Lindsay Hill, CEO at Mitigo, lists nine ways in which a cyber attack can seriously disrupt your law firm, and why you shouldn’t solely rely on cyber insurance to protect yourself.
All law firms are now a target for cyber criminals. And make no mistake, cybercrime is well organised and sophisticated, using state of the art techniques. If you do not have properly tested defences in place, it is no longer a case of if you’ll be hit, but when.
We have seen many firms suffer as a result of confusing cybersecurity with IT support, thinking that Lexcel or the Cyber Essentials Scheme will keep them protected, or naively believing that they are not a target. The consequences will be more serious and costly than you might imagine.
Here are some examples of the way a cyber incident can affect your firm.
Stress to management
It is no exaggeration to say that we have seen senior partners and other senior management have sleepless nights as a result of an attack on their firm. Imagine discovering that all your confidential internal and client emails have been spied on for months and then intercepted to divert a significant payment. Or, that all your clients have just received a virus-infected email from your firm. Or, that all your business data and systems have been encrypted by ransomware, disrupting your entire operation.
These are some real life examples of what you might face if you are breached. Imagine then having to sit in a partners’ meeting to explain this to your colleagues. The same questions get asked. How were we not protected by proper risk management arrangements? What was the COLP doing? Why did the COO not get the defences tested? Why were our legal obligations ignored (this includes undertaking and documenting a data risk assessment; testing the technology; providing cyber-awareness training; putting in place policies and procedures; measuring the effectiveness of all these things on an ongoing basis; and record keeping)? Usually, it is the senior management who are targeted and breached, which makes the discomfort even worse.
Financial and identity theft
The dramatic rise in remote email account takeover is worrying. The initial attack may be automated and indiscriminate. Once you are breached, the criminals are willing to be patient, and will watch for opportunities to strike. As well as serious data loss, the consequences can include significant interception and redirection of payments, both from and to firms. Stolen money is moved quickly and is rarely retrievable.
The theft of credit / debit card details is also common, often as a result of making a payment on a fraudulent website. Identity theft is a similar concept, with attackers compromising a user’s online account to allow them to perform actions in their name. Funds moved in small amounts build up, yet can go undetected for weeks. All of these examples are happening on a daily basis.
Ransomware
When malicious software locks up all your data and systems, it can bring your business to an abrupt halt. Many firms assume that their regular backups will allow them to get back up and running quickly – but they are usually wrong, because the backups will not have been configured by a security specialist. As Travelex discovered, it can take many days or weeks to restore.
Ask yourself what it would cost you if your systems were down for a week, and you were reduced to pen and paper (as Travelex was)? How would you transact business in any department? It is no surprise that firms feel forced to pay the ransom, often measured in tens of thousands of pounds (often in bitcoins). But even if you pay, there is no guarantee you will be given the keys to decrypt the data or that the criminals will not return.
Complete loss of data or theft of data
We have seen cases of partial or complete loss or corruption of client and other personal and business data. Imagine having to deal with the theft or loss of commercially sensitive information belonging to your firm, or even worse, your clients.
Incident investigation and management
We have seen firms waste literally hundreds of hours of partners’ and fee-earners’ time in dealing with the investigation and management of a cyber breach. Expensive outside experts usually have to be brought in to identify the cause of the breach, the extent of the loss of personal and other confidential information, and the remedial action required. Much time is often spent reviewing reporting obligations and then explaining the situation to the SRA, the ICO, colleagues and clients affected. Sometimes, PR advisers may be needed.
Damage to technology or software
Hackers may disable technology and software, or render it unsafe to use. It can be costly to find and fix the problems or replace what has been damaged.
Loss of your clients and your reputation
Lose your hard-won reputation and you lose almost everything.
Trust is a crucial part of your relationship with clients. And loss of their personal and confidential information, or your ability to progress or complete their transaction, can destroy it. Remember, depending upon the nature of the incident, you will have an obligation to tell your clients exactly what went wrong, the extent of the breach of their information, and how you are putting it right. It is the larger clients, especially, who will reconsider instructing you in future, if you have shown that you cannot be trusted with their confidential information. Damage to your reputation can also affect relationships with third parties.
Regulatory penalties and fines
The SRA and the ICO will not be impressed if you have not, as a minimum, complied with your legal obligations for cybersecurity or taken the security of your clients’ information seriously. Fines are on the rise. Expect the ICO, which is ramping up its enforcement activity, to show its teeth.
Class action compensation claims
Individuals now have the right to seek compensation against data controllers (and processors) who fail to comply with their security obligations. This will provide fertile ground for a new breed of claims companies; indeed, we have already seen the emergence of a new claims industry, with a number of class actions already launched. Clients or third parties affected by the breach may claim for consequential financial loss.
The assurance that independent cyber protection brings is a crucial part of risk management. Cyber insurance will not give you back all your time, build your reputation back up, restore the lost trust (internal and external), replace the lost clients, or prevent the sleepless nights.
Lindsay Hill is CEO of Mitigo. He is a solicitor and experienced CEO, who has spent 30 years as a specialist in legal & regulatory compliance and business risk management, including legal obligations for cyber and data security (including GDPR).