Download PDF

Cyber attacks on solicitors firms and cyber insurance – The SRA’s Thematic Review on Cyber Security

November 2020
Andrew Jones

As Andrew Jones reports, the SRA’s Thematic Review on Cyber Security has shone a light on the frequency and potentially hugely damaging consequences of cyber crime on law firms. It also highlights the potential benefits of law firms obtaining specialist cyber insurance in addition to their Professional Indemnity Insurance.

The SRA recently published its report on its Thematic Review on Cyber Security¹. The review was an in-depth look at 40 law firms who had reported being a target of cybercrime in the past three years. The SRA said they wanted to learn more about the types of attacks the firms were subjected to, what measures they did/did not have in place to protect themselves at the time and how being targeted had affected them.

The report is an illuminating and often sobering look at the experience of firms that have been targeted by cybercriminals. The report also demonstrates the potential benefits of specialist cyber insurance to law firms.

Findings

The report’s findings included:

Financial consequences

  • Cyber criminals were successful in their attacks against over three-quarters of the firms targeted, leading to over £4million of client and office money stolen.
  • £3.6m of this £4m was recovered from insurers, but £400,000 had to be paid by the firms’ own resources.
  • There were also wider costs of successful cyber attacks to law firms, including higher insurance premiums, lost time and damage to client relationships. One firm lost around £150,000 worth of billable hours following an attack which crippled their IT system.
  • Most firms implemented appropriate mitigation measures following attacks. For most firms, the costs of mitigation were less than the amount of money lost.

The attacks

  • The criminals typically used a wide range of methods for their attacks, including spyware, ransomware, viruses, email modification and denial of service attacks.
  • Attacks were not isolated incidents; two of the larger firms reported they were targeted hundreds of times per year.

People and training

The SRA said that knowledgeable and empowered staff were the first line of defence against cybercrime. However, the SRA found:

  • Only around two-thirds of staff at firms claimed to be ‘knowledgeable’ about cybersecurity and IT issues, with even some senior figures unable to answer basic questions about cybersecurity terminology.
  • A fifth of firms had never provided specific cybersecurity training to staff.
  • Around a quarter of firms still had inadequate cybersecurity policies and controls.

Security

The SRA’s findings in relation to security were mixed:

  • Most firms had adequate and appropriate systems in place. 93% of firms had firewalls in place, 87% used anti-virus software and all firms used password protection (the majority two-factor) and backed up data.
  • However, there were some commonplace practices that could potentially make a firm’s system vulnerable. This included more than half of firms allowing external data sticks to be freely used and plugged into their desktop machines. Some firms also used old Windows operating systems that were no longer supported by security updates.

Insurance

Interestingly the SRA’s report found less than a third of the firms reviewed held specific cyber insurance, despite this growing area of cover.

It is not uncommon for law firms to think that their Professional Indemnity (“PI“) Insurance, subject to the generous minimum requirements of the SRA Minimum Terms and Conditions (“MTCs”), would cover all the losses arising from cyber attacks on their business. However, this is not the case, particularly for the first party and more indirect losses that can be suffered. Indeed, it appears that cyber insurance might have helped with many of the consequences suffered by the firms detailed in the SRA’s report.

Loss of client and office money

As mentioned above, over £4m of client and office money was lost, with only £3.6m being recovered from insurers. The SRA’s report does not give any detail as to why £400,000 was not covered, but the limits of PI insurance may explain this.

In terms of loss of client money resulting from an attack, law firms’ PI insurance will generally indemnify such losses (subject to an excess).

However, the MTCs do not require and therefore PI Insurance typically does not cover:

  • Loss of the firm’s own office money;
  • The firm’s own business interruption losses suffered as a result of a cyber attack. Property/Business Interruption policies generally do not cover this either if there is no physical damage to property unless non-damage policy extensions are obtained. As noted above, one firm lost around £150,000 worth of billable hours following an attack; and
  • Any ransom payments demanded from law firms by any cybercriminals as part of a ransomware attack.

Cyber policies (and/or Crime policies for the firm’s own office money) can provide cover for the above losses and can therefore plug these gaps in cover.

IT Costs and Crisis Management

As noted above, the SRA’s report found varying levels of IT expertise within the law firms. Cyber policies typically cover the (usually not cheap) costs of specialist IT forensic services to investigate, identify and stop cyber attacks. Many polices include cover for the costs of reconstituting lost data as well.

The SRA’s report found that some of the firms who had been victims of attacks also considered they had suffered reputational damage and negative media coverage. Specialist cyber policies often provide cover for the following which can assist law firms in this regard:

  • The costs of specialist PR companies to help the firm with press releases and handling media enquiries;
  • Particularly for large scale loss of client data or money, the setup of call centres to handle client queries;
  • The cost of credit monitoring services for any clients or other individuals affected by a breach of their personal data held by the firm. This is something that can also mitigate against any penalties imposed by the Information Commissioner.

Typical cyber policies also often cover the costs for specialists assisting in notifying, if required, the Information Commissioners’ Office and the affected individuals following a personal data breach. Timely and proper notification can also assist in avoiding or mitigating any penalties.

Other benefits

The SRA’s report found that the firms who had cyber insurance reported a range of other benefits with their policies they found useful beyond the specific insurance cover provided, namely:

  • Emergency contact information;
  • Help with training;
  • Help with analysing firm risk; and
  • Access to specialist advice and teams.

Both the post-attack crisis management services and the pre-attack risk assessments/guidance commonly provided by cyber insurers and brokers can greatly assist firms in mitigating the consequences of successful cyber attacks, and increase the chances of preventing them happening in the first place.

Comment

Whilst the growing threat of cybercrime, cybersecurity and the potentially catastrophic consequences of cyber attacks are becoming increasingly reported and known, the SRA’s Thematic Review on Cyber Security provides a particularly illuminating view specifically into the experience of law firms. Law firms are particularly ripe targets for cyber criminals, given the large sums of client and office money, and sensitive personal data, that are frequently held and transferred, yet have traditionally not always built in the same controls and security as some other financial professionals. The SRA’s report flags numerous areas that will benefit law firms for the future, including in security, training, technology and support.

Cyber insurance should undoubtedly form part of that consideration going forwards for law firms – and all organisations – given the gaps in insurance cover it can plug and the other benefits provided highlighted above. In that regard the SRA’s report also leaves a warning for firms not to leave it until after the event in that regard: firms told the SRA that cyber insurance was often unavailable immediately following a cyber attack because the firm was perceived as too high risk. Don’t leave it too late!


¹https://www.sra.org.uk/sra/how-we-work/reports/cyber-security/

 

Download PDF