Is your cyber door unlocked?

Most of us wouldn't leave our home unlocked or a window open when we go out. So, the news from the Office for National Statistics that we are 40 per cent more likely to be a victim of cybercrime than burglary is perhaps not surprising. Criminals have long since realised that there are easier rewards from going through an easy to open cyber 'door' than there are from carrying out a physical break-in to a locked home or an office.

Almost half of professional firms fall victim to cyber attack

These figures are further backed up by the Hiscox Cyber Readiness Report 2018 - a survey of more than 4,000 organisations from across the UK, Europe and the US - which found that almost half (45 per cent) had been hit by at least one cyber-attack in the past year. For professional services firms (including legal firms), the figure was slightly higher, at 46 per cent.

The most frequently reported cyber-attacks according to the Hiscox report are viruses, ransomware and distributed denial of service (DDOS) - where a single computer system is targeted with the aim of bringing it down. New methods used by criminals include methods like payment diversion fraud which typically involves a fraudster's email appearing to come from a legitimate supplier or a colleague advising a change of payment bank details.

Treat cybercrime as seriously as any other potential crime

Part of the problem is that many firms do not treat the risk of cybercrime like any other crime whether it's burglary, embezzlement, theft or fraud. But the penalties can be much higher. Take the theft of data by a hacker which can lead to reputational damage as well as a high financial cost of putting things right. The recently introduced General Data Protection Regulation (GDPR) - which the UK has indicated it will retain after leaving the EU - imposes fines of up to four per cent of a firm's turnover, or the equivalent of €20 million (whichever is higher) if it fails to protect personal data. Where a personal data breach poses a risk to individuals, firms have to notify the Information Commissioner's Office without undue delay and, where feasible, not later than 72 hours after having become aware of it. Where there is a high risk, they also need to communicate the breach to everyone affected by it. Again, the costs of having to take these measures will be significant.

There are further legal implications to the partners of a firm who could, following a data breach, be found in breach of their statutory duties as set out in the Companies Act 2006 if they don't have the appropriate insurance in place.

The steps every legal firm should take

While no business can ever guarantee that it won't fall victim to cybercrime – much as no building can ever be completely safe from being burgled – there are a number of steps that every legal firm should take. The UK government's Cyber Essentials initiative provides a number of simple steps, including the use of a firewall to keep the internet connection safe; secure settings for software and devices; and protection from viruses and other malware.

Cyber-insurance can be an important part of that protection and legal firms should consider buying cover if they have a website; hold sensitive customer information such as names, addresses or bank details; are reliant on computer systems to run their business; and/or are subject to a payment card industry (PCI) merchant services agreement.

A good cyber-insurance policy will meet the immediate costs of a data breach such as notification costs, as well as the IT costs of putting things right and any loss to the business of systems being unavailable following a hack. It will also pay the costs of any claims made against the business and civil penalties where the law allows. But how much cover is right for the size of each business?

Understanding the level of insurance cover needed

To get the right level of cyber- and data insurance, it's important that every firm assesses the risks specific to their business. This will involve understanding how much personal data is held by the business and how sensitive that information is; the size of the firm; and its dependence on computer systems to operate.

Through a combination of taking basic precautions and purchasing cyber- and data insurance, legal firms can take a big step towards preventing a successful cyber-attack and, should the worst happen, minimising the reputational and financial costs. Perhaps the biggest part of the challenge though is for every law firm – no matter its size - to recognise that they are now more likely to be a victim of cybercrime than they are of conventional crimes.

Hiscox Cyber and Data Risks Insurance is available to Law Society members with a five per cent discount. To find out more, visit Hiscox's website or call 0800 840 2781.