(Photo: Diego M. Radzinschi/ALM)
DLA Piper is still recovering from last week’s massive cyberattack, with insurance brokers claiming that the resulting upheaval could lead to costs “in the millions” for the firm.
The global legal giant, which fell victim to the ransomware attack that spread across the globe starting on June 27, is still grappling with information technology problems some 10 days on from the attack.
“We are bringing back services in a graduated way, and only as and when we can be satisfied that the appropriate safeguards are in place,” DLA Piper said in a statement.
Sources within the firm have told The American Lawyer’s London-based affiliate Legal Week that many staffers have started using their work computers again, while others are continuing to work on personal laptops while their hardware is checked over. Email is back online, but landline phones are still down, with calls being diverted to cell phones.
DLA Piper has officially notified the U.K.’s Solicitors Regulation Authority of the cyberattack, as well as other international regulators, and the firm is working with law enforcement authorities like the FBI and U.K.’s National Crime Agency to support their investigations into the matter.
The firm said that it had also called in IT experts to restore its systems and safeguard client data. “We are working with leading external engineers and information security specialists, in addition to those within our organization,” a DLA Piper spokesperson told Legal Week, noting that the firm “has in place a range of different insurances relevant to this incident.”
Lawyers and brokers state that appropriate insurance would cover many of the costs associated with this kind of attack, including paying for external support, potential loss of income and the costs of getting lawyers back online.
“The total direct and indirect cost could be in the millions,” said Brett Warburton Smith, a partner at independent insurance broker Lockton Solicitors, which acts for 27 of the top 100 law firms in the U.K.
Philip Tansley, a legal director with the U.K.’s Reynolds Porter Chamberlain who advises companies and law firms on responding to cyber breaches, noted that he counsels clients to make sure they have the right coverage.
“Cover available in the market includes mitigation expenses, which might cover, for example, the additional costs of working, such as getting people set up working remotely, and outsourcing urgent work to third party firms,” Tansley said. “In terms of loss and deferral of revenue, that is a complex area. Firms should be careful that they have the right cover and if they are not sure, discuss it with their brokers and underwriters and ask them ‘if this happened, would you cover it and how would you calculate our claim?’”
Janine Parker, head of U.K. professions at Paragon International Insurance Brokers Ltd., said that her company offers policies with a “full breach response,” including loss of revenue.
“If any of our law firms suffered a cyberattack they would have access to specialist law firms, to a [public relations] firm, to claims for loss of income and loss of profit,” Parker said. “If they lose a client due to an event during litigation, we would pay a percentage of a success fee they would be due under a conditional fee agreement.”
The size of policies on the market stretch up to $500 million, added Sarah Stephens, head of cyber at insurance broker Jardine Lloyd Thompson Group plc.
“You could potentially buy anywhere from [$300 million to $500 million], but generally if you are only buying it to augment the third party liability cover in your professional indemnity policy, you are looking at the likely loss from business interruption so we would typically see policies of no more than $100 million,” Stephens said.
The process of working out how much a breach will cost typically begins shortly after it has been discovered.
“The insured, with the help of their broker, would look at the policy and work out what the business interruption claim was, which the insurer would then adjust,” said RPC’s Tansley. “The alternative approach is that the insurers, knowing a large claim was on the way, would appoint an adjustor or a forensic accountant to work with the insured to establish what its loss is.”
Brokers and underwriters say that cyber insurance is becoming increasingly common throughout the legal market.
“We have over 300 firms of solicitors that have purchased a cyber policy from us, covering off the whole spectrum from two-partner law firms to some of the largest law firms in the world,” said David Warr, a cyber underwriter with QBE European Operations plc.
Lockton’s Warburton Smith said that 50 percent of his firm’s top 100 clients now purchase specialist cyber insurance projects, with many other clients now looking into doing the same.
“We are getting calls virtually every day on the back of this [the DLA hack] because people are really concerned about it,” he said.
However, while larger firms have tended to be more proactive in insuring themselves against cyber risks, many smaller and midsize firms still rely on their professional indemnity (PI) policies to protect them.
“The mandated wider cover of the minimum terms for solicitors’ PI may have lulled the legal industry into a false sense of security that they have insurance cover for cyber risk and data breaches,” said Hans Allnutt, the London-based head of the cyber response team at British firm DAC Beachcroft. “However, the minimum terms are designed to protect clients—not a firm’s own exposures to cyber risk.”
In the event of loss of client money or data, law firms would typically be covered by their PI insurance, but this would not stretch to loss of revenue or the costs of remediating the problem. And Allnut warns that cyberattacks are becoming increasingly common.
“We have seen a spike in breach instructions,” he said. “We are currently running at about one a week; a year ago it was one a month and we expect that to change to one every other day after the General Data Protection Regulation takes effect next year.”
And while leading law firms will now be doing everything in their power to protect themselves against falling victim to a similar incident, the reality is that even the best defended systems are still vulnerable.
“If the Pentagon can be hacked, there is not much hope for the rest of us,” said Frank Maher, a partner at Legal Risk LLP in Liverpool, England.
Copyright The American Lawyer. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.