Managing Risk: Ten Point Review of Cyber Security for Law Firms

Cyber security risk is an increasing concern for law firms. We have previously reported on the increase in claims where cyber is the underlying issue.

The thematic review on cyber security within law firms that was published by the SRA in September 2020 also suggests that many law firms have further work to do on this issue. 

Below is a quick-fire 10 point review of issues to consider when reviewing cyber security risks within your firm. It is not a definitive list, but it does cover the more significant areas of concern and is offered as a starting point for firms to identify some potential action points.

  1. Do you undertake adequate and regular training on cyber security for everyone in your firm?

    The people in your firm can be both the biggest asset and the biggest risk when it comes to cyber security. Training on cyber security for everyone in the firm is essential and should be undertaken on a regular basis. This will ensure that the risks remain at the forefront of people’s minds and the right behaviours become embedded in their daily routines. 

    Never apologise for repeated warnings and training on issues such as password hygiene and phishing emails. We all need reminders to help us maintain a vigilant approach. It is also important that new scams and frauds are communicated to everyone in a timely way. The modus operandi of fraudsters is continually changing and everyone in the firm needs to stay one step ahead.

  2. Do you have adequate policies and controls in place to address cyber risks, and do you regularly review these?

    We encourage firms to consider whether their policies and controls relating to cyber security are sufficiently comprehensive and updated as regularly as they should be. While you might have dealt with some issues, are there any gaps? For example, the SRA thematic review (available here) indicated that 50% of firms did not have a removable media policy and 58% did not monitor the use or provenance of data sticks. Some policies to consider are:

    •    Acceptable and secure system use
    •    Removable media policy
    •    Home and mobile working policy
    •    Email use
    •    Website and social media use
    •    Passwords
    •    Incident Reporting

  3. Does your firm have Cyber Essentials or Cyber Essential Plus?

    Cyber Essentials is a government backed scheme that will assist law firms of all sizes with the identification and implementation of basic technical controls to address cyber risks. The scheme requires the adoption of 5 technical controls:

    •    Securing your Internet connection (firewalls and routers)
    •    Securing your devices and software (secure configuration)
    •    Controlling access to your data and services (access control)
    •    Protection against viruses and other malware (malware protection)
    •    Keeping your devices and software up to date (software updates).

    There are two levels for the scheme. Cyber Essentials involves a self-assessment that is independently verified, while Cyber Essentials Plus includes an independent technical audit including vulnerability checks. In addition to the controls helping to keep your firm safe, these badges are also a good way of demonstrating to clients that you take the issue of cyber security seriously.

  4. Do you stress test your systems and controls or undertake external penetration testing?

    The SRA have noted concern that of the 40 firms involved in the SRA thematic review on cyber security, 14 had undertaken neither internal stress testing of policies and procedures relating to cyber security nor any penetration testing by an external provider. These activities are key to identifying security vulnerabilities in a computer network, system, or web application that could be exploited. 

    Internal stress testing can include undertaking mock cyber incidents or testing staff responses to phishing enquiries. Findings and observations can be used to adapt and develop policies, procedures and training. External penetration testing mimics techniques used by cyber criminals to identify software flaws and operational weaknesses that could be susceptible to cyber-attack. Do you know how susceptible your firm might be?

  5. Do you use MFA (Multifactor Authentication) and VPNs (Virtual Private Networks)?

    VPNs (Virtual Private Networks) and MFA (Multifactor Authentication) are key to preventing unwanted/unauthorised access into the corporate network. MFA is an authentication method that requires users to verify identity using multiple independent methods. Examples of MFA include:

    •    Google Authenticator (an app on your phone).
    •    SMS text message with a code.
    •    Soft token (also called software token).
    •    Hard token (also called hardware token).
    •    Security badge.

    Fee earners who are home-working must access the corporate network over the internet (whether via home internet or public Wi-Fi), but where there are internet-facing protocols such as remote desktop, there is an increased risk that outsiders may also gain access using either stolen credentials or vulnerabilities. The internet is inherently insecure, and therefore the use of a VPN to provide encrypted communication between the end user and the corporate network, and MFA to provide layered authentication rules for accessing the corporate network, are important tools to manage cyber risk.

    Of the firms that participated in the SRA thematic review, 63% used MFA, but in our view the fact that 37% are not doing so is a concern. If this percentage is replicated across the entire legal profession, then there is a significant number of firms that are vulnerable. Firms should also be aware that many underwriters of cyber insurance policies now require this as a basic risk-mitigating tool.

  6. Do you control access to data and systems?

    Does your firm control the extent of access that users have to systems and data? Giving everyone access to your entire system increases risk, and it is concerning to note that this occurred in 7 of the 40 firms participating in the SRA thematic review. We encourage firms to review this issue in line with the recommendation in Cyber Essentials that "staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role."

  7. Is your operating system still supported, including the continued availability of security updates?

    The SRA thematic review also identified shortcomings when it came to operating systems, with some firms using outdated systems that had ceased receiving security updates and support, or would soon do so. Firms need to remain on top of this issue and identify whether the system they are currently using has a limited life span. This will enable appropriate planning and replacement of systems within a time frame that ensures continuity of security updates and support is maintained.

  8. Do you have adequate expertise to address cyber risk issues – either in house or via a third party supplier?

    Remember that your field of expertise is the law and not cyber security. For all firms, whatever their size, investment will be needed to ensure that good advice is accessed and reliable and secure systems are procured and maintained. Some firms are able to fund in-house expertise, others will need to rely on third-party providers. In both scenarios it is important to undertake your due diligence and ensure that you are satisfied that the individuals or businesses you have engaged with have the appropriate expertise.

    The SRA thematic review identified that in some instances there were shortcomings in the service provided by third party providers and for 2 of the 40 firms surveyed, the experts' poor service had left the firms vulnerable. Are you confident that you are receiving the advice and support you need?

  9. Do you have a process for recording and reporting cyber risk issues and cyber breaches?

    We strongly recommend that firms have a clear process for recording and reporting cyber risk issues and breaches. This will ensure that incidents are reported to the SRA, the Information Commissioner’s Office (ICO) and law enforcement in compliance with your regulatory and statutory requirements.

    Prompt reporting to your insurer is also important. Separate cyber cover will provide specialist support and assistance and the sooner this is triggered the better. Some insurers will waive the excess for investigating any breaches where notification is made within 48 hours. Therefore, along with being a regulatory and statutory issue, reporting promptly to an insurer can also save money.

    Failure to report a cyber security incident to the ICO in accordance with the requirements of GDPR can result in a significant fine and risks damaging the firm’s reputation beyond the breach itself. To the extent that a firm’s failure to report breaches its obligations under the SRA’s Code of Conduct, disciplinary action could follow.

  10. Do you have separate cyber insurance cover?

    Given the increased claims activity Howden has seen as a result of cyber risk issues, we recommend that law firms maintain a separate cyber policy. Only 30% of firms participating in the SRA’s thematic review on cyber security had specific cybercrime insurance. This is surprisingly low given the vulnerability of law firms to attack.

    There can be a mistaken view amongst law firms that the very broad terms of their professional indemnity insurance (PII) will cover them for all losses resulting from cyber-related issues. PII will cover third party losses (for example cyber fraud resulting in the loss of money in the client account), but it is a separate cyber policy that can respond to a firm’s own costs and losses such as:

    •    specialist assistance and support to mitigate an incident
    •    reporting to the ICO under GDPR
    •    communicating with affected clients
    •    the financial impact of the interruption to your business.

Firms also need to be aware that there is currently an SRA consultation on changes to the minimum terms and conditions (MTCs) to address the issue of “silent cyber”. This refers to the scenario where cover for claims arising from cyber-related events is neither specifically included nor excluded in a policy wording. Both the Prudential Regulation Authority and Lloyd’s have required insurers to put plans into action to reduce “silent” exposures by either excluding them or providing affirmative cover. The SRA have indicated that they have no intention that the changes should result in any reduction in the existing cover for third party losses under the MTCs, but there is always potential for unintended consequences when wordings are changed. This is another reason why we would encourage firms to take separate cyber cover.

Please feel free to contact us for further information or discussion.
Jenny Screech

Consultant, Solicitors