
MANAGE YOUR CYBER RISK WITH THIS CYBER DEFENCE CHECKLIST

CYBER RISK CHECKLIST

Cyber risk management is an important requirement of the SRA Principles but what items should be on a firm's cyber defence checklist?


Cyber risk management is an important - if not explicit - requirement of the SRA Principles. But what exactly is required, and what items should be on your cyber defence checklist?

Cyber risk is a growing and increasingly significant risk facing law firms. Worryingly, firms do not always realise that they have been subject to a cyber attack and, even when they do, concern for reputational exposure often prevents them from disclosing the details. This makes it impossible to quantify how many law firms have fallen victim.

Whilst not explicitly stating so, the SRA Principles 2011, specifically Principles 4, 8 and 10, require law firms to seriously consider cyber risk. Every law firm should establish the risk, the impact it could have on its clients and its business, and should consider the extent to which that risk could be transferred via insurance.

Principle 4 requires law firms to protect the personal and confidential information of clients.

Law firms hold significant personal and confidential information in their case files. Firms also hold personal information in respect of partners and staff. Such personal information can include:

  • names;
  • addresses;
  • telephone numbers;
  • bank accounts;
  • credit card details.

Solicitors have a duty to protect such information. Some insurance protection will be offered by the firm’s professional indemnity (PI) insurance policy; however, the firm will still have to deal with losses that stem from loss of employee personal data, notification costs, and credit monitoring costs.

Principle 10 requires firms to protect client money and assets.

The role solicitors play in client transactions and the fact that solicitors often have control over substantial sums of client money makes the profession a particularly attractive target for cyber criminals.

How many deals do you seal via email? It is commonplace for solicitors to use emails to accept and validate instructions from clients. Without the proper systems in place, such emails can be intercepted by fraudsters, who then provide false bank account details and instruct the solicitor to pay monies to a different bank account.

Principle 8 requires firms to run their business with proper governance and sound financial and risk management principles.

In order to meet this requirement, cyber risk needs to be on the agenda and should be the responsibility of the management board, rather than delegated to the IT department. Additional risks to consider include the reputational risk to the firm and the impact on the business of not being able to use the IT system.

Given that GCHQ estimate 80% of cyber attacks could be prevented by following best practice, it is clear that cyber risk should be central to any risk management policy. Solicitors should also consider specific cyber insurances, rather than rely on their PI policy, in order to transfer many of the risks and provide support services in the event of a breach of cyber security.

Cyber defence checklist

We would recommend firms looking to minimise their cyber risk exposure work their way through the checklist below:

  • Hire an expert
  • Update processing systems
  • Upgrade firewall & virus protection
  • Encrypt sensitive data
  • Employ 'bring your own device' rules
  • Conduct penetration tests
  • Procure cyber insurance
  • Develop a crisis response plan

Discuss cyber risks

If you have questions regarding your potential cyber exposure, please contact:

    Mark Carver
    020 7481 2781
    mark.carver@chancerypii.co.uk