It’s late in the afternoon and an all-night rush to meet a deadline looms ahead. Then a message pops up on your screen, letting you know you’re the victim of a ransomware attack: “Oops,” it says, “your files have been encrypted!”
The ransom is nothing — the equivalent of one billable hour or less, probably. But the hours or days you’re locked out of important files can quickly add up, costing you thousands of dollars in lost revenue.
This, of course, isn’t just a hypothetical. Last Friday, tens of thousands of people, if not more, found themselves in exactly this situation as the WannaCry cryptoworm spread rapidly across the globe. If you were spared, and most of us in the United States were, it was largely a result of dumb luck — a researcher in Britain managed to put a halt to the malware just before it spread across the Atlantic.
This time, the barbarians were stopped at the gate. But we won’t be so lucky again. New versions of the ransomware program are already emerging, minus WannaCry’s Achilles’ heel.
When the Attack Comes, Will Your Insurance Be There?
Lawyers who fall victim to a future ransomware attack may turn to their cyber liability insurance policy. Such policies have become increasingly popular among legal professionals in recent years — so popular, indeed, that the American Bar Association recently started offering its own attorney cyber insurance.
Most cyber liability insurance plans would cover a ransomware attack on their face, according to Brian C. Focht, a civil litigation attorney with Stiles Byrum & Horne LLP in Charlotte, North Carolina, and author of the Cyber Advocate blog. But “whether coverage is denied for other reasons or whether coverage is limited — that’s another matter entirely,” he adds.
Most ransomware attacks are fairly low cost, with the IT services usually required to resolve them falling below the deductible. The WannaCry hackers, for example, demanded a mere $300 payment. Some ransomware victims, if they’re able to decrypt their files or neutralize the attack early, don’t even bother to file a claim with their insurer.
But when damages, particularly lost business revenue, begin to grow, the issues become more complicated, as a recent lawsuit between a Rhode Island law firm and its insurance carrier demonstrates. Moses Afonso Ryan, a 10-attorney firm in Providence, recently filed suit against its insurance carrier, Sentinel Insurance Co., over losses sustained during a ransomware attack — not just the initial $25,000 ransom the firm paid, but hundreds of thousands of dollars in lost billable hours. The firm’s computers became infected with ransomware last year after one of its attorneys fell victim to a phishing attack, opening an email attachment that allowed malware to spread throughout the firm’s network.
For three months, MAR was locked out of its files, as the firm’s outside computer experts struggled to restore MAR’s systems and the firm scrambled to obtain enough Bitcoin to pay off the hackers. During those months, MAR’s attorneys were rendered “unproductive and unable to work at a reasonable efficiency,” according to the firm’s complaint. Year-over-year billings dropped by over $700,000.
Yet when MAR filed a claim with Sentinel, coverage was denied. MAR’s policy, its suit states, included provisions for both losses to business income and losses stemming from computer fraud. The business losses provision covered actual losses sustained due to a suspension of operations caused by direct physical loss or damage to property. The computer fraud provision limited liability to an aggregate of $20,000, however, less even than MAR paid in ransom.
According to MAR, the policy entitles it to full compensation for its business losses stemming from the ransomware attack. Sentinel disagrees.
The insurer has refused to pay more than the $20,000 allowable under the computer fraud provision, which, it argues, is the relevant provision covering damages caused by a computer virus. “The policy form speaks for itself,” Sentinel contends.
Know What You’re Signing Up For
“There’s a very critical thing that everyone, not just lawyers, who buys a cyber liability insurance policy needs to know,” Focht says. “It’s that there is no standard uniform policy like in almost every other kind of major insurance.”
“In my personal and professional opinion, no law firm should buy a cyber liability insurance policy without having an attorney present who is experienced both in insurance coverage and cybersecurity.”
“That’s because of exactly what you see happening in the Rhode Island case,” he explains. “One of the most critical aspects of cybersecurity is understanding and being aware of the vulnerabilities and that’s where law firms are at a huge disadvantage.”
Increasing Litigation, But Also ‘Phenomenal Opportunities’
Cyber insurance litigation, such as that between MAR and Sentinel, is bound to grow in the future, Focht estimates, as cyberattacks increase and insurers and the insured fight over coverage.
“Most of the litigation is going to arise out of fundamental misunderstandings by the insured into what is covered. Which is exactly why any lawyer, law firm, small business, or big business looking to get a policy needs to have an attorney to actually tell them what the policy means.”
Focht also sees an opportunity for insurers to influence the behavior of the insured, lawyers or otherwise, by incentivizing good cybersecurity practices. Insurers could, for example, reduce rates for clients who adopt strong cybersecurity policies and plans and follow those up with mandatory employee training. “There is a phenomenal opportunity for insurance carriers now to induce incredible improvements in cybersecurity from their insured simply because it’s incentivized,” he explains.
When insured attorneys do fall victim to a cyber attack — and these days, it is a question of when, rather than if — their first call should be to their cybersecurity or IT manager, if they have one, Focht says.
The second call should be to their insurer.
“They have experts lined up to handle all this stuff,” from cybersecurity specialists, to PR teams, to connections in law enforcement. “That’s why you get this insurance.”
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at casey.sullivan@logikcull.com or on Twitter at @caseycsull.