Home
Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.

Ransomware attacks can happen to anyone whether it be big or small business. This is evident as a global legal giant was hit last week and they are still recovering from it, as well as still have IT problems 10 days after the attack happened. Insurance brokers are already claiming that this attack could cost the firm millions of pounds. Cyber-attacks are crippling companies. The company which was attacked are trying to resume business as normal but until they have safeguards in place it’s going to be a very slow process. Despite the firm working with law enforcement like the FBI and UK’s National Crime agency to support their investigation, to see how this attack happened it will no doubt take them a long time to resume business as normal as well as trust from clients.
It has been said that the firm had called in IT experts to restore their systems and safeguard client data.  They worked with leading external engineers and information security specialists, these are in addition to who they already have in house. Thankfully the firm does have in place a range of different insurances relevant to this incident, the insurance would cover many of the costs associated with this kind of attack, including paying for external support, potential loss of income and costs of getting lawyers back online. “The total direct and indirect cost could be in the millions,” said Brett Warburton Smith, a partner at independent insurance broker Lockton Solicitors, which acts for 27 of the top 100 law firms in the U.K.
It is evident that companies not only need to ensure that have protection for their data but they also must need insurance to cover them if such an attack happens.
Philip Tansley, a legal director with the U.K.’s Reynolds Porter Chamberlain who advises companies and law firms on responding to cyber breaches, noted that he counsels clients to make sure they have the right coverage.
Firms need to be very careful that they have the right cover as there is a lot around. Business must speak with their brokers and underwriters to see if such an attack happened would they firstly cover it and secondly how would the claim be calculated. Many insurance brokers are offering Cyber Attack covers for business,
Janine Parker, head of U.K. professions at Paragon International Insurance Brokers Ltd., said that her company offers policies with a “full breach response,” including loss of revenue. “If any of our law firms suffered a cyberattack they would have access to specialist law firms, to a [public relations] firm, to claims for loss of income and loss of profit,” Parker said. “If they lose a client due to an event during litigation, we would pay a percentage of a success fee they would be due under a conditional fee agreement.”
The size of policies on the market stretch up to $500 million, added Sarah Stephens, head of cyber at insurance broker Jardine Lloyd Thompson Group plc.
“You could potentially buy anywhere from [$300 million to $500 million], but generally if you are only buying it to augment the third-party liability cover in your professional indemnity policy, you are looking at the likely loss from business interruption so we would typically see policies of no more than $100 million,” Stephens said.
The process of working out how much a breach will cost typically begins shortly after it has been discovered.
Cyber insurance is becoming increasingly common throughout the legal market. David Warr, a Cyber underwriter with QBE European Operations PLC, has said they have over 300 firms of solicitors that have purchased Cyber policies from them, covering from small two partner law firms to to one of the largest in the world.
It is becoming more and more common that cyber security insurance is going to become the norm, Lockton’s Warburton Smith said that 50 percent of his firm’s top 100 clients now purchase specialist cyber insurance projects, with many other clients now considering doing the same. At present, it has been found that the larger firms are being more proactive in insuring themselves against cyber risks, however many smaller and midsize firms are still relying on their professional indemnity policies to protect them.
However, Hans Allnutt, the London-based head of the cyber response team at British firm DAC Beachcroft. Has said that professional indemnity polices may have lulled legal industries into a false sense of security, that they have insurance cover for cyber risk and data breeches. The minimum terms are designed to protect clients and not firm’s own exposure to cyber risk. In the event of loss of client money or data, law firms would typically be covered by their PI insurance, but this doesn’t stretch to loss of revenue or the costs of remediating the problem.
Allnut warns that cyberattacks are becoming increasingly common. They have seen number of attacks dramatically increase. They are currently running at about one a week; a year ago it was one a month and they expect that to change to one every other day after the General Data Protection Regulation takes effect next year.
Although leading law firms will be doing everything in their power to protect themselves against an incident, the reality is that even the best defended systems are still vulnerable.