
By Joanne Cracknell | May 14, 2021

In this article, we will look at how law firms can minimise their risk of the ever increasing exposure to cyber attacks.

The ever-evolving threat facing the legal profession

Cyber crime continues to rise in scale and complexity and remains a constant challenge to the legal profession. Law enforcement agencies have issued stark warnings about the increase in cyber attacks as a result of the coronavirus pandemic (COVID-19). An assessment by Interpol during the early stages of the pandemic identified that cyber criminals' targets had shifted: they were focusing on major corporations, governments and critical infrastructure rather than on individuals and small businesses [1].

Reasons why law firms are targeted

Law firms and their clients are considered attractive targets by cyber criminals because of the potential to access vast sums of monies held in both client and office accounts, as well as confidential and sensitive information held about their businesses and their clients. Data and money are extremely valuable commodities to cyber criminals.

Over recent years technological advancement has become a priority for many law firms, yet some still viewed it as a 'nice to have'. However, the importance of a firm's IT infrastructure was thoroughly tested in March 2020 when lockdown restrictions were imposed at the beginning of the coronavirus outbreak (COVID-19). These restrictions expedited IT investment programmes so that businesses could support their entire workforce and their clients remotely at very short notice.

The Solicitors Regulation Authority (SRA) reported an increase of 400% in cyber attacks at the beginning of the first lockdown [2]. This was considered to be a consequence of cyber criminals taking advantage of people increasingly working under extreme pressure and not being as focused on cyber security as they usually would be.

A survey carried out by PwC of the top 100 law firms examining the key challenges facing the legal profession in 2020 [3] highlighted cyber risk as the second largest threat facing the profession, with COVID-19 holding the top position.

The findings of the survey suggested that overall, 71% of the firms surveyed said they were “somewhat concerned” or “extremely concerned” about the cyber security threat. However, cyber risk was ranked the largest threat for the top 11-25 law firms.

How law firms can minimise their risk of a cyber attack

Effective cyber security should be an integral feature of every business's strategy, objectives and budget, regardless of sector and size. Having an effective cyber security regime is a key component of understanding and managing risk effectively. The C-Suite should be fully aware of the cyber threats to their business and have a real understanding of its potential exposure.

Despite the stark warnings from government bodies and law enforcement agencies, and although cyber crime is a growing risk which has accelerated during the pandemic, the implementation of robust and effective cyber security governance is still not being appropriately prioritised within the legal profession. This is highlighted by the findings of the PwC survey, which stated that only 22% of the top 100 law firms have established a cyber committee which reports into the team or committee responsible for governance. Alarmingly, the figure is 0% for the top 10 law firms and 9% for the top 11-25 law firms.

In December 2020 we saw the US tech company SolarWinds fall victim to a cyber attack [4], when its Orion software product was compromised, giving the attackers access to the systems of thousands of public and private sector organisations. More recently, on 7 March 2021 the European Banking Authority fell victim to a cyber attack which exploited a vulnerability in Microsoft's Exchange email system, potentially compromising the data of business and public-sector clients [5]. These incidents show that size and status offer no protection against cyber criminals.

Law firms must take the necessary steps to minimise their exposure to cyber attacks, especially as such incidents are becoming increasingly sophisticated, as the recent high profile and large scale attacks demonstrate. The consequences of being the victim of a cyber attack can be complicated and costly, with implications not only for data protection, regulatory compliance and finances, but also reputational damage, and the added concern of whether there is insurance cover for such an event.

It is therefore important that law firms implement effective and robust cyber security incident response policies, controls and procedures in order to minimise their exposure to cyber risks. These should be kept under constant review and tested regularly to ensure that they remain effective and adequate.

It is arguable that technology is evolving faster than legislation, which helps criminals adapt and stay one step ahead of law enforcement. In order to at least keep pace, the private and public sectors need to work together and have effective tools in their armoury to fight cyber crime.

Continuous education and awareness are considered to be the most powerful tools available, and this is recognised by the SRA. Whilst there is a heightened awareness and understanding of cyber security risks as a result of increased news coverage of high profile cyber security breaches, and the increasing prominence of cyber security in people’s personal lives, regular training for all members of staff, even at senior management level, is essential to establishing a strong cyber awareness culture.

In 2018 the National Cyber Security Centre (NCSC) published its 10 Steps to Cyber Security guidance [6] (10 Steps), which is still current. The NCSC considers that defining and communicating a firm's cyber risk regime is essential to the overall cyber security strategy. Firms may want to use the 10 Steps as a refresher for their cyber risk training programme.

As we start moving towards the easing of restrictions, now is a good opportunity to take the time to reassess your cyber security strategies and review your policies, controls and procedures in order to assess and test their efficacy. You may want to consider utilising the resources and guidance made available by the NCSC, the SRA, the Law Society and the Information Commissioner's Office (ICO) on their websites when carrying out the review. Doing so will help you identify whether any revisions and further resources are needed as we move into the next phase.

There is also merit in testing the IT systems' backups to make sure they are fully functioning, in ensuring that the latest anti-virus software is installed and constantly running on all systems and mobile devices, and in ensuring that any security vulnerabilities are patched as soon as practically possible after the patches are released.

Summary

A report published last year analysing data breaches reported to the ICO identified that human error caused 90% of cyber data breaches in 2019 [7]. Furthermore, the latest data security incident figures from the ICO [8] suggest this is still the case. Over half of the non-cyber-related breaches reported to the ICO by the legal sector were caused by human error, with the most common causes being data emailed, posted or faxed to an incorrect recipient.

Therefore, it is helpful to frequently remind everyone to:

  • Only open emails or download software/applications from trusted sources
  • Do not click on links or open attachments in unexpected emails or emails received from an unknown sender
  • Use only strong and unique passwords, which should be changed regularly
  • Avoid including bank account details in email correspondence
  • When working from home, do not allow children and other family members to use work devices, to ensure the confidentiality of sensitive information is maintained and to minimise the risk of accidental deletion or modification of information or, even worse, accidental infection of the device
  • Discuss any concerns with the firm's Data Protection Officer

The key to minimising the risk of a cyber attack during these challenging times is to remain vigilant. As mentioned above, continuous education and awareness, together with senior management engagement, are vital to maintaining a cyber aware culture.

Footnotes

[1] Interpol. (2020). INTERPOL report shows alarming rate of cyberattacks during COVID-19. Retrieved from the Interpol website: https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19

[2] Solicitors Regulation Authority. (2020). Cybercrime. Retrieved from the Solicitors Regulation Authority website: https://www.sra.org.uk/solicitors/resources/cybercrime/

[3] PwC. (2020). Embracing change to succeed: PwC Law Firms' Survey 2020. Retrieved from the PwC website: https://www.pwc.co.uk/industries/law-firms/law-firm-survey-report-2020.pdf

[4] Willis Towers Watson. (2021). Retrieved from the Willis Towers Watson website: https://www.willistowerswatson.com/en-GB/Insights/2021/01/client-alert-solarwinds-cyber-incident

[5] BBC News. (8 March 2021). European Banking Authority hit by Microsoft Exchange hack. Retrieved from the BBC News website: https://www.bbc.co.uk/news/technology-56321567

[6] National Cyber Security Centre. (2021). 10 steps to cyber security. Retrieved from the National Cyber Security Centre website: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

[7] National Cyber Security Centre. (2020). Weekly threat report: Report claims human error is major cause of UK breaches. Retrieved from the National Cyber Security Centre website: https://www.ncsc.gov.uk/report/weekly-threat-report-7th-february-2020 and via https://www.cybsafe.com/press-releases/phishing-dominates-uk-cyber-threat-landscape-shows-analysis-of-latest-ico-figures/

[8] Information Commissioner's Office. (2021). Data security incident trends. Retrieved from the Information Commissioner's Office website: https://ico.org.uk/action-weve-taken/data-security-incident-trends/

Author

Joanne Cracknell, Associate Director - Finex PI UK Legal Services