Hackers Working for Lucrative Cyber Attack Industry See Law Firms as Rich Targets
1.19.2024
With their vast trove of intellectual property and business intelligence, law firms are rich targets for hackers working for the lucrative cyber-attack industry.
“Law firms are not seen as the most tech-savvy industry and there may not even be a technology staff at smaller firms,” Mike Mooney, partner and senior vice president at USI Affinity in Newtown Square, Penn., told lawyers gathered at a panel discussion on cyber risks held at the New York State Bar Association’s Annual Meeting in New York City. “Mix that all together and lawyers and law firms make prime targets.”
Mooney and Michelle Merola, an attorney with Hodgson Russ in Albany, warned lawyers about the evolving and increasingly sophisticated threats posed by the cyber-attack industry. “It is not a Nigerian prince sending out an email anymore,” said Mooney, noting it is a billion-dollar industry that frequently involves organized crime. Added Merola: “This is not a young person sitting in a basement. People are working on their techniques. This is business.”
The panel, “Real World Cyber Risks for Attorneys,” was sponsored by the association’s Torts, Insurance and Compensation Law Section and Trial Lawyers Section. Brian Rayhill, the section’s chair and head of his own law firm opened the panel discussion.
Attorneys whose clients entrust them with large amounts of sensitive and personal information face unique liability risks. “Confidentiality is a big problem for lawyers, even if they have backed up their data,” said Merola, noting that the stolen data can expose lawyers to malpractice claims. Malpractice insurance was not written to cover the losses and possible liabilities stemming from a cyber-attack that leaks sensitive data. In fact, malpractice policies can now state that liability claims stemming from cyber-attacks are limited to $25,000. “That is affirming that they (insurance carrier) will only give you the $25,000,” said Mooney.
“You would blow through $25,000 in a week,” Mercola added. They advised lawyers to ask their insurance carriers if their coverage includes exposure to cyber risks.
Attorneys can use the cyber insurance application process as a valuable risk assessment tool to help correct security deficiencies. “You can discover your vulnerabilities,” said Mooney, adding the coverage does not have to be purchased. Insurance carriers will carry out a non-invasive scan of the firm’s technology system to assess its exposures, determining, for example, if the firm’s sensitive data can be found on the dark web.
“It is better to jump through more hoops now than paying claims down the road,” Mooney noted. If a law firm does secure coverage and sustains a cyber attack, the insurance carrier will resolve the problem that created the technology breach. “You can be scared to death and not practice law anymore. Or you can protect yourself,” said Mooney, adding that managers must consider the time, and billable hours, a security breach costs a firm and its clients. “It is not going to be a fun day at the office if you have a security breach.”
Insurance carriers normally offer $1 million in a stand-alone policy, which would be sufficient for a small legal firm. Limits can reach up to $50 million, or even $100 million, Mooney said. A $1 million limit would probably carry a $1,800 annual premium, but prices vary depending on a firm’s size, risk and exposure.
Mooney said he finds law firms typically fall into one of three categories. “Those which have a risk and choose to correct it, those which discover a risk and choose not to correct it, and the people that scare me the most . . . those who don’t know what they don’t know,” he said.
