
INDUSTRY GUIDE

See how a new approach to cyber risk can help legal organisations prioritise cybersecurity and data privacy to help avoid costly breaches.


Why cyber insurance is critical for legal organisations

Maintaining trust and security is a major concern for most professional service organisations, and especially so for those in the legal industry. Many legal firms prioritise data privacy and cybersecurity to avoid costly breaches and incidents that could damage their reputation or their way of doing business.

Legal organisations operate on competency, trust, and confidentiality. As part of the duty of competent representation, lawyers are ethically bound to become and remain technologically competent, which includes keeping up with changes in technology and data protection law that may affect their practice. Legal organisations are also bound to protect client privilege and confidentiality. A breach or security incident that is handled improperly can have implications well beyond direct expenses, crossing into cyber liability and, in some cases, professional liability territory. This underscores the importance of both strong security controls and cyber insurance.

How bad could one small security incident be?


£113,000¹

Average cost of a cyber claim for legal organisations


53%²

Percentage of cyber attacks originating from an email inbox


£138,400¹

Average ransomware loss for legal businesses

Unique exposures for legal companies

How essential technologies can create cyber risk

Client portals

These platforms enable lawyers to share documents, messages, and invoices with clients securely. Unauthorised access to a client portal could expose privileged material and serve as the starting point for further cyber events, such as impersonating the firm to its clients.

Customer relationship management (CRM) systems

CRM systems are used to support business development activities. Because they hold client data and confidential corporate information, a compromised CRM system can be leveraged for further malicious activity (for example, targeted phishing of the contacts it lists) and result in a data breach.

Document management systems

These software platforms are used to store and handle a large volume of shared files. A compromise could expose sensitive data and cause serious disruption, given the volume and potentially sensitive nature of the information held in these systems.

eDiscovery tools

These tools can save time and effort when reviewing large volumes of information, but the potentially sensitive nature of the data means unauthorised access could have data privacy and business interruption implications.

Email

Business email compromise (BEC) is a frequent cause of cyber insurance claims for legal organisations. A compromised mailbox can trigger data breaches, funds transfer fraud, business interruption, and even reputational damage.

Law practice management software

These systems are used to manage operations, such as scheduling, billing, and payments. A breach could cause serious disruption and expose payment information, corporate confidential data, and client data.

How sensitive data can increase business liability

Corporate confidential data

Corporate law firms may have access to internal operations data, intellectual property, or trade secrets. Mishandling or leaking corporate confidential data can cause significant damage to the data owner.

Financial data

Collecting and processing financial information requires adherence to industry standards (for example, PCI DSS where payment card data is handled). Mishandling or unauthorised disclosure of financial data can cause direct harm to clients and can trigger industry and regulatory investigations.

Personally identifiable information (PII)

PII is any data that can potentially identify a specific person. Attackers use PII to craft convincing, targeted phishing and social engineering attacks, and to pass identity checks that grant access to accounts and networks. Organisations that mishandle PII or fail to respond to a data breach appropriately can be subject to fines, penalties, and other financial damages.

Sensitive employee information

Law firms also hold personal data about their own staff, such as HR and payroll records. This employee information carries the same handling obligations as client PII, and the same fines, penalties, and financial damages can follow if it is mishandled or exposed in a breach.

For more insights, download our complete guide:

Business impacts for legal companies

What to expect after a cyber incident

Direct costs to respond

Responding to a cyber event typically involves numerous direct costs, also known as first-party expenses. If a legal organisation experiences a BEC and sensitive data is involved, it can trigger a need for additional legal counsel, forensic investigation, victim remediation, and notification. Simple investigations can cost tens of thousands of pounds, while more complex matters can drive costs substantially higher.

Liability to others

The evolving data privacy landscape can be difficult to navigate, and many law firms can face new and unexpected exposures after a cyber event. Even with strong contracts, policies, and best practices in place, a data breach or security failure can trigger liability to third parties and expose an organisation to regulatory investigations and legal action from victims.

Business interruption and reputation damage

A cyber event that impacts essential technology can have a significant impact on a legal organisation's ability to operate and can be highly visible to clients, customers, and other stakeholders. Every hour of disruption can lead to direct loss of revenue and inhibit a law firm’s ability to support clients, negatively impacting client retention and acquisition.

Cybercrime

Beyond ransomware and data breaches, cyber events can result in financial theft from a law firm or its clients, often without any intrusion into the firm's own systems. If an attacker dupes someone in the billing department into altering payment instructions, a legal organisation can lose tens or hundreds of thousands of pounds almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to clients, customers, and other third parties. A practical safeguard is to treat any change to a payee's bank details as untrusted until it has been confirmed out of band, for example by calling a number already on file rather than one supplied in the request.

Recovery and restoration

After a cyber event, resuming operation is no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, a legal organisation may need to bring in external support or purchase new equipment to re-secure its systems. Full remediation, restoration, and recovery can take a significant amount of time, where it is possible at all, and may require new software, new systems, and outside consultants to rebuild the network.


CYBER INSURANCE BUYER’S GUIDE

Choosing the right cyber coverage for your business

Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents. 

Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.

Cyber Insurance Buyer's Guide

Get an Active Insurance quote

Ask your cyber insurance broker about Coalition Active Cyber Insurance.

Already a policyholder?

Log in or activate your Coalition Control account, Coalition's policyholder risk management platform, to manage your business's risk profile.

1 Dollar figures adjusted to British Pounds

2 Coalition Inc 2023 Cyber Claims Report