2015 is the year that Law firms, both large and small, need to address the ever-growing threat of cyber crime. Hackers are already targeting Law firms, and this is not by accident. Cyber criminals are fully aware of the valuable data and monies that pass through a solicitor’s system and are targeting their vulnerabilities. The reality for Law firms is that it is not a question of if it will happen, but when.
The financial costs of a major cyber attack, both in terms of business continuity and reputational damage, are likely to ripple through the industry with the potential for large insurance claims resulting from high value actions against Law firms. As such, Law firms should ask themselves: what are the recent trends in cyber losses and insurance coverage? How have the significant losses transformed cyber into a board issue? What cyber cover do I have? And is there a road map for those who are insured?
It’s not just the role that lawyers play but also the trust placed in the relationship between the client and the lawyer that means lawyers often hold highly sensitive and valuable information and data, which they are expected to protect at all costs. It is, therefore, hardly surprising that Law firms are at significant risk, as both they and their clients are being targeted for the information they hold, leaving them both vulnerable to attack. Having this trust broken by the loss or accessing of this confidential and sensitive information can have potentially devastating reputational effects for a firm.
Law firms sit in the middle of the information chain. Often Law firms have email chains and documents revealing a company’s strategy (including weaknesses) in multi-billion-pound litigation cases, company trade secrets, commercially sensitive (often legally privileged) information as well as intellectual property. Holding this sensitive personal information, Law firms are becoming hugely concerned with what might happen to their clients’ data if accessed by unauthorised persons and what measures they need in place to protect themselves.
Ryan Senior, Executive Director, Professional Services Group, Aon added: “No business is immune to cyber crime. Whilst the industry is taking steps to pull together and share information, it still remains that few in the legal profession really fully understand the extent of the threat cyber crime presents to their business. As Law firms continue to hold increasing amounts of client sensitive information electronically on servers that are controlled by third parties, it may be a mistake to assume that the security measures in place provide an impenetrable barrier to those seeking to gain unauthorised access to your systems. The question is whether Law firms are prepared to assure their clients that they are genuinely safe custodians of their valuable information, and if the answer is no, they need to urgently put the necessary security in place.”
The Law Society has implemented a consultancy to advise firms on the risk of cyber attacks, but what still remains a fundamental issue is one of senior management taking responsibility to ensure they have the correct insurance in place to protect the Law firm from potential claims from their clients in the event of a nightmare scenario. The financial sector has recognised that cyber protection is not simply an issue for the IT departments, but sits alongside the Risk management department and ultimately needs to be addressed at senior management level. Parts of the legal profession may, at times, have overlooked cyber crime as a material issue to their business. This may be underestimating the potential ramifications of cyber crime on their business.
Individuals running any business, including Law firms, can be held responsible for not implementing adequate data protection measures. Firms have the obligation to recognise, actively engage and invest in the necessary products their business requires to safely process and protect the data entrusted to them. Failure to ensure appropriate safety measures are adopted may also open up the possibility for your clients to bring lawsuits against the firm and the individual partners. In response, insurance companies are offering professional indemnity products such as Directors & Officers’ policies that provide cover as well as joint and individual liability cover with specialised cyber insurance.
Clients of law firms are placing more scrutiny on the companies they use and questioning what protective measures they are putting in place to protect their commercially sensitive information. As Ryan adds, “Companies are increasingly requiring their Law firms to provide not only the reassurance that their information is safe, but that they can show an understanding of what the threats are as well as the protective measures they have put in place. This is where your insurer and your insurance broker should be working with you to demonstrate their thought leadership and guidance on the emerging exposures and coverage issues. As part of this, Law firms will need to build a security model into their business model design, that is seamlessly integrated into every device at every layer to provide that reassurance.”
The impact of cyber crime on any Law firm is one not only of cost, but of the reputational damage it may cause, and it can also threaten the continued operation of their business. As regulators from both Europe and the US continue to mount pressure on companies and their advisors to ensure that they have adequate cyber security measures in place, they need to demonstrate that they are actively taking steps to protect client data. Law firms will also be aware that in certain jurisdictions they may need to proactively notify the relevant government agencies of serious breaches. Additionally, Law firms will be acutely aware of the proposed EU General Data Protection Regulation. The potential for tough new regulatory standards around mandatory breach disclosure, the requirement for data protection officers and the potential for hefty fines of up to £100m in Euros or 5% of the company’s annual revenue* will need to be factored into any Law firm’s risk management approach.
With the now widespread use of The Cloud by legal firms as a chosen method for storing client data, firms could become increasingly vulnerable to the ransomware variants that compromise installed security software and target the clients that subscribe to the cloud-based solutions.
As mobile devices, such as tablets and smart phones, increasingly become the devices of choice, data protection will be ever more challenging as these devices are in some cases more likely to suffer attacks. In addition, the way some Law firms now use social media, third party outsourced information technology vendors and data analytics to drive sales, raise efficiency and decrease costs can leave many of these companies exposed to unprotected third party infiltration.
One of the many challenges, especially to small Law firms, is the need to constantly review and update their IT systems. This can be a costly exercise, either through getting specialist consultants in, or for larger firms, ensuring their own IT staff are sufficiently trained and up-to-date. Their role is no longer simply about managing systems, given the fact that many sophisticated attacks can go undetected for a significant period of time. Whilst the cost of preparing your business for a potential cyber attack may be great, it will be outweighed by the cost of having to repair it.
With cyber liability being a concern for many businesses, too many law firms believe that the investment in IT alone will reduce their need to be insured and, as such, insurance cover within the profession is not that common. Working with your insurance broker and your insurance company will not only identify and help quantify your risks, but help identify where your security gaps are and the potential threats. This in turn will better enable you to have an incident response plan. By looking at putting a financial contingency plan in place, this could better protect you if and when you make a claim under your insurance policy.
By demonstrating the lengths you are taking to protect yourself against cyber attacks, clients will have greater faith in the security of their information when it is sent to you which may potentially give you a competitive advantage. It will also allow you to benchmark your cyber risk management systems and ultimately ensure your business is sufficiently financially cushioned (provided you have appropriate insurance in place). By preparing a comprehensive and accurate representation of your cyber risk management, your insurance broker may negotiate favourable terms and conditions on your behalf with insurers.
The Government launched the Cyber Security Kite Mark back in 2014 as part of a wider project to demonstrate that the UK is safe for business. For those Law firms looking to work with the Government departments, they will need to hold a cyber security kite mark. However, it is broadly being touted that businesses will soon need to make sure they are demonstrating their commitment to cyber security and at the very least being ISO27001:2013 compliant.
When discussing Cyber Liability Cover with your insurance carrier, it is important to know whether the cover they offer includes first party and third party coverage, loss or damage to digital assets, business interruption from network down time, cyber extortion, theft of money or digital assets as well as security and privacy breaches, investigation costs following a breach, customer notification costs and loss of third party data. It is also worth looking at the ‘service offering’ that comes with a cyber policy. This gives the insured a response plan in the event of a breach (24/7), including access to IT forensic security specialists, PR consultants and legal experts etc. (which, subject to the terms and conditions, should be covered under your policy). Ideally, there is only one number to call and these specialists will work with the firm to make sure they respond to incidents as soon as possible. Time is critical with all potential cyber security breaches. It may help to mitigate any third party liability if you act quickly and decisively in such circumstances.
Something firms should be mindful of when reviewing cyber insurance are the exclusions in the policy wording. Policies may exclude cover for patents, trade secrets, refunds owed by the breached entity and liquidated damages, known network security vulnerabilities and unencrypted devices such as laptops, tablets and mobile phones.
Many critical coverage issues are often not negotiated. These can include the choice of counsel and third party outsourced vendors who may have deleted exclusions for lack of patch upgrades/unencrypted data/devices. At a very basic level, a Law firm’s information security policy needs to be combined with risk management and its technology framework and then presented to their board or managing partners for review and sign off. The reality, to all involved in the field of cyber crime, is that companies struggle to stay ahead of the game. Hackers have the advantage of growing with technology and being adept at quickly adapting to new products, infiltrating companies and remaining invisible. However, Law firms do have the choice to better secure their clients’ information. Knowing the challenges Law firms face and the associated risks, those who ignore the fast paced growth of cyber threat do so at their own peril. With ever-greater client, Government and regulatory expectations, now is the time to act.
Source: Cardiff & District Law Society (http://www.cardifflaw.org/home.php?page_id=4&show_news_item=327)
If you require assistance regarding any Cyber crime matters, please contact us on 02920 484 550 and receive expert advice from one of our legal professionals.