Risk: Cyber policies – what do insurers require?
In recent years, cyberattacks have become increasingly sophisticated, with threat actors constantly finding new ways to exploit vulnerabilities and avoid detection.
Cyber insurance is a relatively recent form of insurance that, in general terms, covers losses relating to damage to computer systems and networks. Cover extends in some policies to incidents involving media as well as data breaches.
As cyberattacks continue to increase in complexity, professional service firms are now required to have specific controls in place in order to qualify for cyber insurance cover. Such controls are deemed to be the mandatory minimum standards by many cyber insurers. This means that law firms can find themselves struggling to obtain cyber insurance unless (and until) they’ve adopted these minimum standards.
From a risk management perspective, these minimum standards should be reviewed and considered by all law firms, regardless of whether they intend to apply for a cyber insurance policy or not. The requirements are typically based on the current threat environment, meaning that they might be regarded as some of the most effective controls to mitigate many of the known and commonly exploited weaknesses.
We have outlined a list of the common risk controls below. These are either the minimum standards for the cyber insurance market or highly recommended. The list is not exhaustive and specific minimum standards will obviously vary from insurer to insurer. Also, the list is likely to change as cyber risks develop over time and the nature of cyber claims changes.
While a lot of the terms discussed are technical in nature, this article is intended as a guide to current industry standards and firms should take advice from IT or cybersecurity specialists if they wish to implement anything recommended here.
Multi-factor authentication (“MFA”) and access management
This means that the law firm must ensure that both employee and third-party access to the network is secured using multi-factor authentication, ideally push-based (an approval prompt sent to an authenticator app on a separate, enrolled device) or a one-time code generated by such an app; biometric unlock of that device, such as facial recognition, can serve as the second factor. Where push-based MFA is used, number matching or a similar approval challenge should be enabled so that a user cannot simply approve a prompt they did not initiate.
Further, access by any third party ought to be closely monitored, with the ability to record the session and terminate the connection at any time. If Remote Desktop Protocol (RDP, a protocol developed by Microsoft that gives a user a graphical interface to another computer over a network connection) is used, connections should be made only over a virtual private network, in addition to the MFA requirements. RDP should never be exposed directly to the internet.
MFA should also be enforced for all administrator accounts, for access to any critical information, and for remote access to email.
Privileged access management
A dedicated privileged access management (“PAM”) tool should be in place to manage all use of administrator and other privileged accounts. Access to the PAM tool should itself require MFA and ideally be linked to a change control system. Local administrator accounts should be disabled or, where they must exist, given unique and automatically rotated passwords; domain administrator accounts should have no internet or email access. All administrator activity should be monitored and logged. Service accounts should be kept to a minimum and ideally managed by the PAM tool. In the absence of a dedicated PAM tool, standing administrator accounts should be kept to a minimum, each with separate, complex and frequently rotated credentials, and administrators should use a separate non-privileged account for day-to-day work.
Network segregation
Network segregation between systems holding critical and non-critical information should be in place, with further segregation between business units or geographical locations to limit lateral movement by an attacker who gains a foothold on one part of the network. Any operational technology (building management or physical security systems, for example) should be kept entirely separate from the IT network, with internet and external access blocked. Legacy or end-of-life software and hardware should likewise be segregated from the wider network with no internet or external access, with a plan in place to decommission those assets.
EDR and network monitoring
Insurers will often require endpoint detection and response (EDR) or managed detection and response (MDR) on 100% of endpoints, including laptops, desktops and servers, with a conventional endpoint protection platform also highly recommended. Alerts and telemetry from these tools should be fed into a security information and event management (SIEM) system that is monitored 24/7 by a security operations centre, whether internal or outsourced. Full coverage matters because an unmanaged device is precisely where an attacker can operate unobserved. Regular network penetration testing and vulnerability scanning are also required, with any issues remediated in a timely fashion.
Data backups
Regular backups should be immutable and encrypted, with the backup infrastructure itself included in vulnerability scanning, and restores should be tested regularly to confirm the backups' integrity. At least one copy should be physically and logically separated from the production network, so that an attacker who compromises the domain cannot also delete or encrypt the backups, and, where a cloud or online service is used, protected by MFA with access limited to specific administrator accounts.
Planned responses
Incident response, business continuity and disaster recovery plans for recovery from cyber events with specific responses to ransomware attacks and data breaches should be in place, updated, and rehearsed regularly.
Employee awareness and education
Firms are often required to ensure employee security awareness training plans (including regular phishing simulations) are in place and deployed regularly. Protocols should be in place regarding the safe use of portable devices, limited use of public wi-fi, and security controls around videoconferencing.
Patching
Finally, firms are often expected to implement all patches in a timely manner. Patches for vulnerabilities rated critical under the Common Vulnerability Scoring System (CVSS) should be applied as soon as possible, ideally within 72 hours of release, highs within seven days and mediums/lows as business permits. A vulnerability that is known to be exploited in the wild should be treated as critical regardless of its CVSS score, since the score measures potential impact rather than whether attackers are actually using it.
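As an added example that is not from the article, the following Python script checks a vulnerability-scan export against the timescales above, using the CVSS v3 qualitative bands (Critical 9.0 to 10.0, High 7.0 to 8.9, Medium 4.0 to 6.9, Low 0.1 to 3.9). The column names, the sample rows and the 30-day and 90-day windows for medium and low findings are assumptions made for illustration.

```python
"""
Added example, not code from the original article: checks a vulnerability-scan
export against the patching timescales described in the text. The CSV columns
and the sample rows are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Windows from the article: critical within 72 hours (taken here as three
# calendar days), high within seven days. Medium/low are "as business permits";
# 30 and 90 days are assumed values so the script has something to measure.
SLA_DAYS = {"Critical": 3, "High": 7, "Medium": 30, "Low": 90}

# Constructed sample export; finding identifiers are placeholders, not real CVEs.
# An empty 'patched' cell means the finding is still open.
SAMPLE_SCAN = """host,finding,cvss,patch_released,patched
fs01,F-1,9.8,2024-03-01,2024-03-03
dc01,F-2,9.1,2024-03-01,2024-03-06
lap17,F-3,7.5,2024-03-01,
lap22,F-4,5.3,2024-03-01,
"""


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass
class Finding:
    host: str
    finding: str
    score: float
    patch_released: date
    patched: date | None  # None: still unpatched

    @property
    def severity(self) -> str:
        return cvss_severity(self.score)

    def deadline(self) -> date | None:
        """Date by which the patch had to be applied; None if no window is defined."""
        days = SLA_DAYS.get(self.severity)
        return None if days is None else self.patch_released + timedelta(days=days)

    def status(self, today: date) -> str:
        """met / breached (patched late) / overdue (still open past deadline) / open / n/a."""
        due = self.deadline()
        if due is None:
            return "n/a"
        if self.patched is not None:
            return "met" if self.patched <= due else "breached"
        return "overdue" if today > due else "open"


def parse_findings(csv_text: str) -> list[Finding]:
    """Parse the (assumed) export format into Finding records."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append(Finding(
            host=row["host"],
            finding=row["finding"],
            score=float(row["cvss"]),
            patch_released=date.fromisoformat(row["patch_released"]),
            patched=date.fromisoformat(row["patched"]) if row["patched"] else None,
        ))
    return findings


def sla_report(csv_text: str, today_iso: str) -> dict[str, str]:
    """Return {'host finding': status} for every row, for use in a compliance check."""
    today = date.fromisoformat(today_iso)
    return {f"{f.host} {f.finding}": f.status(today) for f in parse_findings(csv_text)}


if __name__ == "__main__":
    for f in parse_findings(SAMPLE_SCAN):
        print(f"{f.host:6} {f.finding:4} {f.severity:8} due {f.deadline()}  "
              f"{f.status(date(2024, 3, 10))}")
```

Run against the sample export with 10 March 2024 as "today", the script reports the first critical finding as met, the second as breached (patched two days after the 72-hour window), the high finding as overdue and the medium finding as still open but within its window; pointing it at a real scanner export gives a firm a simple, repeatable way to evidence the patching commitment an insurer asks about.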
Support from the Society
We live in an increasingly interconnected world where reliance on technology has become routine. The digitisation of business has created huge opportunities for law firms but has also brought the need for a diligent focus on cybersecurity.
The Law Society of Scotland has provided resources to help firms, such as the “Guide to Cybersecurity” which outlines some of the key threats and provides basic tips for best practice. The Society has also partnered with Mitigo, a cybersecurity specialist that provides resources and guidance. Any law firm wanting to enhance their security controls should reach out to IT and cybersecurity specialists such as Mitigo.
Insurance
Subject to its terms and conditions, the Master Policy itself will typically respond to any situation involving loss of client account funds that were in the control of the law firm, regardless of whether that loss has been caused by a cyberattack or fraud.
However, there are situations where a cyber incident will lead to first party costs and, generally, these will not be covered under the Master Policy. Examples include where there is a data breach event or a ransomware attack. In these circumstances, a well-written cyber policy can help to protect a firm when an incident occurs. As highlighted above, however, insurers have been raising the bar for minimum controls for all professional service firms and this can make it difficult to obtain cyber insurance cover.
The benefits of cyber hygiene protocols
While additional underwriter scrutiny might add further complexity and necessitate greater internal resources to provide the requisite degree of comfort to insurers, this scrutiny also offers opportunities for law firms to strengthen their defences through implementing these controls.
In other words, as the frequency and severity of attacks continue and as professional service firms continue to expand their digital footprints, the greater focus by insurers on cyber hygiene protocols could be viewed as a welcome opportunity to increase cyber resilience.
The list of minimum standards is not comprehensive and there might be different and additional requirements in the years ahead as the threat landscape evolves. That said, the current list is certainly worthy of analysis now. Like all businesses, law firms will want to ensure that they have the necessary safeguards in place, as the dangers of cyberattacks increase.