All strategies to combat cyber risk involve purchasing cyber insurance. Our program provides primary coverage, but we recommend that you contact a skilled cyber broker to tailor your coverage to meet the needs of your firm, including possible excess options. If you do not already have a broker for cyber, we have listed several on our website who specialize in cyber insurance: Brokers selling commercial insurance for law firms.

The most common cyber risks that law firms face are ransomware, social engineering fraud, and data breach. Incidents related to these risks can result in serious consequences to law firms and their clients.


Ransomware

Ransomware occurs when a fraudster takes an organization hostage (quite literally) by encrypting and disabling access to business-critical systems and data until a ransom payment is made, often in bitcoin. The professional services industry is the second most targeted, behind only the consumer discretionary industry.

Social engineering fraud

Social engineering fraud occurs when a fraudster succeeds in having a lawyer, for example, transfer client funds to the fraudster based on an intentionally misleading representation of facts. Although far less sophisticated than ransomware attacks, it is also a leading cause of law firm cyber insurance claims. These attacks typically involve some combination of business email compromise (of the law firm or a client), email spoofing, or invoice manipulation.

Common social engineering techniques

Invoice manipulation occurs when a client the firm may be dealing with is tricked into paying an invoice from the firm that they believe is legitimate but has actually been manipulated to appear real. The client then refuses to pay the firm’s legitimate account when it comes. It can also occur in reverse – when a firm employee pays an invoice from a vendor that has been manipulated and sent to the firm by a cyber-criminal. Invoice manipulation is devious. Unlike run-of-the-mill phishing attacks, invoice manipulation requires time spent observing an organization’s billing and payment processes and habits with third parties.

Look-alike domains are domain names that closely resemble the domain name of a trusted website, for example by swapping letters around or substituting common characters. In this day and age, most of us are wary of clicking links that we don’t trust, and so look-alike domain names are designed to make it non-obvious that a link or message is coming from a malicious domain or sender. In advance of a social engineering attack, it is common to see criminal actors registering domains similar to the victim’s to ultimately phish the victim, or to perpetrate funds transfer fraud or business email compromise.
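A mail filter or reviewer can screen for the letter swaps and character substitutions described above. The following is an added example, not part of the original guidance; the trusted domain `examplelaw.com`, the sample sender domains, and the substitution table are constructed assumptions.

```python
# Added example: flag sender domains that imitate a trusted domain.
# "examplelaw.com" and every sender below are constructed sample values.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Collapse common character substitutions so visual twins compare equal."""
    for fake, real in SUBSTITUTIONS:
        domain = domain.replace(fake, real)
    return domain

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify(sender, trusted, max_edits=2):
    """Return why `sender` looks like `trusted`, or None if it does not."""
    sender, trusted = sender.lower().rstrip("."), trusted.lower().rstrip(".")
    if sender == trusted or sender.endswith("." + trusted):
        return None  # the real domain or one of its subdomains
    if skeleton(sender) == skeleton(trusted):
        return "character substitution"
    if sender.split(".")[0] == trusted.split(".")[0]:
        return "same name under a different suffix"
    edits = osa_distance(sender, trusted)
    return f"{edits} edit(s) from trusted domain" if edits <= max_edits else None

def flag_lookalikes(senders, trusted):
    """Map each suspicious sender domain to the reason it was flagged."""
    hits = {s: classify(s, trusted) for s in senders}
    return {s: why for s, why in hits.items() if why}

if __name__ == "__main__":
    SAMPLE = ["examplelaw.com", "exarnplelaw.com", "exmaplelaw.com",
              "examplelaw.net", "unrelated-vendor.com"]
    for domain, why in flag_lookalikes(SAMPLE, "examplelaw.com").items():
        print(f"{domain}: {why}")
```

Run it against the sender domains on any email that carries payment or wire instructions; a hit is a reason to verify by phone, not proof of fraud.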

Email spoofing is the creation of an email with a forged sender address. Criminals spoof emails in the hopes of duping the recipient (i.e., the victim) into thinking the email originated from a trusted source. In the context of funds transfer fraud it is a technique that is used to spear phish, impersonating the email of a CEO/executive, vendor, or customer in an effort to trick the victim into wiring funds, or purchasing and sharing gift card PIN numbers.

Data breaches

Data breaches occur when sensitive information from a law firm is provided unwittingly to a third party. Any business that stores data on a network is at risk for a cyber attack. A breach can be particularly costly and operationally devastating for lawyers who are responsible for maintaining privilege over client information. Firms can also be subject to regulatory fines and reputational damage on top of other claim costs.

How to prevent claims

Ensure RDP ports are protected and unused ones are closed. Remote Desktop Protocol (RDP) allows users to access their office desktop and computing resources remotely. While convenient, especially in the age of working from home, it can also make businesses extremely vulnerable to ransomware attacks if not configured properly. Open RDP ports are the most common cause of ransomware attacks. If you must use RDP access, secure it behind a virtual private network and multi-factor authentication.

Cyber incidents are costly and incredibly disruptive for any business. However, most cyber incidents and security failures (particularly the ones targeting small businesses) are preventable. The most effective methods to mitigate cyber risk are all no-cost or extremely low-cost to implement.

Coalition’s top five recommendations to mitigate cyber risk are as follows:

  1. Multi-factor authentication. Turn on multi-factor authentication (MFA) for all business-critical services including corporate email accounts, VPNs, financial accounts, and any other application where sensitive information is stored. While it is nearly impossible to prevent phishing entirely, using MFA can stop criminals in their tracks.

    MFA is common across technology platforms these days and should be used across all business email accounts and other key business software. Usually through brute-force attacks (criminals trying multiple username and password combinations in quick succession) or through stolen credentials from the dark web (people reusing username and password combinations), criminals can quickly gain access to business email accounts without this extra piece of security. Once in, the criminal can reroute money to fraudulent bank accounts, or create a ransomware event or major privacy breach.

  2. Routine backups. Regularly back up your systems and information, and store backups in an “offsite” location. Offsite doesn’t have to mean physically offsite, but in a location that is not connected to your main business network. This will make it far more difficult for a criminal hacker to delete or encrypt your backups.
  3. Password management. Encourage employees to use a password manager (e.g., LastPass, 1Password, or the password managers built into web browsers like Chrome or Safari). Using strong, unique passwords for each of the services you use can help prevent common criminal techniques such as “brute forcing” or “credential stuffing.”
  4. Email security. Implement basic email security measures including SPF, DKIM, DMARC, and an anti-phishing solution. Email is the single most targeted point of entry into an organization for a criminal hacker, and the implementation of these email security measures can be done quickly, and for free.

    Using these protocols will improve the information you receive from Coalition on your dashboard. Sender Policy Framework (SPF) can prevent domain spoofing. It enables a receiving mail server to determine whether a message was sent by a server authorized for the domain it claims to come from. DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and hasn’t been tampered with or compromised. Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the first two protocols together with a consistent set of policies.

  5. Wire transfer verification. Implement a dual-control process when making funds transfers. Today, it is no longer safe to assume that email is a secure means of communication. Call the intended recipient of the transfer before you make it to confirm any wire instructions provided, and make sure you have an accurate phone number!