Losing data or exposing sensitive or confidential information may be the most frightening thing that can happen to a law firm.
Cyber security has become one of the principal concerns for professional practices with seminars, articles and media coverage on a regular basis, covering everything from legal liability to public relations.
The recent “WannaCry” and “Petya” cyber-attack crippled parts of the UK’s NHS as well as other high profile companies with consequent investigations and reputational damage. Aside from upskilling and raising awareness within firms, the practical consequences need to be considered in the context of a firm’s ability to recover from attack and how it responds to disruption.
Cyber security – evidence from our survey
Our 2016/17 survey revealed that cyber-attacks on legal firms were up almost 50% year on year rising from 20% reporting attacks in 2015 to 29% in 2016.
Cyber security is not just about IT, its domain incorporates people, processes, practice and organizational norms and culture. Risks of reputational damage and client expectations of security and privacy are extremely high. It is clear that there is increasing focus on this area with regular media reportage, high profile data leaks and incidents of system and data hacks. Indeed regulatory requirements are a de minimis. There is an expectation firms will keep pace with and have adequate defences and controls in place to mitigate these risks.
Cybercrime is on the rise and is one of the biggest emerging threats facing the legal profession today. British PI insurer QBE reported last year that c. £85 million was stolen from client accounts in the previous 18 months in the UK.
Source: Smith & Williamson Survey of Irish Law Firms 2016/17
An issue of real importance
Cyber-attacks if successful can have significant repercussions. Firms need to be cognisant of the risks to their firm from lax security protocols or untrained staff as well as how to mitigate the impact of an attack.
Top threats to law firms include
Ransomware – where your system is locked down by a cyber attackh and a ransom payment is demanded to unlock your data
Financial fraud – where a cybercriminal poses as a partner or client and through social engineering convinces the unsuspecting party to transfer funds
Data espionage – where the attack is directed at gaining information on a particular client or transaction often during important transactions or litigation.
Indeed practice notes from the Law Society states that “any deficit arising in client moneys held by a practice is the personal responsibility of the partner/principal of the practice, whether caused by a solicitor or staff member or as a victim of cybercrime”1
Analysis of risk requires a review of areas like outsourcing and contractors as well as evaluating the benefits of having a cyber-insurance policy.
According to Paul Wyse, “For any legal practice cyber security is a real burning issue. Practices need to take control of their tech estate to protect themselves and their clients.”
He went on to state, “Paper based law practices are a thing of the past. Control of the firm’s technology and having appropriate cyber security is critical for any well-managed practice. There are solutions out there and professional practices have the opportunity to leapfrog through leveraging best practice already in place in industries like financial services. We wouldn’t expect practices to be spending extravagant amounts on developing a plan and high-tech software. However, we would expect the tech investment to scale and grow as the firm expands and grows.
Cybercrime is a clear and present threat to legal practices in Ireland. Attacks will occur more frequently, and at an increasing rate. Firms need to plan for both mitigation and response as the threat grows, in likelihood and severity.
If you would like more in-depth information on any of the ways we can support and help you, please contact any of our team directly.