Industry case study from Paragon LawSelect: From cover to cyber cover
This article was also featured as an industry case study in the LPM cybersecurity supplement in November 2016.
In the eyes of cybercriminals, law firms are attractive hubs of both sensitive client data and money – which is why many firms are threatened by cyberattack on a daily basis. According to Ewan Lockhart, London office managing partner at Davies and Partners, his firm is no exception.
“We’re forced to be ever-vigilant against opportunistic thieves looking to steal sensitive information and a bombardment of fraudulent emails. Though we haven’t had an information breach ourselves, we hear of legal businesses that have been wiped out by stolen funds, exposed business secrets or ruined reputations.” He adds that Davies and Partners has spent the past 25 years building a prominent national reputation, but it would only take minutes for that to be dashed on the internet’s rocks.
Lockhart says law firms can take precautions against cyberattack, such as effectively training staff in information security, but many cybercriminals are organised, extremely well-funded and ultimately one step ahead of less tech-savvy legal professionals.
“Cyberattack is an ever-evolving threat, and as an industry we can’t predict how we’ll be targeted next. Today, it’s more a matter of when rather than if a legal business will be breached.”
To protect itself in the event of a catastrophic digital breach, Davies and Partners has taken out CyberCrime and DataProtect (CC&DP), a cyber insurance product from Paragon Insurance Brokers – giving itself full first-party information security coverage and, perhaps more importantly, peace of mind.
Lockhart says that traditional insurance policies only cover the costs of a cyber breach to a small extent. Davies and Partners’ professional indemnity insurance, for example, covers client funds and payments into fraudulent accounts. But the level of coverage offered by traditional insurance simply isn’t comprehensive enough to deal with the frightening costs of cyber fraud.
“If the firm makes a payment to a fraudulent account on behalf of the business, rather than the client, it’s not covered by PII. Those could be large transfers of as much as £300,000.”
But funds lost from a fraudulent bank transfer can pale in comparison to the fines issued for a data protection breach.
“A data protection breach brings liability upon us. When the EU General Data Protection Regulation comes into effect in May 2018, that will rise to 4% of the firm’s global turnover – in our case that could be as much as £360,000.”
Lockhart says that comprehensive cyber insurance covers these losses, as well as the less obvious costs of a cyberattack. Davies and Partners’ coverage includes the costs of engaging public relations assistance in the event of a security breach, hiring specialists and investigators to assess and repair IT system damage, and the loss of business income if systems or data assets are lost, corrupted or inaccessible as a result of a security breach.
But one of the most important types of coverage that cyber insurance offers and traditional insurance doesn’t, according to Lockhart, is breach notification costs.
“If a cyberattack occurs, we want to be able to contact our clients as soon as possible to make sure that they’re protected and are made aware of the situation.”
Coverage also extends to a variety of cyberattack scenarios, including cyber extortion, disgruntled employees leaking information or sabotaging systems and corporate espionage, which traditional insurance policies don’t necessarily cover.
Calm in the storm
But Lockhart says there are two significant non-financial benefits of having a comprehensive cyber insurance package.
The first is maintaining and improving client perception of the firm. “Davies and Partners has built a superb reputation for providing clients with professional, efficient and high-quality legal services – we want to preserve that reputation by assuring clients that we’re prepared for cyberattack, and that they’re covered if the worst should happen.”
The second benefit is the peace of mind it provides the firm’s staff, because if the worst should happen, Davies and Partners’ CC&DP insurance gives them access to a crisis management team – who have specialist expertise to help manage all aspects of the cyber event and successfully notify regulators and the Information Commissioner’s Office.
“We have trained our staff well and have a crisis management plan established in the event of a breach, but if we’re struck by a new and unpredictable form of cyberattack, the cyber crisis team are on hand to guide us through it.”
Cyber insurance also enables staff to work to their full potential, unburdened by the fear that they might inadvertently cause a cyber catastrophe.
“Like strategic bombing in warfare, cyberattack has the potential to freeze your workforce who become petrified of unwittingly enabling a cyber breach. The first step in preventing freeze is to train your staff in information security – so they know what to do and what to avoid. The second step is taking out a cyber insurance policy – so they know that while a cyber breach may be terrible and they need to be ever-vigilant, if it occurs they’re covered.”
Paragons of safety
Lockhart says that Davies and Partners purchased cyber insurance from Paragon Insurance Brokers because of its long-standing relationship with the firm.
“We took out PII with them and they’ve provided us with directors and officers insurance. I feel they’re extremely professional, well-informed, and we are readily willing to accept their advice.”
But more than that, Davies and Partners chose CyberCrime and DataProtect because of its extensive coverage, adaptability and Paragon’s expertise in information security.
“I met with Paragon, went through their product and felt that it was the best fit for our legal business. It’s a product that they’ve been developing for quite some time – and they keep it meticulously up to date as the cyber landscape evolves.”
The information security landscape is constantly changing as cybercriminals develop ever more sophisticated ways of penetrating a legal business’s defences. According to Lockhart, cyber breach is inevitable, but cyber insurance covers expenses incurred – which traditional insurance policies simply don’t. Lockhart says Paragon is incredibly professional and well-informed, and that CC&DP is comprehensive, adaptable and evolving cyber cover that responds to the ever-changing cybercrime landscape.