The Changing Face of Cyber Risk for Law Firms

Uploaded on 2015-07-07 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

AAEAAQAAAAAAAAKfAAAAJDE0Y2IxMDM4LTljZGEtNGVlZS1iYzExLTlhYmZiNmVjNjFjMQ.jpg

 Source: Marsh's 2014 Global law Firm Cyber Survey

While cyber is not yet seen as the most significant risk law firms face, the sudden nature of an attack and the detrimental effects it poses means it is increasingly being written into risk management efforts as a rising priority. Law firms will no doubt remain a target of choice for cyber criminals due to the frequent and sizeable transfers of monies, which they can attack. Equally, there is high value, commercially sensitive and individual net-worth sensitive data that is attractive to criminals, all needing to be protected.

Cyberattacks are getting more and more sophisticated by abandoning the well-known methods of malware, ransomware and hacking attacks, and getting more granular in their approach. We're seeing examples of internal phishing where a hacked internal email is sent from the "managing partner" to the financial controller asking for payment to be made. In this scenario it is easy to ask the financial controller for their confidentiality on the subject as the payment may not be appropriate for firm-wide awareness.

The SRA and The Law Society are both concerned about this risk because no one really understands what the limits to cybercrime are. Underwriters are also beginning to ask a lot of questions around the procedures firms have in place in regards to their tracking of money and release of funds. Worryingly, there is no real defence if a transfer is hacked and diverted into the wrong account; the money will be gone and insurers have to pay. 

Cyberattacks can hit a firm hard and fast and the solutions will need to be found incredibly quickly. For conveyance, for example, underwriters are going to struggle with the pressure to replace the monies in the chain to avoid loss of deposits. Although PII covers such eventualities, this is an increasing concern for underwriters as losses can be considerable and growing as a percentage of their overall losses. If the trend continues it cannot be long before this aspect of cover comes under pressure and insurers start discussing its potential removal from the SRA's Minimum Terms and Conditions. Replacing this with separate insurance will have serious cost implications for firms.

No industry is as prepared for cybercrime as insurers would like and law firms are no exception despite their susceptibility. Aside from the Insurance costs, the outcomes of a cyberattack can involve reputational damage, regulatory investigation fines and business interruption, which could be injurious to the financial position of the firm. 
Although it is encouraging that law firms now acknowledge the seriousness of cyber risk, this acknowledgement needs to be converted into the implementation of preventative measures. Willis's Risk Barometer survey highlighted that small to medium-sized firms are struggling with this issue more than those with greater resources. Smaller firms can be more susceptible to cyberattacks due to smaller IT budgets, and the side effects of an attack, like business interruption, could be far more crippling for a smaller firm.

In short, cyber exposure is not just a significant risk in its own right; it can be the first domino in a chain of events. It is an enabler, amplifier or accelerator of existing risks that firms face. Investigating how to improve cyber risk management procedures and staff awareness is now just another box that needs to be checked.
Whilst many law firms rely on just the proposal form when renewing their PII, providing additional information can greatly assist negotiations and may achieve a better outcome. Underwriters need to fully understand what the firm does and what procedures they have in place to mitigate risk: if an underwriter is unaware of the good work you do to prevent claims occurring, a law firm could be paying a considerably higher premium than necessary. Additional information should be provided on the following key areas:

    1. What the firm does/Aspirations for growth etc.
    2. Conveyance analysis
    3. Clear claims information and summaries
    4. Disciplinary and compliance
    5. Risk Management - (including an awareness of cyber risk. To fail to display a clear awareness of cyber risk is to ignore one of the underwriters' biggest concerns at the moment.)
    6. Financial stability - still a concern for insurers

What exactly should a broker be doing for their client? It will come as no surprise that the Willis Risk Barometer indicated that a poor relationship with the incumbent broker is the biggest reason for changing to a different one; a bigger issue than cost. Some law firms may not be aware of how extensive (or otherwise) their broker's services can be and could be missing out on an array of services and advice, which would benefit their practice.

The best route to the PII market is with a broker that understands and meets the firm's specific needs. As with personal insurance, quick-fix low-rate online PII can easily be found and many would treat their PII as they would their car insurance. Many want the cheapest price available and they do not fully understand what is on offer. There are still many firms with unrated insurers even though alternative, piece proximate A-rated insurers may be available.

A law firm's relationship with their broker will depend on the specific needs of the firm itself. Some will require international capabilities but many do not. It is recognised, however, that large firms and small firms alike will have a better experience the more they engage with their brokers from day one. Good brokers can provide risk advice, take firms through their day-to-day claims process, engaging throughout the renewal process, provide input on strategy, review draft documents and attend conferences with the counsel to ensure their client's interests and reputation are protected at all times. If you have a claim that approaches your total limit of indemnity you'll certainly be pleased to know you have a quality advocate on your side.

In conclusion, the solicitors' working environment is constantly changing and many are looking at mergers and acquisitions of firms, teams, or lateral hires. It is important, therefore, that firms have a broker that can respond to this dynamic environment and provide cost-effective risk structures in the short and long term. Equally, they need to have the experience and excellent access to a wide range of insurers, which allows them to respond quickly when a firm wishes to seize an opportunity to further the firm's strategic plans.
Managing Partner:  http://bit.ly/1gjnZqi

 

« China tightens grip over the Internet
The Future Of Algorithmic Personalisation »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

TrustedIA

TrustedIA

TrustedIA is a cyber and protective security company. Our mission is to help businesses protect themselves from disruptive events that can impact their successful operation.

Cydome

Cydome

Cydome offers full-spectrum cybersecurity solutions tailored for the maritime industry.

Arete

Arete

Arete is a global cyber risk company whose mission is to transform the way organizations prepare for, respond to, and prevent cybercrime.

Protergo

Protergo

Protergo is the first integrated provider of cybersecurity solutions in Indonesia. We proactively protect our clients from cyber threats.

IAmI Authentications

IAmI Authentications

IAmI is a first in Tokenization Cloud-based IAM Security Services, delivering the most advanced form of Two-Factor Authentication.

The Security Company (TSC)

The Security Company (TSC)

The Security Company is a leading provider of creative employee security awareness programmes.

Sum&Substance (Sumsub)

Sum&Substance (Sumsub)

Sum&Substance is a developer of remote verification solutions. Our technology allows online services around the world to meet regulatory requirements, prevent fraud and enhance customer confidence.

Snode Technologies

Snode Technologies

Snode's Guardian cybersecurity platform uses AI and machine learning to monitor, detect and proactively respond to all threats on every device within your network.

Guardian Digital

Guardian Digital

Guardian Digital makes email safe for business. Threat-ready business email protection. Fully supported.

Data Protection Commission (DPC)

Data Protection Commission (DPC)

The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected.

MedSec

MedSec

MedSec is the only company of its type focused solely on cybersecurity for hospitals and medical device manufacturers, offering both a cybersecurity software solution and consulting services.

RubinBrown

RubinBrown

RubinBrown LLP is a leading accounting and professional consulting firm. The RubinBrown name and reputation are synonymous with experience, integrity and value.

PreVeil

PreVeil

We started PreVeil to bring radically better security to ordinary business and personal communication and information storage.

Censinet

Censinet

Censinet provides the first and only third-party risk management platform for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem.

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

Washington Technology Solutions (WaTech)

Washington Technology Solutions (WaTech)

WaTech operates the state’s core technology infrastructure – the central network and data center, provides strategic direction for cybersecurity and protects state networks from growing cyber threats.