Cyber risk management is a critical senior leadership responsibility, due to the escalating cyber threat landscape and the profound impact of cyber incidents on business operations, reputation, and financial stability. A ransomware attack can bring a firm to an abrupt halt and in some instances close it down.
The legal sector is an obvious target for attacks, given the high volume of confidential data being handled, and the consequences for practitioners of being locked out of systems. It is no surprise that so many victims feel forced into paying the ransom demand when so much is at stake.
All senior business leaders have a responsibility to manage their cyber risk to safeguard sensitive information, maintain operational continuity, and protect stakeholder interests. The Information Commissioner’s Office and regulators including the SRA require this too. The Law Society, the Conveyancing Society and the National Cyber Security Centre are all urging firms to review and reinforce their cybersecurity arrangements. The Government has issued a draft Cyber Governance Code of Practice aimed at executive and non-executive directors and other senior leaders, which highlights that cyber risk should have the same prominence as financial or legal risks.
Leaving cyber risk management to your IT support simply does not cut it. Proper cyber risk management is a sophisticated, stand-alone discipline covering much more than technology alone. It requires a comprehensive programme, with formal risk assessments, policies and procedures, and staff training.
Good cyber governance should include obtaining independent assurance from a cybersecurity specialist – someone who will assess and provide visibility of your cyber risks, determine the measures appropriate to control those risks, and give you ongoing assurance that the controls you have in place continue to be effective.
There are two key aspects to ensuring success:
Independence – because having IT mark their own homework is a non-starter when it comes to good risk management.
Expertise – because cybersecurity is complex and ever-changing, and you need a specialist who understands your business structure and the current methods of attack, as well as your legal and any regulatory obligations.
Cyber breaches do not result from bad luck. A serious breach means that someone at the most senior level has failed to understand what was required to protect their firm and has not done their job properly. And if you haven’t yet assigned responsibility to someone at Board level, your business really is living on borrowed time.