Understanding Your Cyber Coverage
Recently, we had the privilege of providing an overview of CLIA’s Cyber Coverage to Saskatchewan lawyers at the CBA Saskatchewan Mid-Winter Meeting. Now we’d like to make sure the lawyers in our other Subscriber jurisdictions understand what cyber coverage they have under the Mandatory Cyber insurance program, the eligibility requirements for this coverage, and that excess cyber coverage is available.
If you use the internet in any capacity, you and your law firm are targets for a cyber-attack. Cyber-attacks are unwelcome attempts to steal, expose, alter, disable, or destroy information through unauthorized access to computer systems. Cyber insurance provides coverage for lawyers and law firms who may fall victim to a wide range of cyber-attacks.
CLIA administers a Mandatory Cyber insurance program. This product is purchased by each CLIA Subscribing Law Society and provides coverage for their members who were required to be insured by mandatory lawyers’ professional liability insurance at the time of Discovery.
CLIA also provides an optional, enhanced Stand-alone Cyber insurance product which can augment your protection, and provide your firm with robust coverage for its potential expenses and lost revenues in the event of a breach or attack.
The following table outlines the Mandatory Cyber and optional Stand-Alone Cyber Coverages:
* These coverage extensions are available for an additional premium and are purchased in conjunction with Stand-Alone Cyber.
See our website for more information, including coverage explanations.
To be eligible for coverage under the Mandatory Program, the following minimum standards are necessary:
Backup Controls: Weekly backups of data, stored offsite, and tested at least annually.
Patching: Application of critical patches to your systems, anti-virus software, and anti-spyware software must be made within two weeks of release.
Anti-Virus/Firewalls: Installation and maintenance, and active monitoring within reasonable business practices, of firewalls and endpoint protection (also known as anti-virus and anti-spyware).
Multifactor Authentication (MFA): MFA is an authentication method that requires the user to provide two or more verification factors to gain access. MFA must be enabled on email accounts and for remote network access (also known as VPN or Virtual Private Networking, or remote desktop access).
Email Scanning: Email scanning must be enabled on your mail services to ensure each email is scanned for malicious attachments, links, or other content before entering your inbox or leaving your sent box.
Employee Awareness Training: Engage in cyber awareness training on at least an annual basis.
See our website for more information on why these minimum standards are required and for tips to meet the requirements.
Note that law firms are required to go through an application process for the cyber stand-alone insurance. Law firms applying for insurance must meet certain requirements (typically more extensive than the mandatory requirements) in order to be eligible for insurance. If the applicant fails any of the underwriting questions, they may still be eligible for cyber insurance but with additional underwriting, or they may not be eligible and will be required to make changes to their IT systems and/or processes.
For more information on how to manage and report a cyber attack, see our website.