How good are your cyber defences?

Cyberattacks are rising, and the effects can harm smaller law firms. Brian Boehmer, partner at Lockton, says cyber insurance is becoming increasingly important, but ensuring prevention is vital

Practices of all sizes are vulnerable to cyberattacks, but for smaller practices, the impact of a successful attack can be severe, leading to potentially devasting financial and reputational damage. Smaller practices are also typically the most vulnerable, with little or no dedicated cybersecurity and IT support. Instead, reliance on external providers creates a larger third-party risk, making it difficult to assess whether they have the appropriate controls in place. The risk of accidental internal data breaches presents another challenge, and one that is set to grow as more practices opt to incorporate ChatGPT and other artificial intelligence tools into their work.

We’re seeing attacks become more advanced, as cyber criminals deploy ever-more sophisticated software to gain access to data, be it through phishing emails, malware, or ransomware attacks. According to a report from the National Cyber Security Centre, published in June 2023, nearly three-quarters of the UK’s top 100 law firms have been affected by cyber-attacks, while for smaller firms, the risk of incidents is on the rise.

Legal practices make them a particularly attractive target for cybercriminals. Firms are routinely entrusted to handle confidential, commercially sensitive, and personal information, all of which can be valuable to criminal organisations. The loss of billable hours and increased costs to clients means that attacks against practices can be costly. This makes them an attractive target for ransomware gangs, who seek to extort money in return for restoring service.

Given the rising threat facing the sector, cyber insurance has become increasingly important to professional indemnity (PII) insurers in recent years. While there is an element of coverage afforded under the Solicitor Regulation Authority’s (SRA) Minimum Terms and Conditions, there is no first-party coverage provided should a cyber event cause a financial loss to a client. Despite this, there is an expectation from many of the leading insurers that each practice should have a separate cyber policy in place. For some insurers, failure to evidence this could result in an additional charge, up to as much as 10-15% of the PII premium.

Yet, while cyber insurance is an important security measure, it cannot rule out a cyberattack, nor does it offer complete protection against reputational harm. Instead, having in place effective cyber resilience measures can help to prevent the occurrence of a successful attack and ensure timely detection, which helps to limit the extent of its effects.

Priorities here include implementing multi-factor authentication (MFA), regularly backing up data, and installing Endpoint Detection and Response (EDR), which alert security teams of any malicious activity. Practices should also ensure any employee devices are regularly patched with the latest updates and provide training to help identify and reduce the likelihood that employees fall victim to a cybercriminal. Not only will these measures help to protect against a cyber breach – they can also have a positive impact on the cost of cyber insurance.