Posted by Nigel Wallis, a director at Legal Futures Associate O’Connors Legal Services Limited [1]
Wallis: A more strategic approach to cyber-risk is now required
I’m pretty sure that if you forced 10 cyber-criminals to sit through an average law firm’s IT committee meeting, they’d be turning themselves in to the National Crime Agency before it reached AOB, desperate for some form of stimulus.
Either that, or they’d be in A&E having their heads stitched back on after laughing them off.
This is certainly not a criticism of law firms. It is just a recognition that cyber-criminals are free spirits, without things like client work, regulatory compliance and ethics to distract them from staying 20 steps ahead of their prey.
Even if you are highly attuned to cyber-security and, like me, your heart skips a beat whenever Apple sends you a new software download, the reality is we need to fight fire with fire and adopt an array of methods to protect our law firms from losses arising from cyber-security breaches.
In our work with law firms across the country, we see the many ways in which firms approach cyber-risk. This has led us to the conclusion that a more strategic approach to cyber-risk is now required in order to achieve a more robust and comprehensive solution.
Often it is an IT manager who leads the charge when a law firm is reviewing its approach to cyber-risk, but the ultimate responsibility for this does, of course, remain with the entire management board.
So, it’s important that all law firm managers are familiar with the key issues regarding cyber-risk to enable them to discharge their statutory and regulatory duties when approving a cyber-risk mitigation plan for the law firm.
As the incidence and complexity of cyber-related risk increases, some law firms respond by purchasing a standalone cyber-liability insurance policy (known as cyber-insurance), sticking the policy document in a drawer and hoping never to see it again. But cyber-insurance is only one small part of an effective approach to cyber-risk.
So, here is our suggested five-step plan to help you take a strategic approach to cyber-risk.
Step 1 – Commission a cyber-risk audit
Engage a specialist risk consultant to conduct a cyber-risk audit of your law firm’s systems and controls to identify and advise on any areas of weakness that could give rise to cyber-risk. There are many specialist consultants in the market, some independent and some embedded within the assurance divisions of the larger accountancy firms and insurance brokers.
It is worth carrying out a simple procurement exercise to select the right consultant for your law firm and considering taking independent legal advice on the terms of the consultant’s service agreement.
Step 2 – Commission a legal contract audit
Engage a specialist law firm to review the risk-related contract provisions in your agreements with customers, suppliers, service providers and others to identify and advise on any weaknesses where responsibility for cyber-security has been or is being transferred to another party.
Relevant agreements may be obvious ones – such as IT support contracts – or less obvious ones like those with web developers, marketing agencies and joint venture partners. Use a law firm with proven commercial contract and insurance expertise.
Step 3 – Commission an insurance audit
Engage a specialist insurance broker to review your insurance programme, with focus on cyber and business interruption risks, to identify and advise on any gaps that could benefit from additional or different cover. If appropriate, the insurance broker will be able to recommend specific cyber-insurance products to plug any gaps in your current insurance coverage.
The wording of such policies is critical and invariably benefits from a legal review to assist the insurance broker in negotiating variations to standard wording to eliminate common flaws and tailor the policy for your law firm.
Step 4 – Compile a cyber-risk mitigation plan
Gather the information from these three audits and use it to put together a comprehensive cyber-risk mitigation plan that can be reviewed by your risk consultant, legal adviser and insurance broker. Once approved, the plan can be presented to your management board members.
The plan might include recommendations to your board to seek cyber-related accreditations for your law firm ranging from the basic Cyber-Essentials to the advanced IS0 27001.
The risks highlighted in your cyber-risk mitigation plan should be fed into your firm-wide risk register, your business continuity plan and your data protection procedures. Importantly, any cyber-risk mitigation plan should be reviewed, updated and tested on a regular basis to keep pace with the emerging risks.
Step 5 – Develop a cyber-risk culture through leadership, policies and training
A risk mitigation plan (however well compiled, reviewed, updated and tested) is unlikely to succeed in preventing losses from cyber-security breaches if the culture of your law firm conveys the impression that cyber-prevention is not taken seriously.
Culture is set by the leaders of a law firm, so the message needs to be ‘do as I do’ not ‘do as I say’ and that admitting mistakes is a positive not negative behaviour. Putting in place practical and proportionate policies and procedures for the use of information systems will support and enhance this culture.
But, most of all, good-quality and auditable training of all staff will ensure that everyone understands their obligations to the law firm and to colleagues as well as the consequences of individuals not playing their part.
By following these five steps you should have powerful strategy for managing your cyber-risk on an ongoing basis, fulfilling your management responsibilities and, importantly, safeguarding your balance sheet and stakeholders.