Now that global law firm DLA Piper is for the most part back up and running after days without phones and email following a massive cyberattack, the financial and business threat to law firms is clear—as is the need for good cyber insurance.
The malicious software that caused the widespread outage at DLA Piper, and a host of other well-known companies, including one computer at Baker McKenzie’s Kiev office, locked users out of their computers and asked for a $300 ransom payment. Although DLA Piper said it had no evidence that confidential information had been breached, the firm’s web blackout has constrained lawyers and required them to request deadline extensions in court cases. According to some reports, lawyers in some offices are still struggling with the effects of the cyberattack, experiencing limited access to emails and documents.
“Can you imagine being a business and not being able to access your email, your data worldwide for three days? I think that’s pretty devastating,” said Walter Andrews, head of Hunton & Williams’ insurance litigation and recovery practice. “The problem is, if you don’t get ready beforehand, it’s going to be too late.”
Law firms, like other businesses, need to prepare for cyberattacks not only with technology but financially—with a useful insurance policy, Andrews said. Unfortunately, many of those who have cyber insurance discover too late that their policies are not useful, he said.
Andrews has 30 years of experience in insurance-related issues and his practice focuses on complex insurance litigation, counseling, reinsurance arbitrations and expert witness testimony. Over the last few years, he has spent thousands of hours poring over hundreds of cyber insurance policies and helping clients find gaps in their coverage.
His comments have been edited for length and clarity.
What does the ransomware attack on DLA Piper mean to law firms and how should they prepare?
It shows no one is immune. Three things you have to do to prepare are: Hire sophisticated cyber breach counsel who can make sure you have done everything you can to ensure that a breach doesn’t happen; have a plan ready, so that if there is a breach you’re ready to act quickly and you are not wondering what to do; and have a strong, robust cyber insurance policy in place.
Why do cyber insurance policies have to be treated differently from other types of insurance?
This is a very new product; this isn’t like your home or auto policy, or malpractice insurance. These policies are still being developed—that’s why there are still gaps. Buyers don’t understand what is and is not covered. They need to retain sophisticated counsel to make sure that they understand what is and is not covered. You’ve got to make sure you have the right coverage before there is a breach—not afterward. Right now we see huge gaps in the coverage that is provided—it needs to be changed. Those who are insured may need to get an endorsement to their policy or get different coverage so that there is coverage for the risks that we’re now seeing. You’ve got to make sure that there is full coverage for all the known and unknown risks.
What do firms need to look for in a cyber insurance policy?
There are hundreds of insurance policies that purport to provide cyber insurance coverage that don’t really do so. Many cyber insurance policies really aren’t adequate because they only provide coverage for threats to your data or your system. But the cyber crooks we are seeing now aren’t making threats—they are actually coming into your system and encrypting it so you can’t access it unless you pay a ransom. That’s not covered under most policies.
Most of the policies that provide coverage for ransomware require prior approval before a ransom is paid, rather than a reasonable basis test. At an Austrian hotel, cyber crooks accessed the electronic key system and locked everyone in their rooms with ransomware. If you’re the owner of a hotel with guests locked in their rooms at 2 a.m., but the plan requires approval, what are you going to do at 2 a.m. when the insurance company isn’t available? Ask for a policy that accepts a reasonable basis test, rather than pre-approval. And see that it does not require that the problem be a threat in the future—that it also applies when you need to undo something that has occurred.
Make sure the policy includes all employee devices. The reality is that many employees work from home or on the road and face phishing risks. People are more vulnerable on their phones because they may not see a full email address. If the policy is restricted to the firm’s computers, you may not have any coverage.
There is often a problem when you suspect there is a breach, but you don’t know, and you may have to hire a forensic investigator and a law firm to advise you whether there has been a breach. A good policy should cover that, and not only an actual breach. A lot of policies also only cover actual breaches caused by “failures of the system.” It is unclear what this means. Maybe the insured has taken the best care, but there’s still a breach. The use of the phrase “failure of the system” is overly restrictive for clients and requires an affirmative failure in order for there to be coverage. The policy should cover any breach of the system.
The policy needs to be discovery-based, not occurrence-based. You don’t want a cyber insurance policy that is occurrence-based because you don’t know when the breach occurred in many cases, and the breach may occur years before it is discovered and before the policy period. You need to make sure you have the right timing trigger for that coverage.