With the latest unprecedented cyber-attacks having hit more than 150 countries, including crippling the NHS here in the UK, the rising threat of attack, and being properly protected against it, should be paramount for organisations.
The most recent high-profile cyber-attacks caused havoc globally, and NHS trusts experienced major disruption for several days, leading to cancelled operations and clinic appointments and diverted ambulances.
The unprecedented ransomware breach, which froze computers across the health service, also hit large organisations such as Telefónica, Deutsche Bahn and FedEx as it rapidly spread around the globe.
Governments globally should treat the cyber-attack as a “wake-up call” said Microsoft.
The cyber-attack shines a spotlight on the threat facing organisations and highlights the need to have adequate cyber security protection in place, says Chris Fitzgerald, development manager at QPI Legal, specialist Professional Indemnity Insurance Broker to the legal profession.
The company is calling for organisations, including the firms of solicitors it works with, to ensure they have adequate cyber security protection in place should they suffer a security breach and advises how best to mitigate the rising risk of a cyber-attack.
Fitzgerald explained that standard insurance cover often will not protect businesses against cyber crime and that, as the latest global breaches exposed, attacks are more common than many may expect. He highlighted how:
- Cyber risks can include negligent employees, hackers, malware, stolen or lost computers and mis-sent emails.
- Government statistics show cyber-attacks have increased by 60% since 2011 costing smaller businesses on average between £35K and £65K.
- Solicitors and accountants are particularly vulnerable because of the sensitive and often valuable information they hold.
Organisations are at rising risk from ransomware, the malware deployed in the recent global cyber-attacks, which security experts have warned is the fastest growing form of computer virus: it threatens to delete your files unless you pay a ransom.
Like most computer viruses, it finds its way into a device by taking advantage of a security hole within less secure software or by tricking somebody into installing it.
The most recent figures from a Government-commissioned survey reveal that one in five British businesses has been hacked by cyber criminals in the past year.
The survey found only 24 per cent of the 1,200 firms surveyed had security measures in place to guard against hacking. In response the British Chambers of Commerce urged firms to be proactive about protecting themselves from such cyber attacks, advice Fitzgerald echoed as he provided insight into the growing threat and how organisations can better protect themselves.
He said: “Cyber exposures are an increasing risk to all businesses. However, there is a degree of naivety evident, as quite a common response we receive from organisations when we start talking to them about cyber insurance is ‘well we have an IT department which provides firewalls, password protection and device software encryption of data’.
“That effectively ignores the fact ransomware is on the rise. Recent statistics revealed there are something like 5,000 different versions of ransomware floating around in the global economy at the moment and ransomware is a constantly evolving and more sophisticated threat to businesses.
“Having an IT department doesn’t reflect statistics we’ve seen that 35% of data breaches are caused by human error. The classic example is where an organisation will tell their staff ‘whatever you do, if you receive an email which has an attachment that you are suspicious about, don’t open it, notify IT and we will deal with it accordingly, delete the email’.
“We’ve actually seen one of our own solicitor clients where 30 staff did that but unfortunately two staff opened the attachment to the email, which then led to ransomware being introduced to the firm’s system and caused them a lot of problems.
“The other major issue which can get around IT security is social engineering. We’ve actually seen one of our clients, who had the head of their internal finance department, an ex-senior banker, who was actually duped over the phone to effectively release the particular firm’s login details to their online banking facilities. They lost something in the region of £600,000 as a result.
“Risks are also posed by telephone phishing and we’ve had a client whose telephone system was hacked. The hackers then linked the telephone lines to a premium rate line overseas somewhere and when the client got their telephone bill they were somewhat surprised to find that they were being asked to pay £22,000 more than they normally paid for their quarterly bill!”
Fitzgerald highlighted how having adequate cyber protection cover in place would protect businesses from these modern day security threats.
The specialist insurance broker warned that organisations can unwittingly be at risk from cyber-attack when employing the services of third-party service providers to host their email, host their website or host their data on their behalf.
Fitzgerald urged organisations to comprehensively check what actual security measures those third-party organisations have in place, what the terms and conditions with the organisations hosting data/information for them actually state, and also what, if any, insurance cover is in place.
He stressed these are pertinent, automatic questions that businesses should be asking.
He added: “These questions are important because most organisations will have some sort of email hosting, website hosting and some data cloud provision of some description.
“In my experience the terms and conditions of those service providers will limit their exposure to direct losses.
“So there is no protection should a business have significant downtime due to a cyber-attack and there will be a limitation of liability, which is typically a multiple of the fee paid to that organisation over the last 12 months, which could be small when compared to the potential losses a business could suffer or it could actually be limited to a degree of service credits or service provision in the future.
“It demonstrates a degree of ‘naivety’ because we deal with quite a lot of solicitors who specialise in cyber claims and when I mention outsourced third party service providers, that was one of the things they hadn’t even considered themselves.
“Prior to joining QPI I did an in-depth study of several individual insurers’ offerings to determine, in my opinion, who provided the most comprehensive cover, and that particular insurer was CFC Underwriting and that’s who we’ve arranged our own facilities with in relation to cyber insurance for solicitors.
“One of the problems with cyber insurance is that there isn’t any commonality in terms of the scope/extent of the cover. For example certain insurance companies have what’s called a retroactive date of inception. That means you’re only covered for issues that manifest themselves on the day or after the day you take out the insurance cover.
“So if you’ve got an embedded problem, which then manifests itself after you have taken out the insurance cover, it is highly unlikely you’ve got any protection in place because the problem existed, but was unknown to you, at the time you took the insurance cover out.
“Certain policies have an aggregate policy limit in respect of all claims which could be made under the policy within any given 12 month period of insurance. With certain policies you have to ask for arrangement of optional extensions and you have to specifically ask for cover to be applied for the activities of outsourced third party providers.”
Rise of Friday Afternoon Fraud
The methods being deployed by criminal hackers are becoming ever more sophisticated, and they are increasing the ways in which they cause security breaches, meaning businesses must remain ever vigilant.
“Cyber criminals are hacking into telephone systems, hacking into email accounts and that’s a typical problem for solicitors who undertake conveyancing, residential conveyancing activities. It is what’s typically referred to as ‘Friday afternoon fraud’, where a solicitors’ email account is hacked and the fraudsters tell them to send monies: they pretend to be the solicitor acting at the other end of the transaction for the purchaser or seller, purport to be that firm of solicitors and tell them that they have changed their bank details, so can they please send all funds to the new bank details.
“It’s an increasingly common fraud. Most conveyancing tends to complete towards the end of the month and if you’ve got 30 – 40 conveyancies all completing on a Friday afternoon and all the funds to transfer, you can just imagine the stress, the hive of activity within a solicitors’ firm to get all these transactions completed.
“The fraudsters are fully aware of that and that’s why they ‘exert’ pressure to get these things completed quickly, and unfortunately some firms won’t undertake certain checks, using a separate telephone number or mobile number to their standard office line, to ring the bank to check on the bona fides of the accounts where they have just been asked to send monies to.”
Simple Steps To Stay Secure
“We would say two things to firms to help proactively protect themselves. You need to train your staff to not accept those email instructions and undertake separate investigations, such as ringing the bank concerned to check the bona fides of the account, but use a mobile telephone number and not the general office number, just in case the telephone system has been hacked itself.
“The second thing we always suggest to firms undertaking conveyancing is to change your terms and conditions within your retention letters. Ensure it states categorically you will not accept email or telephone instructions on the change of bank accounts either in relation to the individuals buying or selling a house or indeed the conveyancing solicitor at the other end of the chain.
“State you’ll only accept written confirmation of a change of bank or the person coming in with details of their new bank arrangements and evidence of their identity.
“I think social engineering techniques will become increasingly sophisticated to try and dupe people into releasing information. Before making the telephone calls they do quite a lot of research to find out as much about the organisation/individual concerned and they start releasing that information into conversations to demonstrate authenticity to get people’s guards down.”
Cyber Security Within The Legal Profession
“What QPI is trying to promote is a one-stop-shop solution for clients. We work with a specific cyber security company that specialises in dealing with solicitors, so they can provide in-house training, they can provide boardroom training, they can provide accreditation to Lexcel and ISO standards.
“It’s providing cyber essentials plus standards to demonstrate those organisations are far better aware of the risks and have appropriate systems in place to mitigate their exposure to those risks.
“We work collaboratively with an organisation that can provide all those services and we also work with a firm of solicitors who have significant experience of dealing with professional indemnity claims against solicitors as well as cyber claims against solicitors. We work with them as they have significant experience of knowing what issues can be collated by the Solicitors Regulation Authority (SRA) if a firm of solicitors’ client account has been hacked and money stolen, and the pressure the SRA can put on a particular firm of solicitors to replenish the money stolen from the client’s account as a matter of urgency.
“It’s a USP for QPI because we also recommend that this solicitors’ firm go in and do a review of an organisation’s terms and conditions with outsourced third party suppliers in relation to hosting of emails, hosting of websites and hosting of confidential data.”
Future Rising Risks
“My personal prediction is I think social engineering types of techniques will become more sophisticated as hopefully firms become more wary of risks to their telephone systems being hacked, their emails being hacked, instructions being given to send monies to new bank accounts set up.
“However I still think there will be significant exposure for the human error element.
“Statistics I’ve seen in terms of data breaches indicate that 37% of data breaches are caused by malicious or criminal attacks, 28% are caused by a problem with a particular system within an organisation and the balance of 35% are caused by operational or human error. People just do silly things or don’t think about the consequences of their actions.
“The primary responsibility is for organisations to train and educate their staff in terms of what can happen, what are the consequences of a data breach or hacking and ultimately I can see firms going out of business because they don’t have the appropriate insurance in place.”
“One of the key protections of cyber insurance is to find out what actually happened in terms of incident response, IT forensics, legal assistance, breach notification costs if there has been a large data breach, and PR costs to enable the organisation’s name, brand and reputation to be protected as far as possible. That sort of incident response is critical.
“We see insurance policies which have inner limits for those kinds of incident responses, which could be as low as £25,000 and that to my mind is far too low to provide appropriate protection to an organisation.”
He warned of the commercial consequences if an organisation doesn’t take security breaches seriously – the potential long-term damage is not just financial but damage to reputation and ultimately customer confidence.
“Repercussions can include reputational damage. We have a client who was accused of sending funds to an incorrect account. The professional indemnity insurers got involved and provided significant legal help and support to ensure that they weren’t regarded as being found negligent.
“So they were protected from the point of view of not being held responsible for the loss the client incurred, which was something in the region of £350,000. But the firm concerned estimated they have lost something like £100,000 worth of work or lost business due to damage to their reputation. They didn’t have any cover in place for that lost business nor indeed any PR consultancy fees to protect their business reputation, their brand, their image.
“Other insurance policies don’t provide cover for the cost of rectifying damage caused to a system by ransomware being attached to or introduced to a system. They don’t provide cover for business interruption losses as a result of an organisation not being able to trade, losing work in progress because their system has been hacked.
“They don’t provide cover for reputational damage or loss of income from loss of business due to reputational damage.”
Essential Protection Checks
“Firms should check their policy’s T&Cs. Certain insurance policies, for example, will only give cover for defined categories of ransomware, and ransomware is expanding exponentially, so you would have to then question the validity or the common sense approach of arranging cover with an insurer that has that limitation.
“Certain insurers will have warranties attached to their policies in relation to things, i.e. that data is encrypted, that a set number of security systems are in place.
“An organisation should have a risk review in place, which may sound like a common sense approach, but if people don’t do that or fail to update it, update those processes and procedures, and they suffer a loss, then they wouldn’t be insured under the insurance policy concerned.
“One of the plus facts with using CFC is they provide a cyber risk management portal which provides risk management tools and training. So once an organisation is insured with CFC they have made available to them a wealth of valuable information as to how they can protect themselves.
“That’s one of the reasons why we selected CFC, because of the breadth of the insurance cover they provide, but equally importantly they have been involved within this space since 1999. They operate in over 60 countries providing insurance to over 40,000 businesses. They have a significant amount of experience of how to sort things out when something goes wrong. It’s very important to have an incident response facility in place so that people can react very, very quickly.”
Help At Hand
QPI’s one-stop-shop approach involves recommending service providers who can carry out an analysis of a firm’s security, how good or how bad it is, and how they can train their staff, alongside providing services that constantly keep businesses up to date with threats as new threats emerge or as additional ransomware comes onto the market.
“We can then sit in the middle to provide the comprehensive insurance protection, including the incident response facilities and the risk management portal facilities that CFC provide, and at the other end of the spectrum we can introduce businesses to a specialist firm of solicitors who are on the insurer panels for most of the solicitor professional indemnity insurance providers in this country and also on the panel of a number of insurers, including CFC, when it comes to dealing with cyber claims.
“So they can see what actually has happened at the coalface and they can provide firms with advice as to how to deal with things if they are unfortunately the subject of one of these ransomware type scenarios but equally review all their terms and conditions with any third party outsourced service providers to make sure they stack up to scrutiny and do provide some protection should the outsourced third party service provider fail to do what they should be doing.”
Words Of Warning
When it comes to Professional Indemnity (PI) cover, QPI has found some solicitors assume that if their bank accounts are hacked, not only is the client account loss covered under their PI policy but any loss of funds from their office account is covered under their PI policy as well.
However, that is not the case: in actual fact their own monies aren’t covered by the PI policy, because the PI policy is only there to protect third parties who lose money.
Fitzgerald added: “Another aspect is if we assume that someone is insured for losses taken from the client’s account, another issue they need to think about is how large an excess do they have and how quickly can they fund that excess?
“They should also consider how quickly their insurer will actually respond to put money back into the client’s account, and if the insurer concerned considers there may have been some collusion from within the firm, the insurer may then carry out an investigation that could take several months. In the meantime the SRA will no doubt be putting pressure on that organisation to replace funds immediately.
“If money is taken from the office account and it is not insured how will a particular firm cope in terms of its cash flow? It is potentially breaching its banking covenants or funding arrangements if it hasn’t got any money to pay bills or fund work in progress.
“The cost of the insurance is relatively small and insurance will start at £600 for a £1 million fee income firm for half a million pounds worth of cover and that cost would increase by another £750 if a firm wants the protection of comprehensive crime protection, the extortion cover, the social engineering cover, the telephone hacking type cover.
“Companies don’t appreciate the comprehensive nature of the cover that is available and, following from that, most don’t realise how little it actually costs and the extent of cover that will be provided should they suffer a loss.
“If a firm of solicitors is the victim of a cyber crime that can be regarded as a breach of the SRA code of conduct and leave them open to enforcement action. To effectively bat away any enforcement action the solicitor concerned will need to demonstrate that they acted responsibly but also had the necessary systems and processes in place to actually deal with these cyber crime events.
“Without cyber insurance being in place it is highly unlikely they will be able to do that because they won’t have access to the organisations who can provide the incident response services such as the legal services, forensic accounting and forensic IT investigations services.
“Organisations should look at the level of protection they need. At QPI we would ask the ‘what if’ questions. For example, if you were hacked and ransomware introduced to your system, how long would it take you to find out the nature of the ransomware, get the ransomware removed from your system, and tell your client what’s going on?
“How long would it take you to deal with any regulatory issues that could come your way from the Information Commissioner if there is the potential for a data breach, and/or the SRA – how would you deal with all these issues and what negative impact could they have on your business going forward?
“The cyber insurance we can provide through CFC is extremely comprehensive so we would have a conversation with organisations saying here are some real life examples of what our clients have suffered from, if this happened to you what would be the consequences to your business?”