How to navigate cyber risks

In an era dominated by digital transformation, the legal sector must be live to cyber risk. As firms increasingly digitise their operations, the allure of efficiency and convenience is accompanied by a lurking threat: the ever-evolving realm of cyber crime.

For years, professional services firms have had a reputation as an appealing target for cyber criminals looking to exploit the vast amount of sensitive client data and client monies they hold. Law firms are no exception, and in many ways fit the profile of what cyber criminals look for when choosing targets. The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) continue to remind firms of their role in reducing cyber risk, and particularly ransomware risk, which the NCSC describes as the biggest online threat to the UK. It is therefore vital that firms understand what they can do to reduce the risk of a cyber attack.

In the last few years, the Law Society of Scotland has issued a range of resources to help firms deal with many of these risks. These materials include its "Guide to Cybersecurity", which outlines some of the key threats and provides tips for best practice. The Society has also partnered with Mitigo, a cybersecurity specialist that provides resources and guidance. Any law firm wanting to enhance its security controls should consider reaching out to cybersecurity specialists such as Mitigo.

Ransomware payments on the rise

Ransomware has become more damaging because attackers have found value in stealing and threatening to publish sensitive data, not just in encrypting it. In the past, ransomware attackers would typically infiltrate a firm's computer systems and encrypt data, in the hope that the resulting operational disruption would encourage the firm to pay a ransom demand. However, if a firm had back-ups in place (or at least back-ups that were not compromised during the attack), it could often recover its data without paying.

To improve their leverage in ransom negotiations, cyber criminals now routinely exfiltrate data during ransomware attacks, which they then threaten to publish online. As a result, even a firm with intact back-ups may be inclined to pay the ransom demand to avoid the reputational and regulatory consequences of having its data published. This is a particular exposure for legal firms, given the volume of client records and personal information they hold.

Evidence suggests this strategy is working. In its National Strategic Assessment 2024, the National Crime Agency (NCA) reported that identified ransomware incidents affecting UK victims in 2023 were double those of 2022. Given that ransomware incidents are under-reported, the true figures are likely to be higher.

The NCSC has also raised concerns that artificial intelligence (AI) will increase the volume and impact of ransomware, as attackers use it to improve reconnaissance and social engineering, and has noted that AI will equally shape how effective firms' own cybersecurity operations can be.

The impact of ransomware risk transfer – a claims case study

It is becoming increasingly important for firms to consider their insurance coverage and whether they should obtain specific cyber insurance. Subject to its terms and conditions, the Master Policy (the profession's compulsory professional indemnity cover) will typically respond to any situation involving loss of client account funds that were in the control of the law firm, regardless of whether that loss was caused by a cyber attack or by fraud.

However, there are situations where a cyber incident will lead to first-party costs, and these will generally not be covered under the Master Policy. Such losses can be significant in a ransomware attack, and can include:

  • Breach response costs.

  • Business interruption loss.

  • Extortion payments.

  • Digital asset loss.

  • Reputational harm.

These are the categories of costs that would be typically covered by a cyber insurance policy. A well-written cyber policy can therefore help to protect a firm when a ransomware or other cyber event occurs.

One of the main benefits of a cyber insurance policy is that it will normally include access to an incident response team. Ransomware attacks are devastating and can happen in an instant: one click on a link in a phishing email can inflict serious operational and financial harm. In one example, a professional services firm suffered an elaborate ransomware attack in which all of its computer systems and data were encrypted, including customer data. The ransomware also encrypted the company's back-ups. Unable to afford the ransom demand, the company contacted its insurer. Within minutes, the insurer's security incident response team contacted company employees to diagnose the damage and minimise further loss.

In less than 24 hours, the response team worked with the claims team to negotiate and settle the ransom demand on the company's behalf and to facilitate the decryption of the company's files. A member of the incident response team then attended on site to help restore the company's files and perform forensics, enabling the company to return to full operations. The total time to resolution was 48 hours from the initial compromise. (Please note that this is not always the case: in some instances recovery can take weeks to restore a company's systems fully, decryption tools supplied by attackers are often slow or unreliable, payment gives no guarantee that stolen data will not be published, and the NCSC and ICO have jointly advised the legal profession that paying a ransom should not be treated as a way of reducing regulatory or legal exposure.)

Fortunately, the client’s cyber insurance policy covered the business interruption loss, the forensic and data restoration costs, as well as the cyber extortion itself.

Cyber security best practice – minimum controls for professional services firms

In response to this heightened risk landscape, leading experts in both insurance and risk management argue that investing in robust cybersecurity measures is not a luxury, but a strategic necessity. The cost of a cyber breach, both in financial and reputational terms, far outweighs the initial investment required to fortify digital perimeters.

As such, certain cyber hygiene standards that were merely recommended a few years ago are now treated as mandatory by providers of cyber insurance, and they are also best practice from a risk management perspective.

Before they are willing to offer a quotation, insurers will undertake an in-depth assessment of a firm's cyber security infrastructure to confirm that minimum controls are in place. These controls include:

  • Multi-factor authentication (MFA) – this is the first control an underwriter will look for and remains the first hurdle to securing cover. Underwriters expect MFA on remote network access, admin accounts, third-party remote access and email user accounts; phishing-resistant methods (such as FIDO2 security keys) are preferable to SMS or app-based codes. MFA alone, however, will not be enough to meet insurers' minimum standards.

  • Endpoint detection and response (EDR) – for smaller entities, at minimum antivirus and firewalls, with signature updates applied automatically and the configuration reviewed at least quarterly.

  • Data back-ups – taken at least weekly and held offline or offsite, with back-up integrity assured (encryption, air-gapping, secure and preferably offline platforms, and restoration tested regularly so that the firm knows the back-ups can actually be recovered from).

  • Training – all staff receive cyber awareness training at least annually, including regular phishing simulations and guidance on the safe use of portable devices, limiting the use of public Wi-Fi, and security controls for videoconferencing.

  • End-of-life systems – segregated from the rest of the network and scheduled for replacement.

  • High-severity patches – all critical and high-severity patches applied within 30 days of release, and sooner where a vulnerability is known to be actively exploited.

  • Email filtering software to scan incoming emails for malicious links or attachments.

  • Passwords – a password manager in use across the firm, with strong, unique passwords required for any account holding admin rights.
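
The back-up item above asks for "tested restoration", and the claims case study shows why: the firm's back-ups were encrypted along with everything else. The following script is an added example (not part of the Lockton article, and not any insurer's tooling) showing what a minimal restore test looks like: it records a SHA-256 manifest of a source tree at back-up time, restores the back-up into a fresh directory, and checks every restored file against the manifest, reporting files that are missing or whose contents have changed, as they would be if the back-up had been encrypted. All paths are temporary directories created by the script, and the sample "client files" are constructed data.

```python
"""Back-up integrity and restore test (added example, constructed data only)."""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large back-up sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at back-up time.

    Returns the relative paths that restored intact, that exist but no longer
    match their recorded hash ("modified"), and that are absent ("missing").
    """
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_of(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def run_restore_test(tamper: bool = False) -> dict[str, list[str]]:
    """End-to-end drill: create data, back it up with a manifest, restore, verify.

    With tamper=True one file in the back-up is overwritten with random bytes
    before the restore, simulating a back-up that was encrypted during the attack.
    """
    with tempfile.TemporaryDirectory() as tmp_name:
        tmp = Path(tmp_name)
        source, backup, restore = tmp / "source", tmp / "backup", tmp / "restore"

        # Constructed sample data standing in for client matter files and a ledger.
        (source / "matters").mkdir(parents=True)
        (source / "matters" / "client_a.txt").write_text("engagement letter\n")
        (source / "matters" / "client_b.txt").write_text("draft contract\n")
        (source / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")

        # The manifest is written at back-up time and kept outside the backed-up
        # tree; in practice it should live with the offline copy so an attacker
        # who reaches the back-up store cannot rewrite both data and manifest.
        manifest = build_manifest(source)
        shutil.copytree(source, backup)
        (tmp / "manifest.json").write_text(json.dumps(manifest))

        if tamper:
            # Overwrite the backed-up ledger with random bytes ("encrypted" by attacker).
            (backup / "ledger.csv").write_bytes(os.urandom(32))

        shutil.copytree(backup, restore)
        stored = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(restore, stored)


if __name__ == "__main__":
    print("clean restore:   ", run_restore_test())
    print("tampered restore:", run_restore_test(tamper=True))
```

The point of the drill is the second run: a back-up that copies successfully is not the same as a back-up that restores the data you had, and only a hash comparison against a manifest kept out of the attacker's reach distinguishes the two.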

There are also preventative and detective controls which are important and should be considered. These include:

  • Privileged access management (PAM) software – strategies and technologies in place to control, record and monitor the use of privileged accounts.

  • Business continuity plan – a BCP in place that addresses network outages, offline communications, and data recovery protocols.

  • Monitoring capabilities – either a SIEM or an internal team that is alerted 24/7 to suspicious activity.

All insurers have different appetites and market strategies, so there is no one-size-fits-all approach; however, the above controls provide a common baseline and are regarded as good business practice to have in place.

Firms should not be daunted by the above list, but rather treat it as a positive opportunity to understand which controls they already have and which they may need to implement to improve their security. To satisfy cyber insurers, it is important that firms instil a culture of cybersecurity awareness at every level of their organisation. From a cyber insurance point of view, as cyber exposures have increased in recent years, so have premiums. Accordingly, establishing a resilient cybersecurity infrastructure is the most effective method of reducing cyber insurance premiums.

Conclusion

Unfortunately, the cyber risk landscape for professional services is not a distant storm on the horizon; it is a current reality, and the ever-evolving threat remains a challenge that all firms must meet, irrespective of size. The implementation of a robust cyber risk management plan helps to mitigate risks, protect your balance sheet, preserve your reputation, and facilitate growth within your firm.

For more information, please visit our Cyber page, or contact:

Jack Bassett, Assistant Vice President

E: jack.bassett@lockton.com