Cybersecurity for solicitors
This guide looks at the security you should have in place to protect your critical assets from cybercrime. These assets will include:
- mobiles and smart devices
Data must be processed securely to comply with the General Data Protection Regulation (GDPR).
Data breaches must be reported to the Information Commissioner’s Office within 72 hours of being discovered. Everyone in your firm should know how to do this.
You may want to consider cloud computing. This is where your data is stored on remote servers and accessed through the internet instead of your computer’s hard drive. These servers are managed by a third-party supplier, who’s also responsible for the security of the data it holds.
Find out what cover your professional indemnity insurance provides.
It’s unlikely it will be enough cover for cybercrime attacks, so you should understand the different types of cyber insurance and how to work out the right level of cover for your firm.
There are steps you can take to protect your firm from a cyberattack.
- Use a firewall to secure your internet connection
- Protect all devices with antivirus software
- Keep IT systems up to date with regular patching
- Encrypt mobile devices and install a system that can wipe them if they are lost
- Back up important information regularly
- Avoid giving out admin accounts (able to access other accounts and install software) or access to payment systems unless necessary
Review your assets
You should regularly review:
- your financial and information assets (for example payment systems and IT equipment)
- who has access to assets and how they are stored
- your firm’s policy on cybersecurity, appointing someone to oversee the policy
Introduce safety measures – for example, make sure there are clear processes and reporting lines across your firm for handling money.
Check regularly that your measures are working as expected.
Make a response plan
You may want to have a plan in place for what to do if there is a cyberattack. It can include:
- who staff should alert if there is an attack
- actions to take to stop the attack if it’s still happening
- how to reduce damage afterwards
Train your staff
Make sure your staff understand how to:
- follow your response plan in case of cyberattack
- create secure passwords
- recognise common scams
- safely store and dispose of confidential documents
- understand the added risks of working away from the office, for example losing paperwork, or having conversations with or about clients where they can be overheard
Staff should avoid:
- changing payment details or making payments without thorough checks
- opening email attachments without knowing who or where they’re from
- connecting personal devices, for example memory sticks, to your network
- downloading unsafe apps or browsing on unsafe sites
Certification helps you and your practice demonstrate expertise to your clients.
- getting the National Cyber Security Centre’s (NCSC) Cyber Essentials certification
- getting our Lexcel accreditation
- complying with ISO 27001, a standard for managing and protecting information assets
Reporting an attack
You can report an attack to:
Cybersecurity Information Sharing Partnership (CiSP) run by the NCSC – discuss cybersecurity with peers and get alerts
National Cybersecurity Centre – small business guide: cybersecurity – how to improve cybersecurity within your organisation quickly, easily and at low cost
National Cybersecurity Centre information Security – good practice for information security
National Cybersecurity Centre – 10 steps to cybersecurity
Under the UK General Data Protection Regulation (GDPR) you must process personal data securely.
Personal data is information that can be used to identify people. All solicitors hold personal data.
You must protect personal data against:
- unauthorised or unlawful processing
- accidental loss
You must consider data protection:
- at the start of any processing activity
- during the processing
Systems that handle personal data must comply with data protection by design and default. We recommend following these principles for all data processing purposes.
Data protection by design
You must consider privacy and data protection issues at the design phase of any system and throughout data processing.
This could be, for example, when you:
- develop new IT systems
- use personal data for new purposes
- create processes that may affect the privacy of data
Privacy enhancing technologies (PETs) can help you apply ‘data protection by design’ in your firm.
PETs protect privacy by minimising personal data use and maximising data security. They also empower data subjects by giving them the ability to manage and protect their personal data.
Data protection by default
To comply with the GDPR, you must only process data which is ‘necessary’ for your specific purpose.
Before the processing starts, data protection by default means you need to:
- specify the data you’re using
- tell the data subjects
- only process the data you need for your purpose
You should also consider:
- using a ‘privacy-first’ approach for system settings
- giving data subjects enough choice and control over how their data is used
- not processing additional personal data unless the data subject agrees
- making sure personal data is not made publicly available unless the data subject agrees
Level of security
The level of security (or protection) you need for your data depends on the risks involved in your processing.
To understand the risks, you should review how valuable, sensitive or confidential the data is.
You should also consider:
- risks with your firm’s computer systems
- how many staff can access personal data
- risks involved with personal data held or used by a processor acting on your behalf
You must have an ‘appropriate’ level of security to protect data. To achieve this, you should follow the NCSC and the Information Commissioner’s Office (ICO) security outcomes.
The security outcomes should:
- manage security risk
- protect personal data against cyberattacks
- identify security events
- minimise the impact of a data breach
Reporting a personal data breach
After a cyber attack, you need to check if personal data has been lost. If it has, you may need to report the breach to the ICO.
You must report a personal data breach within 72 hours of first finding out – even if this is outside working hours.
You may want to consider using cloud computing for your firm’s IT needs.
Cloud computing is the delivery of services (for example, storage and computing power) over the internet by a supplier.
Benefits of cloud computing
- your data storage and handling capacity is increased
- your IT infrastructure and support costs could be lower
- your cloud capacity can be increased simply
- you have access to your files anywhere, on any device
- your software updates are completed by suppliers
- your data is backed up
For these reasons, small to medium-sized firms in particular may benefit from using cloud computing services.
Risks of cloud computing
- client data is at risk if the cloud is breached
- if the cloud server is unavailable you will not be able to access your data
- you may have less visibility and control of your data
Choosing a cloud supplier
To minimise risks, you may like to check your supplier:
- is reputable and well-established
- can comply with regulatory obligations, for example under the GDPR
- is ISO 27001-accredited, the international standard for information security management
- has security measures to protect data from hacking
- encrypts data in storage and in use
- has added security measures – for example, two-factor authentication, which is another method of confirming someone’s identity beyond a username and password
Cyber insurance covers your costs and losses if you experience a data breach or cyber attack. This can supplement your professional indemnity insurance (PII) cover.
Some insurers will ask about security in your firm as it may lower PII premiums. Your firm should already have appropriate security.
What PII covers
A standard compulsory minimum terms and conditions PII policy will cover you for civil liability and most third party cover.
However, it will not cover other risks linked to cyber incidents, such as:
- reputational damage
- costs of a forensics investigation
- business interruption
What cyber insurance covers
Cyber insurance policies have different levels of coverage:
- first party cover – damage caused to your firm
- third party cover – damage caused to clients and others
First party cover
First party cover includes:
- breach costs – for example, costs of getting experts to investigate the cause and scale of the breach
- restoration costs – for example, costs of repairing damage to software and data caused by a hacker, such as removing malware
- response management – for example, getting expert advice to help develop communication strategies to limit reputational damage
- business interruption – for example, paying back fee income that would have been earned
- costs relating to cyber threats – for example, paying ransom costs
Third party cover
Third party cover includes:
- privacy protection – defence costs and settlements following legal action or investigation after a data breach, invasion of privacy or breach of confidentiality
- media content liability – defence costs and settlements following legal action as a result of content on the firm’s website or social media
Risks not covered
Third party cover does not include theft from your firm’s office account by either third parties or employees. You would need to buy a policy with a crime insurance element to cover this.
Buying cyber insurance
Before you buy cyber insurance, you need to understand the potential threats to your firm and the level of risk you'll accept. You should create your own risk management process.
Assessing the risk
When assessing the risks your PII policy does not cover, you should consider:
- how much sensitive information your firm holds
- what the reputational damage would be if you experienced a data breach
- if you would need expert help to identify and respond to a cyberattack
- how well you could recover from an attack – the costs of restoring software and data, avoiding bad publicity and not losing fee income
Using a broker
You should discuss your firm’s insurance needs with a specialist broker who is an expert in cyber and crime policies.
Discuss removing unnecessary elements in the policy, such as cover for regulatory fines and penalties, that are already covered by your firm’s PII policy. This may lower your cyber insurance premiums.
Your broker should advise on issues relating to your cyber and PII policies, including:
- if both will be triggered by a cyber attack
- how coverage disputes can be avoided
- how excesses will be dealt with
- if there are any exclusions in the policy