Facing down cyber risk – senior chambers’ leaders must step up to counter a growing threat.

Cyber risk management is a critical senior leadership responsibility, due to the escalating cyber threat landscape and the profound impact of cyber incidents on business operations, reputation, and financial stability. A ransomware attack can bring a business to an abrupt halt and, in some instances, close it down.


The legal sector is an obvious target for attacks, given the high volume of confidential data being handled and the consequences for practitioners of being locked out of systems. It is hardly surprising that so many victims feel forced into paying the ransom demand when so much is at stake.

Barristers operate within a unique business structure. There is no doubt that the marrying together of a central business core, providing a variety of services to many self-employed individuals, can present real challenges when it comes to assessing, and then controlling, cyber risks. And with the best will in the world, working by committee is not always the most effective or speedy way of getting things done.

But cyber risk management is critically important and it must be tackled. Without proper controls in place, the behaviour of one individual can destroy the reputation of the whole set. Whatever the arrangements in your chambers, someone at senior level must assume responsibility for the management of cyber risk, in order to safeguard sensitive information, maintain operational continuity, and protect all stakeholder interests. The ICO and all regulators require this too. For anyone in any doubt about their obligations, the decision in the Interserve case (October 2022) should make for very interesting reading.

A fatal error which we have seen too many times is leaving cyber risk management to your IT support. That simply does not cut it. Proper cyber risk management is a sophisticated, standalone discipline. It covers so much more than just technology. It requires a comprehensive ongoing programme, with formal risk assessments, policies and procedures, and staff training.

Good cyber governance should include obtaining independent assurance from a cyber security specialist: someone who will assess and provide visibility of your cyber risks (having regard to your set-up), determine the measures appropriate to control those risks (having regard to the level of centralised authority) and give you ongoing assurance that the controls you put in place continue to be effective.

There are two key aspects to this:

  • Independence – because having IT mark their own homework is a nonstarter when it comes to good risk management.
  • Expertise – because cyber security is complex and ever-changing, and you need a specialist who understands your business structure and the current methods of attack, as well as your legal and regulatory obligations.

Cyber breaches do not result from bad luck. A serious breach means that someone at the most senior level has failed to understand what was required to protect their chambers and has not done their job properly. And if you haven’t yet assigned responsibility to someone at a senior level, you may be living on borrowed time.
