A candid conversation on cyber
Kurtis Suhs, CEO of Cyber Special Ops, explains the risks cyber-attacks pose to firms, how attackers operate and how you can best defend your organisation.
In September 2020, the Solicitors Regulation Authority (SRA) released a Cyber Security Thematic Review showing that three quarters of the firms surveyed had experienced a cyber-attack, and that across the 23 of 30 firms that were targeted directly, more than £4m of client money was stolen in total.
While the financial impact of a loss of data is harder to calculate, the SRA Review found one firm that sustained indirect costs of around £150,000 in lost billable hours following an attack that crippled its systems.
The enemy is both sophisticated and invisible. The reality is that cyber-attackers are adept at constantly probing for vulnerabilities, and a persistent, state-sponsored threat actor can, given enough time, compromise any target.
Today, the most common threats across the legal sector's threat landscape include criminal pursuit of sensitive financial and client information, extortion (other than ransomware), ransomware, third-party risks, password breaches, insider leaks and hacktivism.
The dark web has also made it far easier for threat actors to trade and reuse data and credentials stolen in earlier cyber-attacks, so that this information is used to mount ransomware attacks and further breaches.
Law firms are an attractive target because of the high-value data they hold and their fiduciary role as safekeepers of client funds and public trust. Because these attacks are not new, a law firm could be held liable for failing to take reasonable steps to protect attorney-client privileged data if that data is exposed in a breach.
Solicitors are also ethically obliged to be competent in all aspects of client representation, and are required to maintain confidentiality over all client information and documents.
Tough insurance market
Law firms may consider transferring risk by purchasing cyber insurance. However, with the increase in the frequency and severity of ransomware and business email compromise (BEC) claims over the past two years, the cyber insurance market has hardened.
Cyber insurers have cut their risk appetite, increased annual premiums by anywhere from 25% to 400%, reduced limits, increased retentions and added coinsurance for network extortion.
Furthermore, many insurers now require applicants to confirm their use of multi-factor authentication (MFA), typically on email, remote access and privileged accounts, as part of the application process. In fact, many cyber underwriters will decline an applicant that does not use MFA.
What to do
So, how does a law firm best prepare for a cyber-attack when it has neither the internal resources nor those that come with a cyber insurance policy?
Organisations need an experienced Cyber Emergency Response Team (CERT), led by a data breach law firm that has handled thousands of cyber-attacks. Other members of the CERT include information security forensics, call centre, identity/credit monitoring and crisis management providers.
During an incident, an information security professional first triages the event on behalf of the data breach law firm. If the event is confirmed as a cyber incident, the data breach law firm assembles the CERT's third-party service providers for immediate response and remediation.
A crucial element of the cyber incident response plan is that the data breach law firm, rather than the affected organisation, engages the information security forensics firm directly, so that the forensic work is covered by attorney-client privilege. Note that this protection is not absolute: courts have compelled disclosure of forensic reports where the work was treated as ordinary business remediation rather than as part of obtaining legal advice. The faster an organisation can respond to a cyber-attack, the more it can limit its financial and reputational loss.
Cyber-attack? What’s your plan?