Product Family


Claims Manager, Cyber

In June 2017, a massive cyberattack shut businesses and agencies across the globe out of their systems. Companies and government entities in 65 countries, including the US, were reporting locked systems and ransom demands by the hackers who had launched the Petya ransomware attack. Banks, airports, power grids as well as large companies were impacted. Global law firm DLA Piper, Danish shipping company Maersk and US, pharmaceutical company Merck were among the companies that announced its systems had been compromised.  

It was the second cyberattack in just over a month: the WannaCry cyberattack in May 2017 targeted computers in at least 150 countries. In that attack, the UK’s healthcare system was compromised, forcing a work stoppage at hospitals across the UK when staff and medical teams could not access patient data. Telecommunications companies, auto manufacturers, and FedEx in the US also experienced interruptions that impacted operations. Early reports set losses from the WannaCry attack at $4 billion.i

While the costs of the Petya attack are not yet known, estimates released at the end of June put worldwide losses at $8 billion. Even as insurers are tallying the most recent attacks, underwriters are estimating the next Wannacry attack could be a $2.5 billion hit to insurers.ii  But, according to new research by Lloyd’s and Cyence, a cyber risk analytics modelling firm, a major global cyber-attack could have even bigger potential possibly triggering as much as $53 billion of economic losses, equal to those from a catastrophic natural disaster like 2012’s Superstorm Sandy.

What is certain is how lucrative ransomware attacks are for hackers: cybersecurity experts say hackers are bringing in over $70,000 a month from such breaches.iii Law firms increasingly are becoming the focus of ransomware attacks. As Petya spread across the world, employees arriving to work at US-based law firms were welcomed by ransom messages on their monitor screens.

The Next Cyber Victims

Small to mid-sized law firms are an increasingly attractive target because it may be easier for hackers to compromise their computer systems.

Unlike large corporations that have incident response plans in place, small to mid-sized law firms are less likely to have developed sophisticated incident response plans. In addition, at smaller firms, senior management may not see cyberattacks and ransom demands as a real threat. As a result, many firms operate without an incident response plan.

Further, where most large corporations have dedicated IT teams to ensure regular system updates and patches, as well as to detect intrusion attempts, smaller firms are less likely to have the financial means to have an IT department, staffed with full-time professionals, devoted to securing company systems.


Using insurers as allies in the fight can help smaller firms face these cyber threats with confidence.

Without an incident response plan or a robust IT department, the impact of a cyberattack on a law firm could be devastating. According to a NetDiligence report, 87% of cyber claims come from organizations with less than $2 billion in revenue. The ransom demanded for hackers to restore access to companies in the latest WannaCry and Petya attacks: $300 in Bitcoin currency (at this writing, 1 Bitcoin was equivalent to $2,342.56 US).

Loss of billings, productivity, and administrative time can cost even more than the ransom itself, which is likely to be a nuisance amount. A Providence, RI-based law firm recently filed suit against its insurer for a 2015 attack against the firm. In the suit, the firm claims an additional $700,000 in losses.

Hackers may exploit information contained in employee files, confidential business information, client business files, and even payroll information for client companies and the law firms themselves. Hackers can tie up a firm’s files and deny access for months, grinding business and productivity to a halt. Without access to firm data and to client data, lawyers may miss court filings, court dates, settlement dates, and more. The frequency of these scenarios has been increasing over the last year, and while claim total severity is decreasing (an average of $1,077 in 2016 iv), smaller companies simply are not equipped to absorb the financial impact of these incidents as well as larger entities.

Yet, often paying the ransom is not the end of the ordeal. Hackers also access important data, which can later be exposed or sold. Likewise, hackers can create openings through which they can return later to once again hold systems and data captive. The ransom payment has not erased the problem, but has masked what could be an ongoing attack.

Preventing a Breach

Despite being targeted with more frequency, law firms do have options when it comes to preventing ransom attacks. Firms can use the following methods to test their readiness and uncover weaknesses in their security/and or incident response plan:

Tabletop Exercises: Working with external vendors and/or legal counsel, firms can walk through mock scenarios that are based on their industry, stored information, outsourced information, and policies that are in place. Through these tabletop exercises, stakeholders act out a breach response to test an entity’s incident response plan or to develop a plan. A tabletop exercise allows companies to view worst-case scenarios from their clients’ perspective as well as the impact such a breach would have on their operations. Each exercise can be customized to address issues that are unique to each firm.

Information Security Policy and Procedure Review: Firms should review all security policies and procedures, particularly their agreements with external vendors, and ensure that theyhave plans in place that protect the firm from potential breach. If no policies exist, many insurers offer their clients access to resources that can help law firms establish sound, easily manageable ones.

Risk Assessments: Depending on the firm’s operations, risk assessments will vary. A forensic assessment includes a review of relationships with vendors, including the type of data shared and system access and security protocols that are in place.

Employee Training and Education: This would typically include a discussion with key stakeholders to identify and prioritize employee training needs regarding overall security awareness. Working with various cyber security vendors and risk consultancies, firms can develop customized training and educational materials that help increase network security awareness among employees and management.  (Read more about raising employee awareness from my colleague Maura Wiese in her article, Ransomwares Greatest Adversary:  Employee Cyber Awareness.)

Insurance Protection

Insurers offer a myriad of insurance products and endorsement options that respond to these risks, including cyberattacks. Cyber policies may include coverage for cyber, technology errors and omissions, and media, including coverage for cyber extortion, data breach response and crisis management, business interruption and extra expense as well as data recovery and defense costs.

As ransomware attacks may become more prevalent in the law firm realm, smaller firms should prepare to face these potential risks. Using insurers as allies in the fight can help smaller firms face these cyber threats with confidence.


About the Author

Danielle Roth is a Team Leader with XL Catlin’s Cyber & Technology team.  She is based in New York and can be reached at



[i] Cyence estimates.

[ii] CFC Underwriting.


[iv] Symantec 

To contact the author of this story, please complete the below form

Invalid First Name
Invalid Last Name
Country is required
Invalid email
Invalid Captcha

Global Asset Protection Services, LLC, and its affiliates (“AXA XL Risk Consulting”) provides risk assessment reports and other loss prevention services, as requested. This document shall not be construed as indicating the existence or availability under any policy of coverage for any particular type of loss or damage. AXA XL Risk. We specifically disclaim any warranty or representation that compliance with any advice or recommendation in any publication will make a facility or operation safe or healthful, or put it in compliance with any standard, code, law, rule or regulation. Save where expressly agreed in writing, AXA XL Risk Consulting and its related and affiliated companies disclaim all liability for loss or damage suffered by any party arising out of or in connection with this publication, including indirect or consequential loss or damage, howsoever arising. Any party who chooses to rely in any way on the contents of this document does so at their own risk.

US- and Canada-Issued Insurance Policies

In the US, the AXA XL insurance companies are: AXA Insurance Company, Catlin Insurance Company, Inc., Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Specialty Insurance Company and T.H.E. Insurance Company. In Canada, coverages are underwritten by XL Specialty Insurance Company - Canadian Branch and AXA Insurance Company - Canadian branch. Coverages may also be underwritten by Lloyd’s Syndicate #2003. Coverages underwritten by Lloyd’s Syndicate #2003 are placed on behalf of the member of Syndicate #2003 by Catlin Canada Inc. Lloyd’s ratings are independent of AXA XL.
US domiciled insurance policies can be written by the following AXA XL surplus lines insurers: XL Catlin Insurance Company UK Limited, Syndicates managed by Catlin Underwriting Agencies Limited and Indian Harbor Insurance Company. Enquires from US residents should be directed to a local insurance agent or broker permitted to write business in the relevant state.