When we were children, our mothers told us to “eat a good breakfast,” “always eat your vegetables,” and “get plenty of exercise.” As we grew older, their advice focused on more important life choices such as “don’t do drugs,” “don’t exceed the speed limit,” and “don’t hang out with the wrong crowd.” Our mothers didn’t dispense this advice just to make our lives more difficult. To the contrary, this advice was offered in hopes we could avoid the inevitable ill consequences that arise from not following such advice.
But, now we’re in the business world, and as title executives, we encounter things our mommas never taught us. So, we must draw from all legitimate available resources in structuring our business dealings for best possible outcomes. In this blog, we’ll cover some cybersecurity tips and best practices advice our mothers could never have anticipated.
Advice your momma never gave you
While our moms provided a plethora of guidance for our personal lifestyles, lawyers, industry regulators, judges, and other professionals are whom we must look to as sources of behavioral business advice. Even then, despite our best efforts, we must anticipate and prepare for consequences resulting from any missteps or situations beyond our control.
In light of the recent “misdirected wire transfer scams” and “ransomware attacks,” it’s important we seek sound advice to avoid becoming a victim of cyber criminals. PYA Information Technology Principal Barry Mathis, a former CIO, CTO, senior IT audit manager, and IT risk management consultant says, “Accepting a verbal confirmation that your systems are patched and up-to-date is an unacceptable form of management. Senior leadership should require vulnerability scans and reports that show the status of all devices in the network. It’s not just about ransomware, it’s about the vulnerability of the device. When it comes to cybersecurity, a single hole could sink the entire ship.” Mathis recently authored a blog, “‘WannaCry’— Actions Your Healthcare IT Professional Wants You to Take Now,” for healthcare providers that offers some important tips also applicable to other industries.
Another recent blog, “8 Steps to Avoid Being the Victim of the Next Ransomware Attack,” from Morrison & Foerster LLP, offers good advice that title agencies and law firms should employ to minimize this risk, including:
- Making sure software patches are routinely applied.
- Using only supported operating systems and other software, if possible.
- Using anti-malware and anti-virus software tools and services.
- Backing up critical data.
- Training employees to spot phishing emails.
- Creating a cross-functional incident response plan.
- Practicing response to a ransomware attack in a table-top exercise in order to “hit the ground running” when this type of event occurs.
- Establishing or enhancing relationships with law enforcement and other critical partners.
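Mathis’s point above is that leadership should insist on a report showing the patch and support status of every device rather than a verbal “we’re patched,” and the first two steps in the list (routine patching, supported software only) are exactly what such a report should make visible. The following script is an added example, not code from the original post or from any of the firms mentioned; it assumes a simple CSV export from a vulnerability scanner or asset inventory with the columns shown, and the sample rows are constructed for illustration. It flags devices running an operating system past its end-of-support date, devices not patched within an allowed window, and devices with missing critical patches, then produces the one-page summary a non-technical executive could actually ask for.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export (hypothetical devices, not real scan data).
# Assumed columns: device, os, os_supported_until, last_patched, missing_critical
SAMPLE_SCAN_CSV = """device,os,os_supported_until,last_patched,missing_critical
TITLE-WS01,Windows 10,2025-10-14,2017-05-20,0
TITLE-WS02,Windows 7,2020-01-14,2016-11-02,3
ESCROW-SRV1,Windows Server 2012 R2,2023-10-10,2017-06-01,0
FRONTDESK-PC,Windows XP,2014-04-08,2015-03-15,7
"""


@dataclass
class DeviceStatus:
    device: str
    os: str
    unsupported_os: bool      # OS end-of-support date has passed
    patch_overdue: bool       # not patched within the allowed window
    missing_critical: int     # critical patches the scanner says are absent

    @property
    def compliant(self) -> bool:
        return not (self.unsupported_os or self.patch_overdue or self.missing_critical > 0)


def assess_inventory(csv_text: str, as_of: date, max_patch_age_days: int = 30) -> list[DeviceStatus]:
    """Turn a scan/inventory export into a per-device status list."""
    statuses = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        supported_until = date.fromisoformat(row["os_supported_until"])
        last_patched = date.fromisoformat(row["last_patched"])
        statuses.append(DeviceStatus(
            device=row["device"],
            os=row["os"],
            unsupported_os=as_of > supported_until,
            patch_overdue=(as_of - last_patched).days > max_patch_age_days,
            missing_critical=int(row["missing_critical"]),
        ))
    return statuses


def summarize(statuses: list[DeviceStatus]) -> dict:
    """Counts an executive can read at a glance: how many devices, how many clean, what kinds of gaps."""
    return {
        "total": len(statuses),
        "compliant": sum(s.compliant for s in statuses),
        "unsupported_os": sum(s.unsupported_os for s in statuses),
        "patch_overdue": sum(s.patch_overdue for s in statuses),
        "missing_critical": sum(s.missing_critical > 0 for s in statuses),
    }


def format_report(statuses: list[DeviceStatus]) -> str:
    """Plain-text report: summary line first, then one line per non-compliant device."""
    summary = summarize(statuses)
    lines = [
        f"{summary['compliant']}/{summary['total']} devices compliant; "
        f"{summary['unsupported_os']} on unsupported OS, "
        f"{summary['patch_overdue']} overdue for patching, "
        f"{summary['missing_critical']} missing critical patches"
    ]
    for s in statuses:
        if s.compliant:
            continue
        problems = []
        if s.unsupported_os:
            problems.append(f"unsupported OS ({s.os})")
        if s.patch_overdue:
            problems.append("patching overdue")
        if s.missing_critical:
            problems.append(f"{s.missing_critical} critical patches missing")
        lines.append(f"  {s.device}: " + ", ".join(problems))
    return "\n".join(lines)


if __name__ == "__main__":
    # Evaluate the constructed sample as of a fixed date so the result is reproducible.
    print(format_report(assess_inventory(SAMPLE_SCAN_CSV, as_of=date(2017, 6, 15))))
```

The value of the report is in the exceptions list, not the summary line: a device running an unsupported operating system stays non-compliant no matter how recently it was “patched,” because no further patches will be issued for it, which is the distinction between the first two steps above.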
A slightly longer list of recommendations appears in a free, easy-to-follow e-book written by attorney Brian Focht, “12 Steps for Cybersecurity: A Guide for Law Firms.” None of these suggested actions are particularly difficult to implement, and just like following your momma’s lifestyle advice, you would be much better off taking these simple steps.
Simple, eh? Despite our best efforts, we’ll likely stray from well-reasoned business advice and fail to perform one or more recommended actions. Even more troubling, completing 100% of the recommended actions is no guarantee that a cyberattack won’t happen. For that, we must prepare for the consequences. In this business context, cyber-insurance coverage is one of your best defenses.
Protecting against inevitable consequences will require some investigation
The challenge is that while most businesses already have “professional liability” and “general commercial liability” policies in place, most don’t know what is actually covered or excluded under those policies. Remember that, although you paid a premium for protection against a series of different risks, you can only be sure that the risks you want covered are in fact covered by carefully reading each policy. Here’s another piece of advice worth following: “Read your policies before you have a loss incident.”
This is where some business advice is really needed. Many business owners ask, “If I read an insurance policy, what should I look for?” A helpful blog on this topic, “No More Tears: Insurance Coverage For The ‘WannaCry’ Ransomware Attack,” was recently published by Tyrone R. Childress, Richard DeNatale, and Jason B. Lissy, all lawyers with the Jones Day law firm. The blog notes that of the approximately 70+ cybersecurity insurance carriers offering cybersecurity policies, none are the same. As a result, any policy you have, and any that you are proposing to secure, should be carefully evaluated to ensure coverage of the specific risks for which you are concerned. Many of the policies will not address specific risks, or will exclude coverage for certain risks, but insurers point out that, in most cases, these policies can be customized to meet your needs through available endorsements that add coverage or delete exclusions.
My advice is to become familiar with the variety of both first-party and third-party coverages that carriers offer so you know what to look for and what to ask for if it is not covered. A great resource for understanding and evaluating the types of coverages and policies available is an article, “Cyber Insurance for Law Firms,” written by Jeffrey A. Franklin, Esq., in the May/June 2016 issue of GPSolo, an American Bar Association publication.
Overlooked benefit to implementing recommended cybersecurity measures
Finally, you must remember that policy premiums vary, based upon the carrier’s assessment of its risk of loss. Just like a life insurance carrier is going to charge more for a person with diabetes and high blood pressure, a cyber insurance carrier is going to charge more for those who can’t provide proof of having: timely applied software patch updates, conducted adequate staff training for detecting phishing attacks, or implemented security safeguards such as use of strong passwords. Your ability to demonstrate that your office exercises industry Best Practices, like those covered in Pillar 3 of ALTA Best Practices, will have a significant impact on what you pay for needed coverage.
If you are serious about doing all you can to avoid becoming a victim of cybercrime, adopting and actually implementing the procedures outlined in Pillar 3 of ALTA Best Practices is the best tactic you can employ. Even this, however, can’t ensure you won’t become a victim. Securing a broad-based cyber insurance policy providing protection against financial loss is your next best hedge against this ever-present risk, and you can maximize these efforts by achieving a certification of compliance through a qualified, independent third party. By taking this additional step, you can earn a substantial discount on the premiums charged by the cyber-insurance carrier and use this discount to defray the cost of the certification. In the end, successfully completing an assessment for compliance with ALTA Best Practices can not only demonstrate the desirability of your firm to lenders, but help you substantially minimize the cost of protection and any actual financial loss that will arise when a cyber-attack on your firm inevitably occurs.
In conclusion, there are three excellent reasons you should consider securing a Best Practices certification of compliance:
- You can minimize many of the dire consequences that naturally arise from failing to completely follow good industry advice.
- You can achieve substantial savings on the costs of cyber insurance.
- Your momma would be proud of such a decision.