Associate director Bristol +44 (0) 117 376 2195
Cyber-crime is now a fixture of the virtual landscape, with new channels constantly being created to extort victims as quickly as defences are put in place.
In addition to ‘traditional’ cyber-crime, offences committed today are often predicated on the value of information, either to its owner, their clients or the criminals themselves.
As holders of significant amounts of client money and repositories of valuable confidential information, law firms are attractive targets for cyber criminals. A high-profile breach saw the IT systems of several US law firms penetrated. In at least one case, the firm was unaware that hackers had been intercepting price-sensitive non-public information about pending M&A for several months, essentially enabling the hackers to carry out insider trading undetected.
While it’s impossible to be 100% secure, protecting your firm against the vast majority of low-level, opportunistic cyber-attacks need not be particularly technically challenging or expensive. All firms need to be aware of what their critical information is and how to protect it.
Firms should consider building a relationship with a cyber security consultancy that can help to assess their resilience, assist in preventing breaches and prepare them to get back up and running quickly after an attack.
Loss of revenue caused by an attack can be mitigated with insurance cover, but reputational damage is much harder to fix if the response to the attack is badly managed. It’s important to have a strategy in place, including how to communicate with clients, key stakeholders and the media in case of an attack.
The vast majority of cyber-crime occurs because of inadequate security processes, poor password discipline or clicking on links that install malware. Some firms fall victim to disgruntled former employees who are still able to access systems. Using strong passwords, regularly reviewing who still has access, switching on the security features already available and giving staff basic training will stop most of these types of attack.
All firms will need to comply with the EU General Data Protection Regulation (GDPR), which comes into force in May 2018. Non-compliance could mean hefty fines and potentially severe reputational damage (fines of up to €20m or 4% of global annual revenue are possible).
Obligations are also increased around the handling of personal information, creating appropriate processes and procedures, and strict reporting requirements in the event of a data breach.
One major requirement will be notifying the Information Commissioner’s Office as well as affected individuals within 72 hours of a security breach.
Loss of revenue caused by cyber-crime can strike a blow, but reputational damage will have a longer term effect on the bottom line. Those that are able to guard against attacks and act effectively in the event of a (perhaps inevitable) breach will regain trust the fastest.