Law firms are becoming increasingly vulnerable to cybercriminals. As the legal industry expands its reliance on technology and law firms collect more personally sensitive data, the exposure is increasing. Unfortunately, many firms do not realize the risk they face and are not taking the necessary steps to protect themselves from being a target, particularly against social engineering scams.

One in four lawyers reported their firm had suffered a computer security breach in 2022, according to a 2023 report from the American Bar Association (ABA). In another report by EC-Council University, law firms were identified as the second-most susceptible industry to cyberattacks, behind only manufacturing.

There are many different ways cybercriminals can take advantage of a law firm's vulnerabilities—from hacking their network and stealing personal information belonging to employees, clients or both, to ransomware attacks where a firm's computer network is shut down until a financial demand is met.

But the biggest cybersecurity threat to law firms currently comes from social engineering schemes, where a cybercriminal tricks an attorney into sharing sensitive information or transferring funds through a false communication or client directive, typically via email.

Cybercriminals are becoming more sophisticated with these schemes, making it difficult for law firms to discern whether the person they are communicating with is a legitimate entity. According to recent Berkley Select claims data, cyber-related incidents against law firms increased significantly, the bulk of which were perpetuated through fraudulent funds transfers. Some of the claims alleged dollar amounts of more than six figures.

Although a law firm may unintentionally fall victim to a social engineering scheme, its lawyers professional liability (LPL) policy may not cover these claims because “intentional acts" are excluded. These situations are completely dependent on the facts, and it can be difficult to prove the incident was due to a legal mistake. Policies may also have exclusions for conversion or misappropriation of funds, or they may be “silent" on cyber claims altogether.

Relying on a silent policy—which neither expressly covers nor expressly excludes cyber claims—is a gamble, and uncertainty could leave law firm insureds vulnerable to costly claims if they don't have the right policy in place or don't understand their risk.

Here are four ways agents can help their clients:

1) Advise law firms to purchase a standalone cyber policy. Only 40% of law firms currently have a cyber liability policy, according to the ABA's 2023 technology report. Firms can also add a social engineering sublimit to their LPL policy.

2) Make sure law firm clients maintain a robust cybersecurity program. A cybersecurity program should include secure email and software monitoring with real-time alerts if an outside party has accessed the firm's server.

3) Ensure law firm clients have a verification process for financial transactions. It must be confirmed that financial transactions, such as wire or bank transfers, are being sent to the intended recipient. There should also be a plan for notifying banks and law enforcement as soon as a fraudulent transaction has been discovered.

4) Encourage regular training. Firms should hold cybersecurity training that educates all staff about how to avoid falling victim to these scams.

To avoid coverage confusion, the industry has been moving toward coverage exclusions or providing sublimits for certain cyber-related claims. It is critical that agents and brokers understand what coverage and risk management options are available to help their law firm clients mitigate their exposure to social engineering scams.

Al Roberts is vice president of underwriting, professional liability at Berkley Select.

Disclaimer: Berkley Select is a member company of W. R. Berkley Corporation, a Fortune 500 Company. The views expressed herein are those of the author and do not necessarily represent the views of W. R. Berkley Corporation.