look at getting some coverage under a crime policy, and that's probably the most effective way to try to get this covered. But every carrier is going to be different. I'll come back to that here in a moment.
Also, an attack resulting from a failure to correct a known vulnerability. So if you are continuing to use outdated systems because hey, Windows 8 still works wonderfully, even though you know that it's no longer supported and there are no security patches or updates, where, as a result of that, you're not keeping systems current and patched and there's a breach. If you're using unpatched systems, outdated systems, that may void coverage for anything. So you need to just be aware.
There are different types, different ways I guess to say, to get into this. A lot of malpractice carriers have what I would say is an add-on. It's sort of in part... Maybe the best way to say it is, it's some type of cyber endorsement to a malpractice policy. And that's not bad, don't get me wrong. It's better than nothing. But understand these endorsements, these add-ons, often come with lower limits and less broad coverage. And part of the reason that that's the case is due to limited, and at times even no, underwriting being involved in that cyber insurance piece. You can opt in. Sometimes it just is automatically there depending on the carrier. So again, it's important to have some type of cyber coverage, but I need you to understand if you're not really reading these policies, these endorsements, and really understanding what they do and don't do, you might be running with some assumptions. I really prefer to see a freestanding cyber policy.
And just as an aside real quick. I shared that this add-on and the automatic, if you will, endorsement is in some malpractice policies. You'll also see that at times in some business owner package policies as well. But again, the same issue is in play. It's not as austere. Just not as broad. Limits aren't going to be as high. So I would encourage you to look at standalone coverage.
How much? Boy, that is a tough one. I would say in the solo and small firm space, I would want to at a minimum be looking at a quarter to half a million, and understanding that we're talking about the expenses and consequences of a data breach as opposed to theft of funds. I'm going to look at theft of funds perhaps at a higher amount separately, just depending on how much money you're moving through your accounts.
And also, just as an aside, some of the cyber policies, even the standalone policies, will cover theft of your funds, but not theft of client funds. So if money is accidentally wired, firm money wired to a wrong vendor, making a payment of some sort out of the operating account, okay, cyber will cover that. You wire $850,000 of client funds out, the cyber policy may not cover that at all. So you really need to ask and look into this. Because it's again another reason to look at a crime policy or a crime endorsement and see what you can do there. You may need to have several different policies in play even to get to whatever total you're looking at.
If you can get to a million, even better. But again, I don't know enough about your individual practices and firms in terms of how valuable the data is. How much do we have here? That's something you're going to have to maybe talk with an underwriter or a marketing person, a business development person, with your insurer, to really get a better idea of what to do there.
The final thing I want to throw at you is just know that these policies differ, at times substantially, between insurers. So it's worth at times shopping the market a little bit. Prices can be quite variable as well. A lot of the variability goes with just what coverage is being offered. If you have a policy that's going to cover your money and client money as an example, that's going to be more expensive than a policy that doesn't cover any loss of funds in terms of wire fraud and these phishing scams. So again, you have to make sure you're comparing apples to apples.
But know that this is a very dynamic market relative to life insurance and lots of other... They've been around for decades and decades. This is new stuff. And the risks are changing almost daily. It's very difficult for an insurer to really understand what their exposure's going to look like two or three years down the road, based on what the risk analysis is today. Who knows? AI as an example. How is this going to change things? How significant will deepfakes become? They are already in play, so please... But I'm just trying to share, can you appreciate how challenging it is? An insurer has to set premium on an unknown risk. It's changing and evolving very quickly. So that's why you will experience and see great differences perhaps in coverage, differences in premium, et cetera. So it's really worth sitting down and talking with someone about how to move forward and what might be best for your situation.
So that's really all I have on cyber liability. I hope you found something of value. And I like at times to go back and say, "What are the takeaways here?" And the biggest takeaway for me, if I'm sitting in your shoes, if you have not already done so, I strongly encourage you to consider adding cyber liability insurance to your insurance portfolio. In my mind, I just honestly have seen too much. And I truthfully can say I've been involved post breach with a number of firms in a number of different situations, and more than a few really never recovered. The financial hit was just too much, and that was that. So I want to make sure, my hope is that you hear, that there's some learning that we can obtain from the experiences of others. So I'll leave it at that.
Again, I'm Mark Bassingthwaighte. If you ever have a need, desire, concern that you want to talk about, please don't hesitate to reach out. My email is email@example.com. You do not need to be an insured to visit with me. There's no cost. I'm hired to be a risk manager for the bar at large. I'm hired to be your risk manager. So if there's ever anything I can do on cybersecurity, explaining insurance, and a lot of lawyers have questions about legal malpractice insurance and other types of coverage, happy to talk. Ethics, malpractice avoidance, [inaudible 00:41:54], whatever, I'm here. That's it. Bye-bye all.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.