The real cost of a cyber incident
All law firms are now a target for cyber criminals. And make no mistake, cybercrime is well organised and sophisticated, using state of the art techniques. If you do not have properly tested defences in place, it is no longer a case of if you’ll be hit, but when you’ll be hit. We have seen many practices suffer as a result of confusing cybersecurity with IT support or thinking that Cyber Essentials will keep them protected, or naively believing that they are not a target. And the consequences will be more serious and costly than you might imagine.
Here are some examples of the way a cyber incident can affect your firm.
Stress to management
It is no exaggeration to say that we have seen Senior Partners and other senior management lose many sleepless nights as a result of an attack. Imagine discovering that all your confidential internal and client emails have been spied on for months and then intercepted to divert a significant payment. Or that all your clients have just received a virus infected email from your firm. Or that all your business data and systems have been encrypted by ransomware, disrupting your entire operation.
These are some real life examples of what you might face if you are breached. Imagine then having to sit in a partners’ meeting to explain this to your colleagues. The same questions get asked. How was the firm not protected by proper risk management arrangements? What was the partner in charge of compliance doing? Why had the COO not had the defences tested? Why were the firm’s legal obligations ignored (this includes undertaking and documenting a data risk assessment; testing the technology; providing cyber awareness training; putting in place policies and procedures; measuring the effectiveness of all these things on an ongoing basis; and record keeping)? Usually it is the senior management who are targeted and breached, which makes the discomfort even worse.
Financial and identity theft
The dramatic rise in remote email account takeover is a worrying trend. The initial attack may be automated and indiscriminate. Once you are breached, the bad guys are willing to be patient, and will watch for opportunities to strike. As well as serious data loss, the consequences can include significant interception and redirection of payments, both from and to firms. Stolen money is moved quickly and is rarely retrievable.
The theft of credit/debit card details is also prevalent, often as a result of making payment on a fraudulent website. Identity theft is a similar concept, with attackers compromising a user’s online account to allow them to perform actions in their name. Funds moved in small amounts build up yet can go undetected for weeks. All of these examples are happening on a daily basis.
Ransomware
When malicious software locks up all your data and systems, it can bring your business to an abrupt halt. Many firms we speak to assume that having a back up performed regularly will allow the firm to get back up and running quickly. This is not the case.
We have found that very few firms have set up their backup systems correctly to enable them to restore everything, either within a few days or ever. Usually the technical configuration of the back up is wrong. Often the back ups are just copies of the corrupted versions of the data. At best it can take a long time to restore everything. During which time, your business and your client work has stopped entirely. If you decide not to pay the ransom, there is still the question of what confidential data has been accessed? Will the fraudsters strike again? Are they still in the network?
Unfortunately, there is a new twist to ransomware. And it is not a good one.
The alarming new trend is for the criminals to steal a copy of your data as a first step, and THEN encrypt the version you have on your system. And this now gives the fraudster two ransom opportunities. First, they ask for payment for the decryption key. Then they threaten to publicly release, piece by piece, the confidential data they have stolen about you, your clients, and your business relationships, unless you pay up. Typically, the payments are in crypto currencies, and we see amounts ranging from tens of thousands to hundreds of thousands of pounds.
And even if you do pay up, the bad guys could STILL use the data to mount further cyberattacks on you, on your clients, on your business relationships. Or for targeted phishing attacks against your staff and others, or to sell it on to other criminals.
These cases are rapidly increasing, and they are happening right now, to firms of ALL sizes and all specialisms around the country.
Complete loss of data or theft of data
We have seen other cases of partial or complete loss or corruption of client and other personal and business data. Imagine having to deal with the theft or loss of commercially sensitive information belonging to your firm, or even worse, belonging to your clients.
Incident investigation and management
We have seen firms waste literally hundreds of hours of partner and fee earner time in dealing with the investigation and management of a cyber breach. Outside experts usually have to be brought in to identify the cause of the breach, the extent of the loss of personal and other confidential information, and the remedial action required. Much time is often spent reviewing reporting obligations and then explaining the situation to the Law Society, the ICO, colleagues within the firm and to the clients affected. Sometimes PR advisers may also be needed.
Damage to technology or software
Cyber hackers may disable technology and software or render it unsafe to use. It can be costly to find and fix the problems or replace what has been damaged.
Loss of your clients and your reputation
Lose your hard won reputation, lose almost everything.
Trust is a crucial part of your relationship with clients. And loss of their personal and confidential information, or your ability to progress or complete their transaction can destroy it. Remember, depending upon the nature of the incident, you will have an obligation to tell your clients exactly what went wrong, the extent of the breach of their information, and how you are putting it right. It is the larger clients especially, who will reconsider continuing to instruct you once you have demonstrated you cannot be trusted with their confidential information. Damage to your reputation can also affect relationships with third parties.
Regulatory penalties and fines
The Law Society and the ICO will not be impressed if you have not, as a minimum, complied with your legal obligations for cybersecurity nor taken the security of your clients’ information and affairs seriously. Fines are on the rise. Expect the ICO, which is ramping up its enforcement, to show its teeth.
Class action compensation claims
Individuals now have the right to seek compensation against data controllers (and processors) who fail to comply with their security obligations. This will provide fertile ground for a new breed of claims companies, indeed, we have already seen the emergence of a new claims industry, with a number of class actions already launched. Clients or third parties affected by the breach may claim for consequential financial loss.
When the true costs and consequences of a cyber incident are fully appreciated, the value in proportionate investment in independent cyber protection will be readily understood. The assurance it gives, forms a crucial part of risk management. And do not be misled into thinking that cyber insurance will make all the pain go away. Insurance will not give you back all your time, build your reputation back up, restore the lost trust (internal and external), replace the lost clients, or prevent the sleepless nights of worry.
This article was produced by Mitigo.Take a look at their full service offer here.
For more information contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com