The Changing Face of Cyber Risk for Law Firms

AAEAAQAAAAAAAAKfAAAAJDE0Y2IxMDM4LTljZGEtNGVlZS1iYzExLTlhYmZiNmVjNjFjMQ.jpg

 Source: Marsh's 2014 Global law Firm Cyber Survey

While cyber is not yet seen as the most significant risk law firms face, the sudden nature of an attack and the detrimental effects it poses means it is increasingly being written into risk management efforts as a rising priority. Law firms will no doubt remain a target of choice for cyber criminals due to the frequent and sizeable transfers of monies, which they can attack. Equally, there is high value, commercially sensitive and individual net-worth sensitive data that is attractive to criminals, all needing to be protected.

Cyberattacks are getting more and more sophisticated by abandoning the well-known methods of malware, ransomware and hacking attacks, and getting more granular in their approach. We're seeing examples of internal phishing where a hacked internal email is sent from the "managing partner" to the financial controller asking for payment to be made. In this scenario it is easy to ask the financial controller for their confidentiality on the subject as the payment may not be appropriate for firm-wide awareness.

The SRA and The Law Society are both concerned about this risk because no one really understands what the limits to cybercrime are. Underwriters are also beginning to ask a lot of questions around the procedures firms have in place in regards to their tracking of money and release of funds. Worryingly, there is no real defence if a transfer is hacked and diverted into the wrong account; the money will be gone and insurers have to pay. 

Cyberattacks can hit a firm hard and fast and the solutions will need to be found incredibly quickly. For conveyance, for example, underwriters are going to struggle with the pressure to replace the monies in the chain to avoid loss of deposits. Although PII covers such eventualities, this is an increasing concern for underwriters as losses can be considerable and growing as a percentage of their overall losses. If the trend continues it cannot be long before this aspect of cover comes under pressure and insurers start discussing its potential removal from the SRA's Minimum Terms and Conditions. Replacing this with separate insurance will have serious cost implications for firms.

No industry is as prepared for cybercrime as insurers would like and law firms are no exception despite their susceptibility. Aside from the Insurance costs, the outcomes of a cyberattack can involve reputational damage, regulatory investigation fines and business interruption, which could be injurious to the financial position of the firm. 
Although it is encouraging that law firms now acknowledge the seriousness of cyber risk, this acknowledgement needs to be converted into the implementation of preventative measures. Willis's Risk Barometer survey highlighted that small to medium-sized firms are struggling with this issue more than those with greater resources. Smaller firms can be more susceptible to cyberattacks due to smaller IT budgets, and the side effects of an attack, like business interruption, could be far more crippling for a smaller firm.

In short, cyber exposure is not just a significant risk in its own right; it can be the first domino in a chain of events. It is an enabler, amplifier or accelerator of existing risks that firms face. Investigating how to improve cyber risk management procedures and staff awareness is now just another box that needs to be checked.
Whilst many law firms rely on just the proposal form when renewing their PII, providing additional information can greatly assist negotiations and may achieve a better outcome. Underwriters need to fully understand what the firm does and what procedures they have in place to mitigate risk: if an underwriter is unaware of the good work you do to prevent claims occurring, a law firm could be paying a considerably higher premium than necessary. Additional information should be provided on the following key areas:

    1. What the firm does/Aspirations for growth etc.
    2. Conveyance analysis
    3. Clear claims information and summaries
    4. Disciplinary and compliance
    5. Risk Management - (including an awareness of cyber risk. To fail to display a clear awareness of cyber risk is to ignore one of the underwriters' biggest concerns at the moment.)
    6. Financial stability - still a concern for insurers

What exactly should a broker be doing for their client? It will come as no surprise that the Willis Risk Barometer indicated that a poor relationship with the incumbent broker is the biggest reason for changing to a different one; a bigger issue than cost. Some law firms may not be aware of how extensive (or otherwise) their broker's services can be and could be missing out on an array of services and advice, which would benefit their practice.

The best route to the PII market is with a broker that understands and meets the firm's specific needs. As with personal insurance, quick-fix low-rate online PII can easily be found and many would treat their PII as they would their car insurance. Many want the cheapest price available and they do not fully understand what is on offer. There are still many firms with unrated insurers even though alternative, piece proximate A-rated insurers may be available.

A law firm's relationship with their broker will depend on the specific needs of the firm itself. Some will require international capabilities but many do not. It is recognised, however, that large firms and small firms alike will have a better experience the more they engage with their brokers from day one. Good brokers can provide risk advice, take firms through their day-to-day claims process, engaging throughout the renewal process, provide input on strategy, review draft documents and attend conferences with the counsel to ensure their client's interests and reputation are protected at all times. If you have a claim that approaches your total limit of indemnity you'll certainly be pleased to know you have a quality advocate on your side.

In conclusion, the solicitors' working environment is constantly changing and many are looking at mergers and acquisitions of firms, teams, or lateral hires. It is important, therefore, that firms have a broker that can respond to this dynamic environment and provide cost-effective risk structures in the short and long term. Equally, they need to have the experience and excellent access to a wide range of insurers, which allows them to respond quickly when a firm wishes to seize an opportunity to further the firm's strategic plans.
Managing Partner:  http://bit.ly/1gjnZqi

 

« China tightens grip over the Internet
The Future Of Algorithmic Personalisation »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

rPeople Staffing

rPeople Staffing

rPeople provides direct placement in all areas of your organization, including and specializing in Technical and Executive hiring.

European Defence Agency (EDA)

European Defence Agency (EDA)

EDAs mission is to improve European defence capabilities. Programme areas include Cyber Defence.

FFRI Security

FFRI Security

FFRI is committed to research and development of preventing the most advanced cyber-attacks and breaches.

Elliptic

Elliptic

Elliptic solve the crucial problem of identity in cryptocurrencies, with the sole purpose of combating suspicious and criminal activity.

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Marvell Technology Group

Marvell Technology Group

Marvell is a semiconductor company providing solutions for storage, processing, networking, security and connectivity.

Secured Communications

Secured Communications

Secured Communications has developed the only unified secure communications platform trusted by public safety and counter terrorism professionals around the world.

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP)

Swedish Incubators & Science Parks (SISP) is the Swedish industry association for Swedish incubators and science parks.

Cyberwatch Finland

Cyberwatch Finland

Cyberwatch Finland's services improve decision-makers’ strategic situational picture and enable successful holistic cyber risk management.

Senteon

Senteon

Senteon is a turnkey cybersecurity platform designed to make securing confidential data affordable, understandable, and streamlined for small-to-mid sized businesses and MSPs.

Acrisure

Acrisure

Acrisure is powered by the best of human and high-tech and offers insurance, reinsurance, real estate, cyber and more solutions to millions of clients around the world.

BlueCat Networks

BlueCat Networks

BlueCat is the Adaptive DNS company. Our mission is to help the world’s largest organizations thrive on network complexity, from the edge to the core.

InnovateHer

InnovateHer

At InnovateHer, our vision is to make the tech sector more equitable, by increasing diversity across the spectrum and creating more inclusive workplaces.

Relatech

Relatech

Relatech is a Digital Enabler Solution Knowledge (D.E.S.K.) Company that offers digital services and solutions dedicated to the digital transformation of businesses.

eGyanamTech (EGT)

eGyanamTech (EGT)

eGyanamTech provides robust security solutions tailored for Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems used in critical infrastructure systems.

DigitalXForce

DigitalXForce

DigitalXForce is the Digital Trust Platform for the New Era – SaaS based solution that provides Automated, Continuous, Real Time Security & Privacy Risk Management.