Given the significant financial exposure, law firms will look to their insurance coverage to help mitigate risk. The good news is that a number of different types of insurance policies may be responsive. Depending on the nature of the risk, policies including those covering crime, cyber, directors and officers, errors and omissions or other professional liability risk, and property damage may be brought to bear.
The threats to law firms include the direct theft of funds, data breaches of sensitive client information (including those by so-called hacktivists), malware attacks, phishing attacks, and ransomware attacks. Law firms are also at risk from the inside, as disgruntled employees or the inadvertent loss of a computer or BlackBerry can put sensitive client data at risk. These risks threaten law firms’ bottom lines and also expose firms to reputational risks. By way of example, the firm of Mossack Fonseca, which opened in 1977 and was one of the largest firms in the corporate services industry, was forced to shut its doors after a recent devastating data breach that exposed its high-profile clients’ secrets to the world.
Attacks on law firms and lawyers are becoming increasingly common as law firms are viewed as “soft targets.” In one example, a cybersecurity firm was asked to attack a prestigious law firm’s computer systems. According to the CEO of the cybersecurity firm, “in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mailboxes.”1 When asked to probe the computer systems of one of the world’s leading technology companies, it took the cybersecurity firm three weeks to access the company’s systems and obtain data on mergers and acquisitions. According to the CEO, “we could have gotten that very same data in just a couple of hours if we had targeted the lawyers.”2
Unfortunately, such attacks are not always avoided. In February 2014, Thirty Nine Essex Street, a prestigious barristers’ chambers in London, was attacked by hackers who compromised the firm’s website in an effort to access information about the firm’s clients in the energy sector. In July 2015, the website of the Permanent Court of Arbitration was attacked during the pendency of the China-Philippines boundary dispute arbitration. It was reported that the website was implanted with malicious code that posed a risk to individuals (likely lawyers) who visited a specific page on the website devoted to the boundary dispute.
For lawyers, hardly a day seems to go by without receiving a suspicious email. The emails take many forms but generally seem to entail phony requests from firm management for money, sham new client inquiries, or invitations to download suspicious documents from questionable links. These emails are intended to aid unseen, outside forces in obtaining funds, information, or access. Luckily, at least in the authors’ experience, these efforts are generally thwarted.