Cyber risk management: some urgent lessons for law firms
- rrelentless

- Mar 26
- 4 min read

Cyber risk is now widely recognised as the single biggest threat capable of seriously damaging a law firm. Just one incident can halt operations overnight, expose sensitive client data and trigger regulatory scrutiny that lingers long after systems are restored.
Most law firm leaders know this – or they certainly should – and, as a result, many are already spending heavily on cyber security, insurance and technology.
However, there is still that nagging doubt: “Are we genuinely secure – or do we just think we are?”
As can be seen from recent commentary in the legal press, this doubt is well-founded: not because firms are doing nothing, but because many are approaching cyber risk in the wrong order.
The common mistake law firms keep making
Across the legal sector, cyber investment is often driven by urgency rather than understanding. Firms see scary stories about the effects of cyber attacks and panic. What can they do to protect themselves, and how can they do it quickly and cost-effectively?
As usual, a panicked response is never a good one. Firms go hunting for a quick fix that keeps them safe and the ICO off their backs. The result is often a performative gesture, being seen to take action – buying software, monitoring tools or cyber insurance – and somehow thinking that this will ensure long-term safety and assurance. Although these measures are important, they will not deliver unless they are part of a cyber risk management programme. For that to happen, firms must resist the urge to spend money on solutions until they have worked out what it is they are trying to control.
Doing otherwise lulls them into a false sense of security. They believe that they are protected because they have bought the new shiny cyber products, but when the crunch comes, they cannot adequately explain, either to their stakeholders or their clients:
- where their biggest cyber vulnerabilities sit;
- how people and behaviour increase exposure;
- whether governance and controls meet SRA expectations; and
- how confident they really are that defences would hold under pressure.
If they do not have that visibility of purpose, then they will be spending blind, no matter how much money they think they are investing.
Not just an IT issue
Although the subject of cyber security has become a lot more mainstream in recent years, with some very high-profile cyber attacks hitting the headlines, it is still seen by many legal professionals, especially those with no contact with digital experts and thought leaders, as a purely technical matter. The reality is that it covers more or less every aspect of a law firm, including:
- Technology and systems
- People and working practices
- Policies, procedures and governance
- Regulatory and professional obligations
Therefore, it is everybody’s business to be aware of and take seriously.
So technology in isolation, unconnected to the rest of the firm, cannot address the risk from human error, weak governance structures or supply chain issues. This demonstrates the weakness of a strategy that concentrates on buying and implementing layers of security tools while critical weaknesses remain unaddressed elsewhere in the organisation. Many leaders may realise this and feel uneasy, despite having done something tangible about cyber risk, albeit directed at the wrong target.
Start from the right place – risk before solution
As we touched on above, no matter what size of firm, there is one principle that applies universally – to manage cyber risk, you have to understand it. That means carrying out a cyber risk assessment in sufficient depth and with enough detail to provide clarity across:
- Technical vulnerabilities
- People risk and training gaps
- Governance and policy weaknesses
- Regulatory and SRA-related exposure
- Unknown or emerging risks
Once you have done this, you will have the understanding you need to get the priorities right when it comes to investment, be able to justify decisions to the board and show that your approach to cyber risk management is sound.
Once you have got your priorities straight – risk first, solution second – then things become a lot clearer and a lot more certain.
Specialist support matters
The legal sector is highly regulated, and those regulatory obligations therefore need to be factored into any cyber risk management solution and understood by those drafting and implementing it.
Cyber support that takes these considerations into account can help firms:
- spot the hidden risks that could cause issues later;
- ensure their controls are what the regulators are expecting to find;
- take informed, proportionate decisions; and
- respond decisively if an incident occurs.
Getting the right expertise and guidance can, for many firms, be the point at which they start to gain confidence in tackling and managing cyber risk.
Not just a one-off exercise
The cyber sector is constantly evolving; hackers and attackers are in an arms race with security experts, and cyber defences in place today can be obsolete in six months. Coupled with that is the inevitable turnover of staff, which changes the skills profile of the firm and means the cyber strategy will need revisiting and refreshing on a regular basis.
That is why cyber risk assessments should be embedded into a firm’s core operations, rather than carried out reactively after a near miss or other external reason. This process of ongoing review can turn cyber risk management into a business discipline rather than the drudgery of yet another compliance task.
A more confident conversation for law firms
For brokers who support law firm clients with their cyber protection requirements, the conversation is now shifting from placing insurance to taking specific and targeted steps that can help firms understand their risk and reduce their vulnerability to attack. Policies that add value and include structured, expert-led cyber risk management can give law firms something that is just as valuable as cover – the confidence to identify, address and deal with cyber threats before they happen, as well as the ability to react quickly and effectively if they do.