Law firms and cybersecurity:
6 actions you should take following the SRA review

It’s nearly two years since the Solicitors Regulation Authority (SRA) published its thematic review into cybersecurity at 40 law firms. All the firms featured in the study had experienced cybersecurity breaches, often with catastrophic outcomes. Two years on, we are still finding firms who haven’t learned the lessons or implemented the recommendations laid out in the report.


If your firm has yet to take steps to mitigate the devastating impact cyber criminals can have on your business, or you haven’t updated your cyber defences recently, the six key takeaways of the SRA review will give you actions you can take to bolster your cybersecurity provision.

1. Designate a leader to implement a formalised approach to cyber risk management

Responsibility for protecting your firm from cyberattacks is a board-level matter. The SRA review recommends having a high-profile leader in your firm who is responsible for all things cybersecurity, who will make sure the importance of the issue remains front of mind company-wide, and who will ensure the correct protections and procedures are in place.

Disturbingly, the SRA found that some senior leaders in firms who’d suffered cybersecurity breaches could not answer simple questions about the nature of their firm’s cyber defences. Having a designated cybersecurity guru is seen as a way of overcoming these knowledge gaps, with accurate record keeping and the allocation of a specific annual budget for security issues crucial to ensuring a formalised approach to cyber risk management.

2. Know the cyber risks facing law firms

One of the biggest mistakes that firms make, according to the report, is thinking they won’t be the target of a cyberattack. Since the report was published, the ways cyber criminals attack firms have evolved and more and more firms have fallen victim. The dark web has an array of off-the-shelf tools criminals can use to breach defences. The SRA report revealed that the most common ways law firms fell victim to cyber attacks were via:

Since the report, the impact COVID has had on working habits has been even more widespread, with remote working and reliance on cloud-based technology more commonplace, giving cyber attackers more ways to exploit vulnerabilities. So now more than ever, your firm needs to know the risks you face. You need to know how ransomware can infect your systems and the impact it can have on your firm and your clients. You also need to be able to recognise the signs of an email account takeover or of spyware having been installed. Only by understanding the risks you face can you take steps to build defences that secure your firm against attacks.

3. Be aware of the consequences of a cyber breach on law firms

The SRA report revealed that as well as the loss of money and data, cyber attacks frequently had financial and operational implications for law firms. Loss of fee-earning and management time was one such impact, with one firm reporting losses north of £150,000 in billable hours. Other devastating consequences included clients losing money, trust in law firms being eroded, substantial increases to insurance premiums, limited or total loss of access to IT systems and an increase in stress levels to people across the firm. We’re all too aware of the fear and disruption cyber breaches can cause, and with ransomware payments averaging £262,000 in Q4 2021, it’s clear to see that the size and scale of the impact of cyber breaches is huge.

4. Appreciate the important role people and governance play in cybersecurity

Technology-based changes to your cyber defences, via software upgrades, system configurations and vulnerability scans, are certainly good ways to boost your firm’s defences. But they are not the only way. The biggest cyber risks law firms face come from the actions your employees take day to day. These actions are often linked to how aware they are of the cyber threats their firm faces. Most attacks are against people, so educating them about the risk can turn your biggest weakness into your best defence. The SRA report revealed that many breached firms had inadequate policies and procedures in place and had failed to provide proper awareness training, ultimately paying a high price for these shortcomings.

5. Take responsibility for cybersecurity away from IT Support

The SRA discovered that 75% of firms who had experienced a cyber breach had placed responsibility for cybersecurity on their IT support team. While it’s an understandable move given the technical complexity of the issue, effective cybersecurity requires the skills and insights of specialist security professionals. The report warns against reliance on outsourced IT providers for security and recommends regular reviews of systems, processes and policies, ideally by independent specialists.

6. Familiarise yourself with your legal obligations

A final key takeaway of the SRA review concerned the legal and regulatory obligations law firms have for cybersecurity under the relevant Code of Conduct and Accounts Rules. Legal practices must operate in full accordance with the requirements of governance and risk management. Client funds and data must be protected, as must the personal data of clients and the firm’s staff. Risk assessments, the provision of training to staff, cybersecurity procedures and policies, and technical vulnerabilities all need to be formally documented to prove compliance, and these records must be regularly reviewed and updated.

Two years on from the SRA’s review, many firms are taking action to protect themselves from ever-changing threats. But only by staying up to date with these threats, and by making sure the issue of cybersecurity is given the prominence and funding it needs, can firms hope to stay as safe as possible in the face of the criminals’ ever more complex methods of attack.
