Why cyber insurance isn’t a substitute for cyber risk management
So you think buying cyber insurance means your firm will avoid a major nightmare?
You’ve bought a cyber insurance policy to help protect your firm against devastating cyber attacks. It looks comprehensive, so you can finally sleep at night. But before you get too carried away, is that really the case? Many law firms that have been victims of a cyber attack held cyber insurance policies. That cyber insurance did not prevent them from becoming the next victim. Of course, you will be glad you had the policy if the worst does happen, but it is essential to understand the difference between cyber risk management and cyber insurance. Simply put, cyber insurance is the transfer of residual risk once you have taken the right steps to manage your cyber risks in the first place. That includes carrying out proper cyber risk assessments and implementing robust cyber security controls.
What is not covered by cyber insurance?
There is no substitute for having proper cyber risk management in place. Cyber insurance may allow some costs to be recouped, provide cyber specialists to help deal with the immediate crisis and may even allow payment of a ransom demand in some cases, but there is a range of issues that cannot be resolved by simply putting insurance in place.
Difficulties that we have seen firms trying to manage after a cyber attack include:
- Senior management working through the night trying to work out how they are going to continue to run the business with no functioning systems
- Fee earners unable to work while locked out of their systems
- Having difficult conversations with clients explaining how and why their confidential information has been breached and the fact that their transactions are unable to proceed
- The requirement to communicate the problem to clients, staff, other law firms and the press, again without being able to use the firm’s usual methods of communication
- The need to report the incident to the ICO, the Law Society of Scotland and law enforcement agencies
- Internal disruption, as well as blame and condemnation among personnel
- Extensive lost time
- The arguments over fault and liability in cases of diverted payments
- Trying to negotiate with criminals over their ransom demands for the return of confidential data or decryption of systems
- The fact that the underlying weaknesses that allowed the cyber attack to happen will still need to be identified and eliminated
The National Cyber Security Centre (NCSC) notes that:
“Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
Why is cyber risk management essential for law firms?
The legal industry is a high-risk sector when it comes to cyber security. Criminals have found a variety of methods, including email account takeover and ransomware attacks, to be particularly profitable in a profession where data protection and client confidentiality are crucial.
The major risks of failing to proactively implement strong cyber security measures that cyber insurance will not help with include:
Breach of legal and regulatory obligations
The Law Society of Scotland requires all law firms to comply with legislation. This includes compliance with UK GDPR for the protection of personal data. Basic requirements include:
- Carrying out regular risk assessments for the security of data
- Putting effective controls in place, including:
  - Providing relevant training to personnel and having policies in place outlining expected behaviour
  - Having secure technology
  - Having the right policies and framework in place in respect of governance
- Regularly testing, assessing and evaluating the controls
- Being able to provide evidence of compliance with the above
Failure to comply with legal and regulatory requirements can result in substantial fines – fines, by the way, that your cyber insurance policy won’t cover.
Data breaches
In the case involving law firm Tuckers LLP, the ICO issued a fine of £98,000. A ransomware attack resulted in a personal data breach. Files were encrypted by the hackers, including court bundles, and a number were offered for sale on the dark web. The ICO found this was a result of the firm’s failure to implement appropriate technical and organisational measures and Tuckers had failed to process personal data in a way that ensured its security and protection.
The ICO stated that due to the confidential nature of data held, schemes such as Cyber Essentials and Cyber Essentials Plus were NOT sufficient security standards.
The ICO also highlighted breaches of the SRA Code of Conduct, which it regarded as an aggravating factor. In the context of a breach relating to Law Society of Scotland members, one can expect the ICO to scrutinise (for example):
- Rules & Regulations Section B Fundamental Principles, Rule B1.6 Confidentiality (requirement to maintain confidentiality and appropriate supervision of employees)
- Guidance B1.6 (obligation to supervise extends to all outsourced providers)
- Advice B1.6 Notification to ICO under the Data Protection Act (reference to good practice information issued by the ICO)
- Rule B6 Accounts, Accounts Certificates, Professional Practice (safeguarding client monies, duty to rectify breaches, cashroom management)
- Guidance B6 (cashroom supervision of staff and systems, partner responsibility for compliance)
- Section E General Guidance (business process outsourcing, cloud computing, security of social media, compliance with data protection legislation and regulatory obligations when outsourcing)
- The Law Society’s Cybersecurity Guide
In the Interserve case, the ICO fined the company £4.4m over its failure to protect its employees’ data from cyber attacks. The Information Commissioner said companies should “expect a similar fine from my office” if they fail to put proper protections in place. The ICO made it clear it will have regard to “relevant industry standards of good practice” such as ISO 27001; the National Institute of Standards and Technology (NIST); the various guidance from the ICO itself, from the NCSC and from any sector regulator.
Breaches of client confidentiality
A breach of client confidentiality will have implications for your clients, your cases and your reputation. It is very hard to remedy the loss of confidentiality in any meaningful way and there is a substantial risk that major clients could look elsewhere for advice or representation.
Business disruption
Business disruption can also result in substantial losses, both in momentum and for clients who may lose trust in a firm that has failed to put adequate security in place. The initial difficulties can be crippling, and the long-term issues can last for many weeks or months whilst those involved scramble to restore systems and databases and persuade clients not to jump ship.
The importance of dealing with cyber security at partner level
Given that cyber security failures have the potential to devastate a firm, it must be understood that this is a matter for the senior leadership team in the firm. It is the senior partners who will have to face the consequences and answer to regulators, the ICO, clients, other affected third parties and their own colleagues. The senior leadership team needs to have the appropriate management information in place, and it should be discussed regularly at partners’ meetings.
The Government’s draft Cyber Governance Code of Practice, aimed at executive and non-executive directors and other senior leaders, highlights the fact that cyber risk should have the same prominence as financial or legal risks and that responsibility and ownership of cyber resilience is a Board level matter.
The importance of independent assurance
It should also be recognised that proper cyber risk management requires some independent assurance carried out by genuine cyber security specialists with in-depth knowledge of the latest security risks and experience of the attacks taking place in your sector. They should be independent of your IT provider, because having your IT mark their own homework is a non-starter from a compliance perspective.
Who are Mitigo and how can we help?
At Mitigo, we offer specialist advice and cyber security services to law firms, barristers’ chambers and other legal businesses. We are not an IT company. We know that you are a prime target for cyber criminals and our experts have the understanding needed of both your business and potential cyber risks to give you the protection you need.
We can work with your business and your IT partner to identify potential risks and eliminate them without delay. So don’t rely on your cyber insurance to save the day. The only way of effectively protecting your organisation is to ensure that your security protocols and systems are as strong as possible.
Mitigo is an Affiliate Partner of the Law Society of England and Wales, Strategic Partner to the Law Society of Scotland and Service Partner to the Bar Council. Our bespoke service takes into account the particular requirements of the legal industry and the threats you face.
Contact us today for a vulnerability risk assessment
If you would like a cyber security overview carried out by our cyber security experts, fill out our contact form, or see below. We will identify any issues that need attention and work with your business to ensure that you have the optimal cyber security protection for your organisation.
This article was produced by the Law Society of Scotland's strategic partner Mitigo. Take a look at their full cybersecurity service offer. Mitigo offer a free no-obligation consultation for Law Society of Scotland members. For more information contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com