DLA Piper hack could cost 'millions', brokers say

DLA Piper is still recovering from last week’s cyber attack, with insurance brokers saying the resulting upheaval could lead to costs “in the millions”.

The firm, which fell victim to the ransomware attack that spread across the globe last Tuesday (27 June), is still grappling with IT problems 10 days on from the attack.

In a statement, DLA said: “We are bringing back services in a graduated way, and only as and when we can be satisfied that the appropriate safeguards are in place.”

Sources within DLA have told Legal Week that many staff have begun using their work computers again, while others are continuing to work on personal laptops while their hardware is checked over. Email is back online, but landline phones are still down, with calls being diverted to mobiles.

The firm has officially notified the Solicitors Regulation Authority of the attack, as well as other international regulators, and is working with authorities such as the FBI and the UK’s National Crime Agency to help their investigations into the matter.

The firm said it had also called in IT experts to restore its systems and safeguard client data. A spokesperson said: “We are working with leading external engineers and information security specialists, in addition to those within our organisation.”

A DLA spokesperson told Legal Week that the firm “has in place a range of different insurances relevant to this incident.”

Lawyers and brokers said that appropriate insurance would cover many of the costs associated with this kind of attack, including paying for external support, potential loss of income and the costs of getting lawyers back online.

Brett Warburton Smith, a partner at independent insurance broker Lockton, which acts for 27 of the top 100 UK law firms, said: “The total direct and indirect cost could be in the millions.”

RPC legal director Philip Tansley, who advises companies and law firms on responding to cyber breaches, added: “Cover available in the market includes mitigation expenses, which might cover, for example, the additional costs of working, such as getting people set up working remotely, and outsourcing urgent work to third-party firms.

“In terms of loss and deferral of revenue, that is a complex area. Firms should be careful that they have the right cover and if they are not sure, discuss it with their brokers and underwriters and ask them: ‘If this happened, would you cover it and how would you calculate our claim?’”

Janine Parker, head of UK professions at Paragon International Insurance Brokers, said: “Our cover would cover loss of revenue; we have a full breach response. If any of our law firms suffered a cyber attack they would have access to specialist law firms, to a PR firm, to claims for loss of income and loss of profit. If they lose a client due to an event during litigation, we would pay a percentage of a success fee they would be due under a conditional fee agreement.”

The size of policies on the market stretch up to $300m-$500m, according to Sarah Stephens, head of cyber at insurance broker JLT Group.

“You could potentially buy anywhere from $300-$500m, but generally if you are only buying it to augment the third-party liability cover in your professional indemnity [PI] policy, you are looking at the likely loss from business interruption so we would typically see policies of no more than $100m.”

The process of working out how much a breach will cost would typically begin shortly after it had been discovered.

Tansley said: “The insured, with the help of their broker, would look at the policy and work out what the business interruption claim was, which the insurer would then adjust. The alternative approach is that the insurers, knowing a large claim was on the way, would appoint an adjustor or a forensic accountant to work with the insured to establish what its loss is.”

Brokers and underwriters said that cyber insurance is becoming increasingly common throughout the legal market.

David Warr, cyber underwriter for QBE European Operations, said: “We have over 300 firms of solicitors that have purchased a cyber policy from us, covering off the whole spectrum from two-partner law firms to some of the largest law firms in the world.”

Warburton Smith adds: “Fifty percent of our top 100 clients now buy specialist cyber insurance projects and the other 50% are looking into it. We are getting calls virtually every day on the back of this [the DLA hack] because people are really concerned about it.”

However, while larger firms have tended to be more proactive in insuring themselves against cyber risks, many smaller and midsize firms still rely on their PI cover to protect them.

DAC Beachcroft partner Hans Allnutt, head of the firm’s cyber response team, commented: “The mandated wider cover of the minimum terms for solicitors’ PI may have lulled the legal industry into a false sense of security that they have insurance cover for cyber risk and data breaches. However, the minimum terms are designed to protect clients – not a firm’s own exposures to cyber risk.”

In the event of loss of client money or data, firms would typically be covered by their PI insurance, but this would not stretch to loss of revenue or the costs of remediating the problem.

Allnutt warned that cyber attacks are becoming increasingly common: “We have seen a spike in breach instructions. We are currently running at about one a week; a year ago it was one a month and we expect that to change to one every other day after the General Data Protection Regulation takes effect next year.”

And while leading law firms will now being doing everything in their power to protect themselves against falling victim to a similar incident, the reality is that even the best defended systems are still vulnerable.

Legal Risk LLP partner Frank Maher notes: “If the Pentagon can be hacked, there is not much hope for the rest of us.”