- Legal Futures - https://www.legalfutures.co.uk -

Cyber threats in 2020

Posted by Brian Rogers, regulatory director for digital learning and compliance at Legal Futures Associate The Access Group [1]

Rogers: Make cyber-risk a board-level issue

Cyber-risk will continue to be a major risk for all law firms in 2020 due to the sensitive nature of the information they hold, and the substantial amounts of client money held by over 7,000 of them.

The Solicitors Regulation Authority has told firms that they should ask themselves, ‘When will we be targeted by online criminals, not if?’

This clearly puts firms on notice of the threat, so if they don’t take sensible/reasonable steps to protect themselves and their clients from harm, they could face regulatory action and professional indemnity insurers reserving their positions on cyber-related claims.

The threat

The recent tensions between Iran and the US have increased the risk of cyber-attacks, with experts warning of attacks by Iran against American financial institutions; this could widen to other American businesses and their advisors, including law firms. Any law firm handling American clients or transactions should review its cyber-security plans and ensure its business continuity plans are updated accordingly.

The UK defence secretary recently suggested that, rather than recruiting 1,000 new people for the infantry, the Army should recruit 1,000 new hackers instead; other countries have already done this!

One law firm we have worked with suffered a cyber-attack so sophisticated that it stopped the firm accessing not only its live data but also its backup data; had the firm not been able to reconstitute its client data from hardcopy files, it would probably have had to close down.

It was found that the attack was initiated by a foreign government, which was not interested in the client data but just wanted to disrupt parts of the UK economy.

An additional issue to consider is Microsoft's withdrawal of support for Windows 7, which will leave PCs still running it vulnerable to attack if they are not updated to a newer version.

Key cybersecurity risks in 2020

Cyber-risks seen as major threats to law firms in 2020 include:

Cybercrime is a clear and present danger and it could have a catastrophic impact on firms and their clients if appropriate plans are not put into place to stop it.

Law firm attitudes to cyber-risk

In its report Adapting to a new world, published in 2019, PwC found that 76% of the top 100 law firms were “somewhat concerned” or “extremely concerned” about cyber-security.

It found that firms had identified “improving use of technology” and “standardising and centralising business processes” as priorities, with many seeing technological change as a significant challenge for them in the following years.

These views also reflect how smaller firms do or should view cyber-risk; they may not have the same funding or resources as larger firms but the risks remain the same and, if they materialise, could impact them in a far more catastrophic way.

It was only a few years ago that we saw a cyber-attack on one of the largest law firms in the UK which led to it being unable to function properly for weeks afterwards, leading to reputational damage, regulatory focus, potential claims for negligence, etc.

Investment in technology has been lacking over previous years, with PwC finding that some firms are heading towards a pinch-point where they need to play catch-up; this could leave them exposed to cyber-threats in the interim.

As in previous years, the SRA has included cyber security in its 2019/20 Risk Outlook, but this year it has tied information security to the same risk; this is a reminder that, when you have a cyber-attack, you also need to think about your data protection obligations and whether a report will need to be made to the Information Commissioner’s Office.

The SRA’s new Standards & Regulations lay down a number of obligations that you should consider in relation to cyber-risk: Principles 2 and 5, requirements 3.2, 4.2, 6.3 and 7.2 for solicitors, and 2.1, 2.5, 4.2, 5.2, 6.3, 8.1 and 9.1 for firms.

You also need to consider whether your cyber-crime prevention measures are sufficient to meet the expectations of your professional indemnity insurer; they could reserve their position on claims if they can see that losses occurred as a result of your firm not taking reasonable steps to prevent client information from being accessed or money being stolen.

Action you can take to mitigate the risk of cyber attacks

Cyber-crime is a clear and present danger for law firms and it could have a catastrophic impact on them and their clients if appropriate plans are not put into place to stop it. Now is the time to review plans if you already have them, or to put in place plans if you don’t.

Criminals are acting now so you need to do so as well.

The Access Group offers e-learning on practical cyber security awareness [2].