The Changing Face of Cyber Risk for Law Firms

Uploaded on 2015-07-07 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

AAEAAQAAAAAAAAKfAAAAJDE0Y2IxMDM4LTljZGEtNGVlZS1iYzExLTlhYmZiNmVjNjFjMQ.jpg

 Source: Marsh's 2014 Global law Firm Cyber Survey

While cyber is not yet seen as the most significant risk law firms face, the sudden nature of an attack and the detrimental effects it poses means it is increasingly being written into risk management efforts as a rising priority. Law firms will no doubt remain a target of choice for cyber criminals due to the frequent and sizeable transfers of monies, which they can attack. Equally, there is high value, commercially sensitive and individual net-worth sensitive data that is attractive to criminals, all needing to be protected.

Cyberattacks are getting more and more sophisticated by abandoning the well-known methods of malware, ransomware and hacking attacks, and getting more granular in their approach. We're seeing examples of internal phishing where a hacked internal email is sent from the "managing partner" to the financial controller asking for payment to be made. In this scenario it is easy to ask the financial controller for their confidentiality on the subject as the payment may not be appropriate for firm-wide awareness.

The SRA and The Law Society are both concerned about this risk because no one really understands what the limits to cybercrime are. Underwriters are also beginning to ask a lot of questions around the procedures firms have in place in regards to their tracking of money and release of funds. Worryingly, there is no real defence if a transfer is hacked and diverted into the wrong account; the money will be gone and insurers have to pay. 

Cyberattacks can hit a firm hard and fast and the solutions will need to be found incredibly quickly. For conveyance, for example, underwriters are going to struggle with the pressure to replace the monies in the chain to avoid loss of deposits. Although PII covers such eventualities, this is an increasing concern for underwriters as losses can be considerable and growing as a percentage of their overall losses. If the trend continues it cannot be long before this aspect of cover comes under pressure and insurers start discussing its potential removal from the SRA's Minimum Terms and Conditions. Replacing this with separate insurance will have serious cost implications for firms.

No industry is as prepared for cybercrime as insurers would like and law firms are no exception despite their susceptibility. Aside from the Insurance costs, the outcomes of a cyberattack can involve reputational damage, regulatory investigation fines and business interruption, which could be injurious to the financial position of the firm. 
Although it is encouraging that law firms now acknowledge the seriousness of cyber risk, this acknowledgement needs to be converted into the implementation of preventative measures. Willis's Risk Barometer survey highlighted that small to medium-sized firms are struggling with this issue more than those with greater resources. Smaller firms can be more susceptible to cyberattacks due to smaller IT budgets, and the side effects of an attack, like business interruption, could be far more crippling for a smaller firm.

In short, cyber exposure is not just a significant risk in its own right; it can be the first domino in a chain of events. It is an enabler, amplifier or accelerator of existing risks that firms face. Investigating how to improve cyber risk management procedures and staff awareness is now just another box that needs to be checked.
Whilst many law firms rely on just the proposal form when renewing their PII, providing additional information can greatly assist negotiations and may achieve a better outcome. Underwriters need to fully understand what the firm does and what procedures they have in place to mitigate risk: if an underwriter is unaware of the good work you do to prevent claims occurring, a law firm could be paying a considerably higher premium than necessary. Additional information should be provided on the following key areas:

    1. What the firm does/Aspirations for growth etc.
    2. Conveyance analysis
    3. Clear claims information and summaries
    4. Disciplinary and compliance
    5. Risk Management - (including an awareness of cyber risk. To fail to display a clear awareness of cyber risk is to ignore one of the underwriters' biggest concerns at the moment.)
    6. Financial stability - still a concern for insurers

What exactly should a broker be doing for their client? It will come as no surprise that the Willis Risk Barometer indicated that a poor relationship with the incumbent broker is the biggest reason for changing to a different one; a bigger issue than cost. Some law firms may not be aware of how extensive (or otherwise) their broker's services can be and could be missing out on an array of services and advice, which would benefit their practice.

The best route to the PII market is with a broker that understands and meets the firm's specific needs. As with personal insurance, quick-fix low-rate online PII can easily be found and many would treat their PII as they would their car insurance. Many want the cheapest price available and they do not fully understand what is on offer. There are still many firms with unrated insurers even though alternative, piece proximate A-rated insurers may be available.

A law firm's relationship with their broker will depend on the specific needs of the firm itself. Some will require international capabilities but many do not. It is recognised, however, that large firms and small firms alike will have a better experience the more they engage with their brokers from day one. Good brokers can provide risk advice, take firms through their day-to-day claims process, engaging throughout the renewal process, provide input on strategy, review draft documents and attend conferences with the counsel to ensure their client's interests and reputation are protected at all times. If you have a claim that approaches your total limit of indemnity you'll certainly be pleased to know you have a quality advocate on your side.

In conclusion, the solicitors' working environment is constantly changing and many are looking at mergers and acquisitions of firms, teams, or lateral hires. It is important, therefore, that firms have a broker that can respond to this dynamic environment and provide cost-effective risk structures in the short and long term. Equally, they need to have the experience and excellent access to a wide range of insurers, which allows them to respond quickly when a firm wishes to seize an opportunity to further the firm's strategic plans.
Managing Partner:  http://bit.ly/1gjnZqi

 

« China tightens grip over the Internet
The Future Of Algorithmic Personalisation »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Resilient Information Systems Security (RISS)

Resilient Information Systems Security (RISS)

RISS is a research group is in the Department of Computing at Imperial College London.

Alan Turing Institute

Alan Turing Institute

Alan Turing Institute is the UK national institute for data science. A major focus is Big Data analysis with applications including cyber security.

Insta Group

Insta Group

Insta are a trusted cyber security partner for security-critical companies and organizations.

ITC Secure Networking

ITC Secure Networking

ITC are a leading cloud-based MSSP delivering service innovation in cyber security analytics & cloud technology.

SwiftSafe

SwiftSafe

SwiftSafe is a cybersecurity consulting company providing auditing, pentesting, compliance and managed security services.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

THEC-Incubator

THEC-Incubator

THEC-Incubator program is designed for international and ambitious tech startups in the Netherlands. Areas of focus include Blockchain and Cyber Security.

Duality Technologies

Duality Technologies

Duality Technologies combine Advanced Cryptography with Data Science to deliver High-Performance Privacy-Protecting Computing to Regulated Industries.

Capital Network Solutions

Capital Network Solutions

Capital Network Solutions are a highly accredited managed IT services and consultancy provider, specialising in cyber security, infrastructure and communications.

Dutch Institute for Vulnerability Disclosure (DIVD)

Dutch Institute for Vulnerability Disclosure (DIVD)

DIVD's aim is to make the digital world safer by reporting vulnerabilities we find in digital systems to the people who can fix them.

MyCISO

MyCISO

MyCISO is the World’s first SaaS application that will vastly simplify security management for all.

Novacoast

Novacoast

Novacoast helps organizations find, create & implement solutions for a powerful security posture through advisory, engineering, development & managed services.

NAK Consulting Services

NAK Consulting Services

NAK is helping organisations to create Secure, Agile IT Environments. Our goal is to be the trusted advisor and managed service partner for our clients.

LastPass

LastPass

LastPass provides award-winning password and identity management solutions that are convenient, effortless, and easy to manage.

Paragon Cyber Solutions

Paragon Cyber Solutions

Paragon Cyber Solutions provides specialized security risk management and IT solutions to protect the integrity of your business operations.

Radius Technologies

Radius Technologies

Radius Technologies is trusted by progressive SMEs to deliver world-class cloud, IT solutions, IT and data security, and telecoms systems.