Aon | Professional Services Practice
Release Date: September 2022
Law Firms and Cyber Interruption – How Do You Measure and Prove a Loss of Revenue?
As discussed in the Professional Services Practice’s “Looking Ahead: Top Risks Facing Professional Service Firms in 2022 and Beyond”, cyber-attack/data breach was the top-rated risk facing firms in 2022. Business interruption was rated 4th in the same Global Risk Management Survey. A significant component of the costs associated with these risks originates from network interruptions.
Establishing the Amount of Revenue Loss Due to a Cyber Event
One of the major drivers of cyber event claims cost is the loss of revenue. This is particularly the case with ransomware, in which the initial network outage of 2-4 weeks is typically followed by a period of 6-8 weeks of varying levels of interruption as systems are remediated and brought back online and critical data is decrypted and restored. The latest quarterly update from Coveware, one of the leading ransomware negotiation consultants, indicates that in Q2 2022 the average downtime from a ransomware event was 24 days (up 25% from Q4 2021).
Given these timelines, and the rate at which files are corrupted during the decryption process, it is often a significant amount of time before the firm can start operating at close to full productivity.
Even after systems are remediated, longer-term effects of the outage can continue to depress revenue realization for months. Whether these longer-term effects are covered by insurance will depend on the definition and duration of the period of restoration in the policy itself.
Ultimately, following a cyber event involving a network outage, it takes detailed and complex forensic accounting analyses to establish a revenue loss figure for an insured.
The following points outline the major issues that are considered in these analyses for law firms:
1. Deferred Revenue:
- The lag between work completed, time-recording, billing and revenue received means that for the initial period of interruption revenue will continue as normal as clients pay invoices that were already submitted. This means that it will be days to potentially weeks before any material revenue loss is seen.
- In the case of work completed but not time-recorded, and time-recorded but not invoiced, invoices will be held up, but once they are issued the revenue will be received as normal. The cyber incident delays receipt of payment but the revenue is deferred, not lost.
2. Frictional Effects:
- For work that is in progress, there will be operational friction, meaning that, especially for time-sensitive work, lawyers will have to contrive workarounds and work longer hours, use personal devices, complete some processes manually and so on. As with the items in 1 above, this means that current engagements will continue to generate revenue. Although time-recording and invoicing may be delayed, the revenue is unlikely to be lost.
- However, delays and friction in completing work mean that revenue may not be received in the usual cadence and the firm may have to concede lower billing rates to compensate for frictional effects. The knock-on effects of these issues may slow the performance of work generally and erode the revenue line below its normal level, creating a lost revenue delta.
3. Onboarding Effects:
Certain systems are crucial to onboarding new work (particularly conflicts) and if these systems are offline, engagements cannot be accepted, or the acceptance process takes much longer to complete. This impacts prospective work and reduces future revenue:
- Existing clients turn to other firms or take the work in-house when the firm cannot promptly accept new, urgent matters.
- New and prospective clients who cannot be onboarded while the conflicts system is down may decide to place the work with other firms that are able to quickly respond. As the firm informs clients and prospective clients of the reason for delays, it tends to rapidly become public knowledge which in turn can chill prospective clients from considering the firm for time-sensitive new matters.
- The firm’s attorneys have less time to prospect for new clients because of the frictional effects and the extra time it takes to complete current work during the network outage (see item 2, first bullet). Their work on current matters is less efficient and takes longer, relying on manual processes or other workarounds because their usual digital resources are unavailable. They will also spend more time on compliance and on double-checking work that must be completed manually. Even if the attorneys are able to prospect new opportunities, they may not be able to onboard the work because conflicts and other key systems are down.
4. Extra Expense:
- The firm will incur extra expense in various areas, particularly on paying non-exempt IT and administrative staff working overtime to remediate systems and complete processes manually. The firm may also have to utilize alternative technology platforms and rent physical facilities with systems available for depositions, video conferencing, etc. – all at additional cost.
5. Reduced Expense:
- The calculation should also include factors that may create savings, although these are usually minimal. They include savings from staff furloughed or laid off, contract workers not used, and even reduced electricity usage with systems powered off and building occupancy reduced. It is also possible that high value / high margin work can be prioritized, and lower margin work selectively purged, resulting in revenue profile improvements.
The reduced and lost revenue from the impacts described in 2 and 3 above will depend on the duration of interruption and the nature of the impaired business functions or processes. For example, an unavailable conflicts system will have a sustained impact on revenue the longer the system remains down.
The length of the system interruption is also a crucial factor in determining the loss amount, and the loss of revenue will not be proportionate to this duration. Initially revenue will continue to be received normally, with a certain amount of revenue being deferred (as noted in 1 above). However, as the period extends beyond a certain point, actual decreases in revenue commence, which can increase exponentially with time. As the period of interruption extends, the cadence of revenue-generating work slows: existing matters are completed and all invoiced work is paid, but new matters are not onboarded and future work is not prospected, resulting in a potentially rapid drop in the revenue line.
In events that have triggered a material interruption to systems we have seen this dynamic result in significant loss of revenue for large law firms.
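The five components above, and the non-proportional relationship between outage duration and loss, can be turned into a simple day-by-day scenario model. The following Python block is an added illustration, not part of the Aon article or any Aon tool: every parameter value (daily revenue, billing lag, friction rate, onboarding ramp, expense figures) is a constructed assumption chosen to make the mechanics visible, and the model is deliberately stylized. It also serves the later point about estimating revenue loss from scenarios built on different total downtimes.

```python
"""Stylized business-interruption model for a law firm network outage.

Added example, not from the article. Encodes the five components discussed
in the text: (1) deferred revenue, (2) frictional effects, (3) onboarding
effects, (4) extra expense, (5) reduced expense. All figures are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    daily_revenue: float          # normal revenue realised per working day (assumed)
    outage_days: int              # days core systems (email, DMS, conflicts) are down
    billing_lag_days: int         # work -> time entry -> invoice -> cash lag (item 1)
    friction_rate: float          # share of daily revenue eroded by workarounds and
                                  # rate concessions on in-progress matters (item 2)
    onboarding_ramp_days: int     # outage days before lost intake shows in revenue (item 3)
    onboarding_growth: float      # additional share of daily revenue lost for each day
                                  # past the ramp, so cumulative loss is super-linear (item 3)
    extra_expense_per_day: float  # overtime, alternative platforms, rented facilities (item 4)
    saved_expense_per_day: float  # furloughs, unused contractors, power (item 5)


def model_loss(s: Scenario) -> dict:
    """Return the loss components for one scenario, rounded to cents."""
    deferred = frictional = onboarding = 0.0
    for day in range(1, s.outage_days + 1):
        # Item 1: work is still performed (net of friction) but billed late.
        # That revenue is deferred, not lost, so it is tracked separately.
        deferred += s.daily_revenue * (1.0 - s.friction_rate)
        # Item 2: the frictional share is revenue the firm will not recover.
        frictional += s.daily_revenue * s.friction_rate
        # Item 3: lost new-matter intake grows each day past the ramp, capped
        # at a full day's revenue.
        past_ramp = max(0, day - s.onboarding_ramp_days)
        onboarding += min(s.daily_revenue,
                          s.daily_revenue * s.onboarding_growth * past_ramp)
    extra = s.extra_expense_per_day * s.outage_days      # item 4
    saved = s.saved_expense_per_day * s.outage_days      # item 5
    lost_revenue = frictional + onboarding
    return {
        "deferred_revenue": round(deferred, 2),
        "frictional_loss": round(frictional, 2),
        "onboarding_loss": round(onboarding, 2),
        "lost_revenue": round(lost_revenue, 2),
        "extra_expense": round(extra, 2),
        "saved_expense": round(saved, 2),
        "net_loss": round(lost_revenue + extra - saved, 2),
        # Item 1 again: cash from pre-incident invoices keeps arriving for the
        # length of the billing lag, so no loss is *visible* before this day.
        "first_visible_loss_day": s.billing_lag_days + 1,
    }


def loss_by_duration(base: Scenario, durations: list[int]) -> list[tuple[int, float]]:
    """Re-run the same scenario for several outage lengths (scenario-building)."""
    return [(d, model_loss(replace(base, outage_days=d))["net_loss"]) for d in durations]


# Constructed baseline: the 24-day outage matches the Coveware average quoted
# in the text; every other value is an assumption for illustration.
BASELINE = Scenario(
    daily_revenue=1_000_000.0,
    outage_days=24,
    billing_lag_days=10,
    friction_rate=0.10,
    onboarding_ramp_days=7,
    onboarding_growth=0.02,
    extra_expense_per_day=50_000.0,
    saved_expense_per_day=5_000.0,
)

if __name__ == "__main__":
    for k, v in model_loss(BASELINE).items():
        print(f"{k:>24}: {v:,}")
    # Doubling the outage more than doubles the net loss in this model.
    for days, net in loss_by_duration(BASELINE, [6, 12, 24, 48]):
        print(f"{days:>3} days -> net loss {net:,.0f}")
```

The point of running several durations through `loss_by_duration` is the one the text makes: deferred revenue and extra expense scale roughly with the outage length, but the onboarding term accelerates, so a 24-day outage produces well over twice the net loss of a 12-day one under these assumptions.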
Impact on Decisions About Insurance Limits
Can a loss be predicted and calculated well enough to estimate appropriate limits of insurance? Certain costs and losses associated with a cyber event can be estimated through scenario-building, including:
- Breach counsel, incident response services, crisis communications and other professional advice
- Remediation costs and extra expense, including equipment replacement
- Loss of revenue, using different scenarios based on total downtime and recovery periods for key systems such as email, document management and conflicts.
However, there are other material costs that are less predictable and potentially exceed the costs above, for example:
- Extortion payments – we have seen numerous extortion payments in the region of $5 million but are aware of payments reaching tens of millions of dollars.
- Cost of compliance with statutory notifications associated with a breach of PII/PHI. These costs are generally proportionate to the number of records stolen and can be very significant, potentially eroding cyber insurance towers worth hundreds of millions of dollars. The average costs associated with a breach involving theft of PII (including breach counsel and remediation but excluding extortion and revenue) appear to be between $5 and $10 per record.
- Fines and penalties and mass tort litigation – developing regulations and privacy statutes that introduce statutory damages or statutory standing are contributing to an increasingly unfavorable environment for firms that, from business necessity, host large quantities of PII and PHI.
According to the NetDiligence Cyber Claims Study 2020, the largest professional service firm cyber loss exceeds $120 million. The presence of volatile and unpredictable factors in cyber events makes the process of choosing an appropriate limit of insurance extremely difficult. Aon’s benchmarking indicates that premium spend tracks more closely to firm revenue than selection of limit, indicating that economics are a significant factor, although the correlation is not particularly close, and the recent volatility of the cyber market has further complicated the picture.
Benchmarking against peer firms is a popular measure but a more analytical approach for selecting limits uses an external provider to assist with the forensic accounting and scenario-based impact analysis of a cyber event to establish parameters around the predictable costs (Aon Cyber Solutions has such a service offering). The firm can then use benchmarking and cost-benefit judgement to address the unpredictable elements of loss described above and decide on how much additional limit is appropriate to address the overall risk.
This conundrum is challenging to all firms, particularly as the costs of insurance have escalated in the last year, focusing more attention on the issue. There is no simple answer to the problem, but Aon has resources and benchmarking that can assist a firm with making better decisions.
The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.
Managing Director, Aon Cyber - Stroz Friedberg