In an era dominated by digital transformation, the legal landscape finds itself perched on the precipice of cyber risk. As law firms increasingly digitise their operations, the allure of efficiency and convenience is accompanied by a lurking threat: the ever-evolving realm of cyber threats.
For years, solicitors have retained a reputation of being an appealing target for cyber criminals looking to exploit the vast amount of sensitive client data and client monies they hold. The Solicitors Regulation Authority (SRA) along with the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) continue to remind solicitors of their role in reducing cyber risk, and particularly ransomware risk – the biggest online threat to the UK. Therefore, it’s vital that firms understand what they can do to reduce the risk of a cyber attack.
Ransomware payments on the rise
Ransomware has become more problematic due to the value in extorting and publishing sensitive data. In the past, ransomware attackers would typically infiltrate a firm’s computer systems and encrypt data, in the hope that the subsequent operational disruption would encourage those firms to pay a ransom demand. However, if a firm had back-ups in place (or at least, back-ups that weren’t compromised during the attack), they could often recover data without paying the ransom demand.
To improve their leverage in ransom negotiations, cybercriminals have now started to exfiltrate data during ransomware attacks, which they can then threaten to publish online. As a result, even if a firm has back-ups in place, the potential reputational damage caused by having their data published online may make them more inclined to pay the ransom demand. This is a particular vulnerability for legal firms, given the volume of records and personal information held.
Evidence suggests this strategy is working. The cybersecurity firm, Sophos, revealed that ransomware payments have nearly doubled in the past year, with UK companies paying more than the global average. They found that average ransomware payments globally rose to $1.5m, up from $812,000 the previous year. By contrast, the average payment made by UK organisations stood at $2.1m.
The NCSC has also raised concerns about the expected rise in ransomware with artificial intelligence (AI), and how the use of AI can impact the efficacy of firms’ cybersecurity operations.
The impact of ransomware risk transfer – a claims case study
Ransomware attacks are devastating and can happen in an instant. One simple click of a link in a hacker’s email can potentially inflict serious operational and financial harm. In one example, a solicitors’ services firm suffered an elaborate ransomware attack in which all its computer systems and data were encrypted, including customer data. The ransomware also encrypted the company’s backups. Unable to afford the ransom demand, the company contacted its insurer. Within minutes, the insurer’s security incident response team made contact with company employees to diagnose the damage and minimise further loss.
In less than 24 hours, the response team worked with the claims team to secure ransom demand on the company’s behalf, and to facilitate the decryption of the company’s files. A member of the incident response team was then present onsite to help restore the company’s files, perform forensics, enabling the company to return to full operations. The total time to resolution was 48 hours from the initial compromise. Please note that this is not always the case, and, in some instances, recovery can take weeks to restore a company’s system fully.
Fortunately, the client’s cyber insurance policy covered the business interruption loss, the forensic and data restoration costs, as well as the cyber extortion itself.
Cyber security best practice – minimum controls for law firms
In response to this heightened risk landscape, leading experts in both insurance and risk management argue that investing in robust cybersecurity measures is not a luxury, but a strategic necessity. The cost of a cyber breach, both in financial and reputational terms, far outweighs the initial investment required to fortify digital perimeters.
As such, certain cyber hygiene standards which were merely recommended a few years ago are now considered mandatory across the board. Before they are willing to offer a quotation, insurers will undertake an in-depth assessment of a firm’s cyber security infrastructure to ensure minimum cyber security controls are in place, such controls include:
- Multi-factor authentication (MFA) – this is the first control an underwriter will look for and remains the first hurdle to securing cover. Remote network access, admin accounts, third-party remote access, and email user accounts. However, MFA alone will not be enough to meet insurers’ minimum standards.
- Endpoint detection and response (for the smaller entities Antivirus and firewalls which are updated at least quarterly).
- Data Backups – Ensure backup integrity (including encryption, air-gapping, secure (preferably offline) platforms, appropriately tested restoration) conducted on a weekly basis and held offline or offsite.
- Training – ensure all staff awareness cyber training including regular phishing simulations, protocol re safe use of portable devices, limited use of public Wi-Fi, and security controls for videoconferencing on an annual basis.
- End of life systems – segregated from the rest of the network.
- High Severity Patches – all critical patches implemented within 30 days.
- Email filtering software to scan incoming emails for malicious links or attachments.
- Passwords – ensure appropriate password management software with strong passwords required for admin rights.
There are also preventative and detective controls which are important and should be considered. These include:
- Privileged Access Management Software – ensure strategies and technologies are in place to control privilege.
- Business Continuity Plan – ensure a BCP is in place which address network outages, off-line communications, and data recovery protocols.
- Monitoring Capabilities – either through an SIEM or an internal team that is alerted on a 24/7 basis of any suspicious activity.
All insurers have different appetites and market strategies, so it is not one size fits all, however, the above controls provide a set of standards and are deemed good business practice to have in place.
Law firms should not be daunted by the above list, but rather take this as a positive opportunity to understand what controls they currently have, and what they may need to implement to improve their security. To satisfy cyber insurers, it’s important that law firms instil a culture of cybersecurity awareness at every level of their organisational hierarchy.
Resilient cyber security infrastructures are less likely to be compromised by cyber risks. As cyber exposures have increased in recent years, so have premiums. Accordingly, establishing a resilient cybersecurity infrastructure is the best and only method for reducing cyber insurance premiums.
Conclusion
Unfortunately, the cyber risk landscape for UK law firms is not a distant storm on the horizon, it’s a current reality, and the ever-evolving threat remains a challenge that all firms must meet. The implementation of a robust cyber risk management plan helps to mitigate risks, protect your balance sheet, preserve your reputation, and facilitate growth within your firm.
For more information, please visit our Cyber or Solicitors page, or contact:
Nicola Anthony, Risk Manager
Jack Bassett, Assistant Vice President