Why your chambers’ cyber risk management cannot be replaced by cyber insurance.

Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Knowing the distinction between cyber risk management and cyber insurance is essential.


So you think buying cyber insurance means you will avoid a major nightmare?

You’ve bought a cyber insurance policy to help protect your chambers against devastating cyber attacks. It looks comprehensive, so you can finally sleep at night. But before you get too carried away, is that really the case? Many organisations which have been victims of a cyber attack held cyber insurance policies. That cyber insurance did not prevent them from becoming the next victim. Of course, you will be glad you had the policy if the worst does happen, but it is essential to understand the difference between cyber risk management and cyber insurance. Simply put, cyber insurance is the transfer of the residual risk that remains once you have taken the right steps to manage your cyber risks in the first place. That includes carrying out proper cyber risk assessments and implementing robust cyber security controls.

What is not covered by cyber insurance?

There is no substitute for having proper cyber risk management in place. Cyber insurance may allow some costs to be recouped, provide cyber specialists to help deal with the immediate crisis and may even allow payment of a ransom demand in some cases, but there is a range of issues that cannot be resolved by simply putting insurance in place.

Difficulties that we have seen chambers trying to manage after a cyber attack include:

  • Senior management working through the night trying to work out how they are going to continue to run the business with no functioning systems
  • Members of chambers unable to continue cases while locked out of systems
  • Having difficult conversations with your instructing solicitors explaining how and why their clients’ confidential information has been breached and the fact that their matters are disrupted
  • The requirement to communicate the problem to solicitors, staff, other third parties and the press, again without being able to use the usual methods of communication
  • The need to report the incident to the ICO, your regulator and law enforcement agencies
  • Internal disruption, as well as blame and condemnation among personnel
  • Extensive lost time
  • The arguments over fault and liability in cases of diverted payments
  • Trying to negotiate with criminals over their ransom demands for the return of confidential data or decryption of systems
  • The fact that the underlying weaknesses that allowed the cyber attack to happen will still need to be identified and eliminated

The National Cyber Security Centre (NCSC) notes that:

“Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”

Why is cyber risk management essential for chambers?

The legal industry is a high-risk sector when it comes to cyber security. Criminals have found a variety of methods, including email account takeover and ransomware attacks, to be particularly profitable in a profession where data protection and client confidentiality are crucial.

The major risks of failing to proactively implement strong cyber security measures that cyber insurance will not help with include:

1. Breach of legal and regulatory obligations

As a starting point, all regulators require compliance with legislation. This includes compliance with UK GDPR for the protection of personal data. Basic requirements include:

  • Carrying out regular risk assessments for the security of data
  • Putting effective controls in place, including:
    • Providing relevant training to personnel and having policies in place outlining expected behaviour
    • Having secure technology
    • Having the right policies and framework in place in respect of governance
  • Regularly testing, assessing and evaluating the controls
  • Being able to provide evidence of compliance with the above

Failure to comply with legal and regulatory obligations can result in substantial fines, and those fines are something your cyber insurance policy won’t cover.

2. Data breaches

In the case involving law firm Tuckers LLP, the ICO issued a fine of £98,000. A ransomware attack resulted in a personal data breach. Files, including court bundles, were encrypted by the attackers, and a number were offered for sale on the dark web. The ICO found this was a result of the firm’s failure to implement appropriate technical and organisational measures, and that Tuckers had failed to process personal data in a way that ensured its security and protection.

The ICO stated that, given the confidential nature of the data held, schemes such as Cyber Essentials and Cyber Essentials Plus were not, on their own, a sufficient security standard.

The ICO also highlighted breaches of the SRA Code of Conduct which it regarded as an aggravating factor. In the context of a chambers breach, one can expect the ICO to scrutinise (for example) the BSB Handbook CD 6 (confidentiality); CD 10 (managing the practice competently and in compliance with legal and regulatory obligations); rC89.5 (proper arrangements for ensuring the confidentiality of clients’ affairs); gC134.1 (putting in place and enforcing adequate procedures for protecting confidentiality); gC134.2 (complying with data protection obligations imposed by law); gC134.4 (to take account of other BSB guidance); the Information Security guidance issued by the General Bar Council; and the Information Security Questionnaire agreed by the Law Society and Bar Council.

In the Interserve case, the ICO fined the construction company £4.4m over its failure to protect its employees’ data from cyber attacks. The Information Commissioner said companies should “expect a similar fine from my office” if they fail to put proper protections in place. The ICO made it clear it will have regard to “relevant industry standards of good practice” such as ISO 27001; the National Institute of Standards and Technology (NIST); the various guidance from the ICO itself; from the NCSC; and from any sector regulator.

3. Breaches of client confidentiality

A breach of client confidentiality will have implications for your clients, your cases and the reputation of the whole set and its members. It is very hard to remedy the loss of confidentiality in any meaningful way and there is a substantial risk that major clients could look elsewhere for advice or representation.

4. Business disruption

Business disruption can also result in substantial losses, both in momentum and for clients who may lose trust in any organisation that has failed to put adequate security in place. The initial difficulties can be crippling, and the long-term issues can last for many weeks or months whilst those involved scramble to restore systems and databases and persuade instructing solicitors and clients not to jump ship.

The importance of dealing with cyber security at the most senior level

Given that cyber security failures have the potential to devastate the organisation, it must be understood that this is a matter for the senior leadership team. It is the senior leaders and members who will have to face the consequences and answer to regulators, the ICO, instructing solicitors, clients, other affected third parties and their own colleagues. The senior leadership team need to have the appropriate management information in place, reviewed regularly in management forums.

The Government’s draft Cyber Governance Code of Practice, aimed at executive and non-executive directors and other senior leaders, highlights the fact that cyber risk should have the same prominence as financial or legal risks and that responsibility and ownership of cyber resilience is a Board level matter.

The importance of independent assurance

It should also be recognised that proper cyber risk management requires some independent assurance carried out by genuine cyber security specialists with in-depth knowledge of the latest security risks and experience of the attacks taking place in your sector. They should be independent of your IT provider, because having your IT mark their own homework is a non-starter from a compliance perspective.

Who are Mitigo and how can we help?

At Mitigo, we offer specialist advice and cyber security services to law firms, barristers’ chambers and other legal businesses. We are not an IT company. We know that you are a prime target for cyber criminals and our experts have the understanding needed of both your business and potential cyber risks to give you the protection you need.

We can work with your set and your IT partner to identify potential risks and eliminate them without delay. So don’t rely on your cyber insurance to save the day. The only way of effectively protecting your organisation is to ensure that your security protocols and systems are as strong as possible.

Mitigo is an Affiliate Partner of the Law Society of England and Wales, Strategic Partner to the Law Society of Scotland and Service Partner to the Bar Council. Our bespoke service takes into account the unique structure of chambers and the threats you face.

Contact us today for a vulnerability risk assessment

If you would like a cyber security overview carried out by our cyber security experts, contact us today. We will identify any issues that need attention and work with your business to ensure that you have the optimal cyber security protection for your organisation.

Speak to one of our cyber security experts by calling 0161 711 0201, emailing us at info@mitigogroup.com or filling in our contact form.
