Fraud and cybersecurity: are you on the ball?

Why this risk matters

Cybersecurity is the hot topic of the moment. Our recent seminars on the subject have always attracted a capacity audience. Yet the mystique round the subject, encouraged by many consultants, is not helpful for a real understanding of the issues, required to address the risk properly.

Let’s be clear: we are in no danger of cybercrime overtaking residential conveyancing claims as the number 1 source of claims against the profession any time soon. Yet, that is no reason to dismiss it as a concern. Firms should not give a low priority to risks simply on the basis that they have not cost them very much yet! Law firms, of all shapes and sizes, need to take data protection, fraud and cybersecurity very seriously. The risks are increasing, and claims are starting to emerge.

This message needs to be understood by everyone in the firm, not just the IT manager.

Firms that do not prepare now will be at much higher risk of a significant loss in the future.

As the latest UK Government cybersecurity survey clearly identifies, today more than ever we are all using IT as an integral part of our daily lives, within both our business and personal lives. The mistake is to consider it a topic apart. The reality is that our new ways of working have simply produced new ways for, essentially, the same old risks to manifest themselves. Recent conveyancing claims, by way of example, frequently have a cyber element to them.

We are, however, beginning to see a definite risk trend for law firms – and it is one being replicated across the whole of the UK. Crime is moving online, and it is becoming increasingly sophisticated, targeted, and ever more common.

Six steps to cybersecurity

If you leave IT security to your IT team, the problem is that, no matter how good a job they do, something somewhere will slip through. So not only do you have to have the most effective system controls and firewalls, but you also have to have the most alert staff, if you are to avoid a serious breach at some point.

Your strategy, in simple terms, should consider three elements:

1. Systems
2. Staff
3. Mitigation.

Systems

1. Ensure your IT systems are up to date
   If your servers are running on Windows Server 2003, if you are using Internet Explorer 8 to browse the internet, or if your computer runs on Windows XP, you are particularly at risk from a cyber attack.
2. Implement effective security protocols
   Law firms should be auditing their IT security – and ideally seeking a recognised accreditation. Cyber Essentials is the accreditation that Lockton recommends all firms attain as a necessary base level. You may also wish to consider Cyber Essentials Plus, or even ISO 27001.

Lockton has produced an IT risk assessment that you can complete as part of a confidential risk consultancy report. Law firm managers may also be interested in the guidance on password security protocols.

Remember that systems should be designed to be practically secure rather than technically secure. We recently heard of a firm whose IT security meant that confidential data could not be transmitted via a relatively secure encrypted online site, and therefore had to be emailed, much less securely. Similarly, if your IT protocols prevent people doing their work in a pragmatic manner (albeit it carries a modicum of risk), they may well resort to far more insecure methods instead! Consult those doing the work before making decisions about system security if you want to achieve the best results.

Staff

1. Engage your staff in regular cybersecurity awareness training
   It is essential that everyone in your office is educated about the risks. This should not be a one-off training session. Little and often is far more effective.
   Lockton provides Scottish solicitors free access to a range of training materials and resources, including webinars, password security awareness training, and supported by a range of posters designed to be used round the office to remind people of the risks.
2. Conduct a simulated phishing exercise
   As phishing attacks are the most common source of cyber attack by far, affecting most people, educating staff on how to identify potential phishing emails is a must. Better than reading about it is to test it in reality, which is why Master Policy lead insurer, RSA, commissioned a simulated phishing exercise which Lockton offered to Scottish law firms. While such phishing test exercises are inevitably less effective for very small firms, for larger firms (10 or more staff) they can be a very effective form of training. In the first exercise conducted by NCC Group for RSA and Lockton, fee earners in 58% of firms participating clicked on a suspicious link. The improvement rate in a subsequent test proved the effectiveness of the exercise, with more than a 60% decrease in the click rate.

Mitigation

At some stage, you will be likely to suffer some form of information security breach or cybercrime attack. If you are unfortunate enough to suffer a serious attack, and your systems are corrupted or brought down, or you have a serious data breach – you need to be prepared.

1. Have a breach response strategy
   Knowing what to do and who to contact when the worst happens and your systems are brought down, or there is a major breach of system security, is essential if your firm is to recover reputationally and financially. It is worth having a specialist PR agency on hand to proactively manage media and public enquiries. Don’t just assume that, because you are a small firm, you will avoid the headlines and reputational damage.
   It is also vital to be able to get back up and running as quickly and safely as possible – if nothing else, to avoid other claims arising, and further financial losses.
   You can obtain “breach response” insurance – which typically will provide all this for you, using the insurer’s own panel of expert consultants.
2. Consider insuring against the risks
   Cyber insurance has been talked about in recent years, but the UK Government’s cybersecurity survey reveals “very disparate levels of awareness around cyber insurance”. Of those UK businesses that do have some form of cyber insurance, almost two-fifths said they did not understand it well.
   There are a lot of different policies in the market currently, all of which have different limits, exclusions, and terms. Before you take out any policy it is important that you understand:

• what insurance protections you already have;
• what your potential risk exposure is;
• what additional insurance protections you wish to put in place.

This table provides an overview of some of the policies available, and what they cover.

For more information…

Matthew Thomson of the Law Society of Scotland’s Professional Practice unit, is a specialist in cyber risk issues. The Society’s Technology Committee, of which he is secretary, is in the process of launching revised guidance about cyber risk, which will be available shortly.

Lockton has more detailed information about information security, cyber and fraud risks on our dedicated solicitors’ website.

In addition to the risk management training and guidance on our website’s Resource Centre, you can also find more information about products specifically designed to dovetail with your existing Master Policy cover.