Here are three startling statistics:
1. Who’s at Risk
When asked, 66 percent of firms admitted that they had been the victim of either a data breach or a phishing attack. The impact of these attacks varied by firm: some suffered only a basic nuisance attack, while others had their systems crippled and were threatened by criminal hackers.
2. Who Has Financial Protection
While some law firms may have limited coverage through their professional liability, general liability or crime policies, only 38 percent have the meaningful cyber coverage found in a stand-alone cyber liability insurance policy. This statistic resonates in our national client base as well. Despite our warning law firms for nearly five years about this emerging and serious risk, only a minority of law firms are buying this very inexpensive coverage.
3. Who Is Ready for the Inevitable
It is becoming more and more evident that all firms need to prepare for the day that they are the victim of a cyberattack, so we asked attendees how many firms have a cyber response plan to execute after such an event. Only 20 percent of the firms reported that they have a cyber response plan in place.
As prudent financial managers of our firms, we need to do a much better job. We need to be ready. Cyber and phishing risks are not going away; if anything, they are becoming more serious. So what can you do now in your firm?
Have a serious discussion at your next partners meeting about this. Your partners need to be more attuned to client demands for risk management and insurance in this area. If not, they risk seeming out of step with their clients’ business environments. The partners need to understand that their firm, despite you and your amazing IT and security staffs, is vulnerable to attack and will likely eventually be a victim too.
Work with your broker to assess and insure this risk properly. An alarming number of firms (as demonstrated above) have no cyber coverage, and even worse, some law firms have purchased woefully insufficient coverage, either as an endorsement to their professional liability policy or as a bare-bones stand-alone cyber policy. The only thing worse than having a loss without insurance is having a loss with an insufficient policy that lulled your partners into a false sense of security.
Prepare a cyber response plan. Much like a disaster recovery plan, your cyber response plan details what you will do when impacted by a cyber event. Common steps in a plan include calling your insurance broker (include full contact details in every step, as you may not have access to your data when the plan is executed), contacting your data breach coach (the lawyer or firm that will advise you through the process), and calling your forensic and IT consultants. Your plan should also detail the short- and long-term steps, such as assessing any public relations needs, legal liabilities and regulatory actions. You can find a sample detailed plan in the session materials from my Annual Conference session, LI22: What You Need to Know Now about Cyber Liability Insurance. Feel free to email me for a copy. I’ve also covered steps for selecting cyber liability insurance in this previous column.
The good news is that law firms have come a long way in general education, but as the data shows, we have a lot more work ahead to adequately prepare for today’s cyber risk. The bad guys are increasing their efforts against law firms. By understanding these numbers, you can help make sure that your firm isn’t the next victim.