Cyber risk and incidents remain a regular feature in news headlines around the world, most recently illustrated by the colossal breach of Panamanian law firm Mossack Fonseca. The threat is so wide ranging that tackling the subject and deciding how to mitigate the risk can be a real challenge for solicitors.
In some ways the term "cyber" has been helpful in raising awareness of technology-linked risks but at the same time this term can be confusing when it comes to identifying what the related risks are. If national governments and global financial institutions have yet to agree the scope of cyber risk (there is no comprehensive framework for the risk assessment of cyber catastrophes), then there should be a healthy dose of sympathy for a typical solicitor’s firm trying to do the same.
One simple view of “cyber risk” is to break it down into two concepts: operational and informational risk.
Operational cyber risk arises out of a firm's unprecedented reliance on electronic systems and the devastating effect on business that can occur when those systems are interrupted or interfered with. In January, Lincolnshire County Council lost access to its systems for over a week following a fairly unsophisticated cyber attack.
In February 2016, as part of a seminar on cyber business interruption, we considered a case study involving a fictional law firm called Uber Law which fell victim to a malware attack and suffered 3 days of interruption as it had to rectify 300 infected computers. You can watch a summary of the case study here, and the entire seminar here.
The financial losses suffered by law firms due to operational cyber risks are typically not insured under the Minimum Terms and Conditions, driving demand for new dedicated cyber coverages either as standalone policies or as an “add-on” to existing policies.
Informational cyber risk arises out of the legal and commercial risks attaching to data and information. Solicitors' firms are no different from any other company in holding ever increasing volumes of electronic data.
The massive data breach suffered by Mossack Fonseca grabbed headlines around the world and demonstrated the informational risk that solicitors' firms carry not only for their clients, but for their clients' clients. For many years, cyber security commentators have warned that professional services firms, including solicitors, are high risk targets because they act as "aggregators" of sensitive information.
The Panamanian breach and other high profile data breaches in the UK have served to highlight how unacceptable it is for companies not to have a clear understanding of what data they hold, what they are doing with it, and how it is secured. One security commentator remarked that Mossack Fonseca showed an “astonishing” disregard for security.
When considering the operational and informational aspects of cyber risk, it quickly becomes clear that cyber is a risk that can only be mitigated, not eliminated. Therefore, companies should also prepare and rehearse for cyber and data breach incidents, and even consider purchasing cyber insurance coverage.
The following precautions may help minimise the risk of a data attack:
- Ensure there is appropriate vetting of employees with access to confidential data;
- Require employees to change passwords frequently;
- Use additional layers of IT security for those accessing data remotely such as home workers;
- Ensure IT is properly managed and overseen by senior IT members responsible for an efficient and modern system (adopting the best security practices available);
- Ensure appropriate IT education is given to staff;
- Restrict which employees/officials can access the entire internal system;
- Spread data across multiple infrastructures to limit the impact of a leak; and
- Prepare an incident response plan setting out how the firm will respond in the event the system is attacked.