Guide

Cybersecurity for solicitors

Cybersecurity is a critical issue facing all businesses. Cybercrime is getting more sophisticated so it’s important to protect your firm’s information and systems.

28 Aug 2019

Less than 1 minute read

This guide looks at the security you should have in place to protect your critical assets from cybercrime. These assets will include:

data
networks
computers
mobiles and smart devices

Data must be processed securely to comply with the General Data Protection Regulation (GDPR).

Data breaches must be reported to the Information Commissioner’s Office within 72 hours of being discovered. Everyone in your firm should know how to do this.

You may want to consider cloud computing. This is where your data is stored on remote servers and accessed through the internet instead of your computer’s hard drive. These servers are managed by a third-party supplier, who’s also responsible for the security of the data it holds.

Find out what cover your professional indemnity insurance provides.

It’s unlikely it will be enough cover for cybercrime attacks, so you should understand the different types of cyber insurance and how to work out the right level of cover for your firm.

Expand all

There are steps you can take to protect your firm from a cyberattack.

General safety

Use a firewall to secure your internet connection
Protect all devices with antivirus software
Keep IT systems up to date with regular patching
Encrypt mobile devices and install a system that can wipe them if they are lost
Back up important information regularly
Avoid giving out admin accounts (able to access other accounts and install software) or access to payment systems unless necessary

Review your assets

You should regularly review:

your financial and information assets (for example payment systems and IT equipment)
who has access to assets and how they are stored
your firm’s policy on cybersecurity, appointing someone to oversee the policy

Introduce safety measures – for example, make sure there are clear processes and reporting lines across your firm for handling money.

Check regularly that your measures are working as expected.

Make a response plan

You may want to have a plan in place for what to do if there is a cyberattack. It can include:

who staff should alert if there is an attack
actions to take to stop the attack if it’s still happening
how to reduce damage afterwards

Train your staff

Make sure your staff understand how to:

follow your response plan in case of cyberattack
create secure passwords
recognise common scams
safely store and dispose of confidential documents
understand the added risks of working away from the office, for example losing paperwork, or having conversations with or about clients where they can be overheard

Staff should avoid:

changing payment details or making payments without thorough checks
opening email attachments without knowing who or where they’re from
connecting personal devices, for example memory sticks, to your network
downloading unsafe apps or browsing on unsafe sites

Get certified

Certification helps you and your practice demonstrate expertise to your clients.

Consider:

getting the National Cyber Security Centre’s (NCSC) Cyber Essentials certification
getting our Lexcel accreditation
complying with ISO 27001, a standard for managing and protecting information assets

Reporting an attack

You can report an attack to:

Resources

Data processing

Systems that handle personal data must comply with data protection by design and default. We recommend following these principles for all data processing purposes.

Data protection by design

You must consider privacy and data protection issues at the design phase of any system and throughout data processing.

This could be, for example, when you:

develop new IT systems
use personal data for new purposes
create processes that may affect the privacy of data

Data protection by default

To comply with the GDPR, you must only process data which is ‘necessary’ for your specific purpose.

Before the processing starts, data protection by default means you need to:

specify the data you’re using
tell the data subjects
only process the data you need for your purpose

You should also consider:

using a ‘privacy-first’ approach for system settings
giving data subjects enough choice and control over how their data is used
not processing additional personal data unless the data subject agrees
making sure personal data is not made publicly available unless the data subject agrees

Level of security

The level of security (or protection) you need for your data depends on the risks involved in your processing.

To understand the risks, you should review how valuable, sensitive or confidential the data is.

You should also consider:

risks with your firm’s computer systems
how many staff can access personal data
risks involved with personal data held or used by a processor acting on your behalf

Security requirements

You must have an ‘appropriate’ level of security to protect data. To achieve this, you should follow the NCSC and the Information Commissioner’s Office (ICO) security outcomes.

The security outcomes should:

manage security risk
protect personal data against cyberattacks
identify security events
minimise the impact of a data breach

Reporting a personal data breach

After a cyber attack, you need to check if personal data has been lost. If it has, you may need to report the breach to the ICO.

You must report a personal data breach within 72 hours of first finding out – even if this is outside working hours.

Read about when to report a personal data breach

You may want to consider using cloud computing for your firm’s IT needs.

Cloud computing is the delivery of services (for example, storage and computing power) over the internet by a supplier.

Benefits of cloud computing

These include:

your data storage and handling capacity is increased
your IT infrastructure and support costs could be lower
your cloud capacity can be increased simply
you have access to your files anywhere, on any device
your software updates are completed by suppliers
your data is backed up

For these reasons, small to medium-sized firms in particular may benefit from using cloud computing services.

Risks of cloud computing

These include:

client data is at risk if the cloud is breached
if the cloud server is unavailable you will not be able to access your data
you may have less visibility and control of your data

Choosing a cloud supplier

To minimise risks, you may like to check your supplier:

is reputable and well-established
can comply with regulatory obligations, for example under the GDPR
is ISO 27001-accredited, the international standard for information security management
has security measures to protect data from hacking
encrypts data in storage and in use
has added security measures – for example, two-factor authentication, which is another method of confirming someone’s identity beyond a username and password

Cyber insurance covers your costs and losses if you experience a data breach or cyber attack. This can supplement your professional indemnity insurance (PII) cover.

Some insurers will ask about security in your firm as it may lower PII premiums. Your firm should already have appropriate security.

What PII covers

A standard compulsory minimum terms and conditions PII policy will cover you for civil liability and most third party cover.

However, it will not cover other risks linked to cyber incidents, such as:

reputational damage
costs of a forensics investigation
business interruption

What cyber insurance covers

Cyber insurance policies have different levels of coverage:

first party cover – damage caused to your firm
third party cover – damage caused to clients and others

First party cover

First party cover includes:

breach costs – for example, costs of getting experts to investigate the cause and scale of the breach
restoration costs – for example, costs of repairing damage to software and data caused by a hacker, such as removing malware
response management – for example, getting expert advice to help develop communication strategies to limit reputational damage
business interruption – for example, paying back fee income that would have been earned
costs relating to cyber threats – for example, paying ransom costs

Third party cover

Third party cover includes:

privacy protection – defence costs and settlements following legal action or investigation after a data breach, invasion of privacy or breach of confidentiality
media content liability – defence costs and settlements following legal action as a result of content on the firm’s website or social media

Risks not covered

Third party cover does not include theft from your firm’s office account by either third parties or employees. You would need to buy a policy with a crime insurance element to cover this.

Buying cyber insurance

Before you buy cyber insurance, you need to understand the potential threats to your firm and the level of risk you'll accept. You should create your own risk management process.

Assessing the risk

When assessing the risks your PII policy does not cover, you should consider:

how much sensitive information your firm holds
what the reputational damage would be if you experienced a data breach
if you would need expert help to identify and respond to a cyberattack
how well you could recover from an attack – the costs of restoring software and data, avoiding bad publicity and not losing fee income

Using a broker

You should discuss your firm’s insurance needs with a specialist broker who is an expert in cyber and crime policies.

Discuss removing unnecessary elements in the policy, such as cover for regulatory fines and penalties, that are already covered by your firm’s PII policy. This may lower your cyber insurance premiums.

Your broker should advise on issues relating to your cyber and PII policies, including: