This Div is a JS Trigger
Issue 76 | July 2022


This newsletter includes information to help lawyers reduce the likelihood of being sued for malpractice. The material presented is not intended to establish, report, or create the standard of care for lawyers. The articles do not represent a complete analysis of the topics presented, and readers should conduct their own appropriate legal research.
Email Security and the Mandatory Cyber Insurance Coverage (Part 2)

Following up on our July 14, 2022 note on the cyber insurance renewal, we have now heard from some of you that your email providers do not offer Multi-Factor Authentication (MFA) on your accounts.

Since 2017 when we first provided cyber coverage as part of our program, it has been refined and expanded based on lawyer experience and conditions within the cyber insurance market. We have had claims here (as have other provinces) and they are increasing in frequency, sophistication and exposure.

A common form of cyber breach is business email compromise. Regardless of how access is gained - phishing where attackers bait you into providing your password, leaked credentials from previous breaches or through brute force attempts to guess your password - once a criminal has access to your data, they can exploit your clients’ trust – and trust funds.

MFA coupled with email filtering and strong passwords has proven to be effective at preventing this form of breach. The three work together, not in isolation:

  1. MFA requires you to prove that you are the person attempting to log in by using a second point of contact such as your cell phone or an alternate email address;
  2. Email filtering prevents malicious emails from reaching your inbox or leaving your outbox by identifying any that contain potentially malicious attachments and embedded code; and
  3. Strong passwords that are critical to online security. Passwords should be unique and difficult for people and algorithms to guess. They should contain upper and lower case letters, numbers and symbols. Given the number of passwords we must keep track of, password managers such as Dashlane, LastPass, or 1Password are useful tools for both personal and business use.

These are now viewed by cyber insurers as minimum standards of protection that businesses, including law firms and lawyers, should have in place.

Accordingly, effective July 1, 2022, the mandatory cyber insurance program now excludes claims that could have been prevented by the presence of either of these key tools. Other claims may still be covered.

If you are using a service provider that does not offer MFA or email filtering, it is strongly recommended that you migrate to a service that does. Services that include and support these features are Microsoft 365 and Google’s ‘Gmail for Business’. 

Other solutions are available so we also recommend that you work with an IT specialist to select an email service that works for you and gives you the necessary cyber protection tools. In addition to helping you migrate to that new system (if that has to happen), an IT specialist will help you to redirect your email to it so that long time clients can still contact you at which time you can advise of your new address.

It is unfortunate that some email providers do not provide these features as some of you may have been using those services (and addresses) for many years. Though they may offer these features in the future, the fact is that over the last few years, the risks to law firms of not having these protections has increased exponentially.

This is not to say that even with these protections you will not suffer a cyber attack or a loss. It is only to say that businesses must take steps to make these attacks as difficult as possible to execute. Given that these protections are now conditions in the policy, it is our responsibility to advise you of them.