What to do after a cyber attack
Knowing what to do after a cyber attack will help you protect your firm’s systems from further damage or loss, and your clients’ data from being compromised.
This guide explains how to:
- limit damage to systems and data
- comply with regulations
If personal data is lost, you’ll need to know what to do under the General Data Protection Regulation (GDPR). You may need to tell the Solicitors Regulation Authority, and your clients if their data is affected.
You should know what to expect from your professional indemnity insurance and cyber insurance. Be aware of what client information you can give to your insurers. You should also know what you can tell your clients and other parties about your insurers.
If you’ve been hacked, you should follow your response plan to alert the right members of staff, take actions to stop the attack, and reduce the damage.
This may involve:
- disconnecting from the internet
- disabling remote access
- installing any pending security updates or patches
- changing passwords
- maintenance work on your firewall
Document the attack and the steps you took to fix it. You’ll need these records if you need to report the attack, for example under GDPR.
Find out what happened
Investigate the hack to understand the extent of it. Do not delete any files as this could make the situation worse.
If you have a website hacker protection service, the monitoring service should give you an early warning that you’ve been attacked.
Taking down your website
If your website is badly attacked, you may decide to take it down in the short term.
If you do not already have a back-up plan in place, ask your hosting provider to back up your website data.
You can use external website hack cleaning services to scan, diagnose and fix your website.
Your reporting duty will depend on the kind of cyber attack you’ve experienced and what the damage was.
If money is lost
You must tell the Solicitors Regulatory Authority (SRA) immediately if you lose client money or information through an attack, even if you later recover it. It will expect you to:
- tell the client
- repay any money you lost
- take steps to reduce risks of a further attack
You should also contact:
- your bank to find out whether it will be able to replace the funds
- your professional indemnity insurer
If sensitive personal data is lost
You may also wish to report attacks to the SRA and Action Fraud to raise awareness of risks and allow others to learn from the event.
You may need to tell your clients if the attack is likely to negatively affect their personal data or privacy. You do not need to do this if you can prove the data was protected with encryption or a similar security measure.
You should have a PR strategy in place to handle any incoming questions from clients. Tell your client-facing employees what your position is and give them any Q&As that may be useful.
At an appropriate point, review the attack with your employees:
- how it happened
- what the impact was
- what went well in responding to the attack
- what improvements could be made
You should be aware of client confidentiality when talking to your insurers.
Professional indemnity insurance
Under the terms of your professional indemnity insurance (PII) policy, you must tell your insurer about any circumstances that may lead to a claim.
You’ll also have to give some details of your insurers to clients and/or claimants – see the SRA Indemnity Insurance Rules and the Provision of Services Regulations 2009. These regulations apply only to the compulsory element of the insurance.
You should not give information about your insurers beyond what is necessary. Ideally, get your insurer to agree what you may tell clients and other parties.
Do not admit liability or offer a settlement to any third party without consent from your insurers.
If you have cyber insurance, you might be able to get help with:
- stopping the attack
- the cost of responding to a data breach
- investigating the cause of the attack
- restoring systems and recovering information
- informing clients
- repairing reputational damage
- fines (where insurable by law)
- cyber extortion