As you know, LIANS arranges mandatory first response Cyber insurance coverage for all insured lawyers. With the recent (July 1, 2022) renewal, there has been significant change to the conditions of coverage. If you want protection under the policy, there are three additional steps that you must take now.
Normally, for those of you practicing in firms, we would only send this note to your designated lawyer. However, the issues these new conditions address are just as relevant for your (and your families') personal email accounts and computer use as they are for your business accounts, so we thought it prudent to send this to all.
The three new conditions for coverage are:
- Multi-factor authentication must be enabled on email accounts and for remote network access (also known as VPN or Virtual Private Networking, or remote desktop access).
- Email scanning must be enabled on your mail services to ensure each email is scanned for malicious attachments, links, or other content before entering your inbox or leaving your sent box.
- Firm members must engage in cyber awareness training before June 30, 2023.
These new conditions are in addition to the following longstanding conditions which we have previously noted to you:
- Weekly backups of data, stored offsite, and tested at least annually.
- Application of critical patches to your systems, anti-virus software, and anti-spyware software must be made within two weeks of release.
- Installation and maintenance, and active monitoring within reasonable business practices, of firewalls and endpoint protection (also known as anti-virus and anti-spyware).
Many lawyers and law firms will already have these protections, including the new ones, in place. However, if you do not, or are not sure, you should check with your IT consultant ASAP and take steps to implement Multi-Factor Authentication and email scanning today. Information on both processes, including links to instructions, follows.
Multi-Factor Authentication (MFA)
MFA is a process by which users are prompted during sign-in for an additional form of identification, such as a code sent to your cellphone or a fingerprint scan. Hackers are gaining unauthorized access to networks by stealing log-in credentials. By requiring multi-factor authentication, you reduce the likelihood that an unauthorized third party in possession of a username and password can access your computer networks.
The MFA feature has to be turned on.
If you use Microsoft Office 365, you can go to this link for instructions: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
If you use Gmail, go to this link: https://safety.google/authentication/
If you use an email system other than Microsoft or Gmail, you should contact your service provider for guidance on turning MFA on.
Here is a link to an article on MFA and other cyber issues: https://www.attorneyatwork.com/multi-layer-security/
Email Scanning
If you use Microsoft Outlook or Gmail, email scanning may already be enabled automatically. But you should check your settings to make sure.
For Microsoft, you can go to this link for information: https://support.microsoft.com/en-us/topic/spam-and-virus-protection-in-microsoft-365-small-business-7c4ea825-48e9-4cde-ab27-e5e131e3e652
For Gmail, you can go to this link for information: https://support.google.com/a/answer/9157861?hl=en#zippy=%2Cturn-on-spoofing-and-authentication-protection
If you use a different email system, you should check your settings and/or contact your service provider for guidance.
Cyber Awareness Training
The policy condition requires that you engage in cyber awareness training on at least an annual basis.
If you are in a firm, it may very well be that you have access to such training. If so, we would recommend you review it annually. We also recommend that you make it available to your staff.
If you do not have access to programming with your firm, or if you are interested in additional resources for you and your staff, we recommend the following.
Carnegie Mellon University, in partnership with the National Cyber Security Alliance (NCSA), has produced a series of eight 3-minute videos covering the fundamentals of cyber security. They are available at: https://www.cmu.edu/iso/aware/videos/ncsa-videos.html. Clicking the “Training and Awareness” tab on that page will link to further resources.
In addition, from that site, or by clicking the following link, you can access further NCSA resources: https://staysafeonline.org/resources/