Managing and Reporting a Cyber Attack
You are a member in a CLIA jurisdiction and you think you’ve been a victim of a cyber attack – what should you do?
First, how do you know if a cyber attack has occurred? Here is a list of examples of indicators of a cyber attack:
Your systems are locked, and you receive a demand for funds, property, or services to regain access.
Your sensitive data has been exposed or has been threatened to be exposed publicly.
Data is migrating off the network and being sent to an unknown destination.
There is malware discovered on the system that has gone undetected for some time.
Your computer system performance has deteriorated or is interrupted, and you suspect that it may be due to malware.
A client or vendor alerts you to a third party attempting to impersonate your business.
What should you do if you believe you have suffered a cyber attack?
Step 1: Assess If Email Has Been Compromised and Change Password
If a lawyer/law firm thinks they may have suffered an email compromise (for example, a client notifies them that their email account is sending spam or phishing emails), then before they do anything else they should change their email password and enable multi-factor authentication (MFA). If they are using a provider that doesn’t have a multi-factor authentication option available, then it is highly recommended that they look at a new provider that does provide this option.
Note: MFA is a requirement to be eligible for insurance.
Step 2: Engage with Your Internal or External IT Provider
(if you don’t have an IT provider, go to Step 3)
The lawyer/law firm should reach out to their IT provider and give them a summary of the situation. As they already know their systems, they should be the quickest to start evaluating the situation.
Step 3: Report the Cyber Attack
The lawyer/law firm should notify the CLIA cyber insurance program via cyberclaims@clia.ca or 1-833-383-1488, communicate that they have a potential event unfolding, and give a brief overview of the situation.
If they do not have an IT provider, the insurance program's breach coach will help to assess their next steps and recommend an IT provider.
If they have an IT provider, the lawyer/law firm should specify in their report that the provider is looking at the issue. This will make sure that the insurance program is ready to assist should the need arise.
The breach coach will acknowledge the lawyer/law firm's email or call and be standing by for updates. If a breach is confirmed or likely to have occurred, then the lawyer/law firm should immediately update the CLIA cyber insurance program and seek their advice to determine the best option for deeper investigation and remediation. The insurance program has access to forensics and other IT professionals who specialize in cyber breaches and can be brought in to assist, and it can vet any offerings. If the event turns out to be nothing, they should simply let the program know that it was a false alarm.
If a law firm's or lawyer's clients have notified the lawyer/law firm that they feel they have suffered damages as a result of a breach of a system, then the lawyer/law firm should immediately report a claim to cyberclaims@clia.ca.
What constitutes a notice to the insurer?
An email to cyberclaims@clia.ca will be required for formal notice of claim or circumstance to the insurer.
Are there costs for calling the phone-line or emailing the CLIA cyber program?
If a lawyer requires the services of the breach coach beyond providing an initial overview of the claim situation, costs may be incurred for their assistance. A lawyer will not be charged for simply calling the cyber phone-line or emailing the cyber claims inbox, but if there is a legitimate claim and actual assistance is provided then there will be charges.