Posted by Aaron Naisbitt, sales director at Legal Futures Associate CTS [1]
Naisbitt: You need to audit and assess potential vulnerabilities
Cyberattacks against the legal sector are on the rise – it is not a question of whether a cyberattack will occur, but when and how bad it will be. When it does, having cyber-insurance can help your organisation recover and get back to business quicker.
It is vital that you accurately audit and assess your firm’s or chambers’ potential vulnerabilities, building a detailed picture of your cyber-risks and your ability and preparedness to manage them. Carrying out this kind of research can be a daunting and time-consuming task. However, it can be very insightful when structuring your cyber-security strategy, as well as being useful when buying cyber-insurance for underwriting purposes.
Be prepared – follow our checklist below to ensure you are ready to open a dialogue with a cyber-insurance provider at any time.
Build your business profile
Collating general information about your law firm or barristers’ chambers will provide insight into the degree to which your business is at risk of a cyberattack, and therefore, allow the insurer to provide the most suitable cover for you.
To assist your insurer to build a profile of your business, you should offer information on what sector you operate in, what types of products and services you offer, who your clients are, your annual turnover and how much you set aside for your IT security budget.
The legal sector deals with highly sensitive and confidential data and information. In order to assess how at-risk this data may be, insurers will need to know what category of and how much data is managed, where it is stored, who within the business is responsible for handling data, what cyber protection measures are in place, and how you work to comply with any relevant regulations.
Additionally, the development of a risk profile will enable you to identify possible areas of risk before an event happens. Certain technologies can enable better risk management, such as optimising case management systems to include fields and tags which will support you to collate the aforementioned information in a centralised database and monitor any changing trends or potential risks.
Identify exactly what data you are required to collect to insure your business, and the data you will need to provide if you were to make a claim, then build this into your CMS. This will speed up time spent reacting to a breach or cyberattack and recovery of any data lost.
Consider the human component
The human component is a vital element on cybersecurity, and so, you must have the ability to demonstrate that your firm or chambers has cybersecurity training embedded into your business’s culture.
Due to the amount of human error, the insurer is likely to want to learn about how your operational teams are managed and trained on cybersecurity, as well as how they handle sensitive data such as client records and documentation.
This information can act as a key indicator to the insurer of your practice’s ability to mitigate damages and/or losses brought about by employees.
Set aside a budget and be aware of changing premiums
Solicitors Regulation Authority figures show that, in the first half of 2020, around £2.5m had been stolen from law firms via cyber breaches – more than three times the amount reported in the first half of 2019. This has led to higher cyber-insurance premiums, which have increased by an average of 32% [2] since last year.
Keeping abreast of any changes to prices will enable you to plan your budget effectively. As with cybersecurity, a cyber-insurance budget should be carefully planned and included within your IT strategy to ensure that you are fully prepared and able to protect your sensitive data.
Make a detailed record of all your IT systems
For the insurance company to understand the level of insurance protection required, you should create a map of all your IT systems both inside and outside of your business, as well as what data is located within these systems.
Additionally, information on your different networks demonstrates how networks are segmented, network security measures, levels of redundancy, and access controls to server rooms, which will show how prepared you are if an outage or breach were to occur.
Finally, it is important to inform the insurer about what policies are in place for the management and upkeep of your networks and systems, particularly when it comes to updates and maintenance, as this will complete the overall picture of your firm or chambers’ ability to face any potential cyber risks.
Preparing all this information will not only aid your discussion with your insurer, but also give you in-depth insight into how prepared your legal practice is when it comes to cyber risks, both in terms of preventing them and of reacting appropriately and effectively should an incident occur.
Find out how you can shape your IT strategy for law and plan for the future by visiting https://cts.co.uk/solutions/cyber-protection/ [3]