Under attack: dealing with a cyber-breach
Your firm’s computer systems have been compromised by a hacker, who gained access when an employee unwittingly clicked on a malicious link in an email. Faced with this unwelcome scenario, you’ll have to answer any number of difficult questions:
- When did the hacker get access?
- Are they still able to access the system?
- How much confidential client data has been compromised?
- What should we do first?
- When should we notify the regulators?
- When should we tell our clients?
While it can be easy to become overwhelmed by uncertainty in the immediate aftermath of an attack, answering these questions correctly and decisively is critical if the cyber-breach is to be contained, and possible financial and reputational damage minimised.
What data has been hacked?
The first task is to establish the extent of the cyber-breach. You can’t do anything until you know how much data has been compromised. Has data been stolen? Which files have been accessed? Whose email accounts have been targeted? It is unlikely that many firms – particularly smaller firms – will have access to the sort of in-house IT expertise that can answer these questions and repair the breach. This is where third-party IT forensics experts play such a critical role. It also helps your firm tell a better story – given you will be likely to have to advise regulators and clients – in terms of how you have engaged independent experts to help manage the breach. Additionally, the relationship is protected by client privilege, which adds a layer of protection for your firm.
You will also probably need independent legal advice, in the same way that you would if there was a professional negligence claim being brought against you. This advice will help you understand which regulators need to be notified and when, and while larger firms might have this expertise, there is again that question of getting an independent view which adds credibility to the external story that will need to be told.
What do you tell the regulators?
Once you have a clear idea of what information has been accessed and when, you can make decisions about what to tell regulators and clients. The timing of this is largely dictated by the General Data Protection Regulation (GDPR) which, if personally identifiable information (PII) has been accessed – and it usually has – requires UK firms to inform the Information Commissioner’s Office (ICO) within 72 hours after the firm has become aware of the breach.
What do you tell your clients?
Another source of assistance you could bring in is around advice for external client communications. The bigger the breach, the more likely you will need external public relations help to deal with possible interest from the media, for example. There is, of course, a risk that clients will leave your firm as a result of the breach, which means communications has a big role to play in managing your firm’s reputation and mitigating the concerns of clients. There is another risk in telling clients too early if you don’t yet have full details at your disposal; similarly, leave it too late and you open yourself up to allegations of concealing an issue which clients need to know about, particularly if there is an associated risk. Again, independent advice can help manage this tricky tightrope.
What do you tell your employees?
You need to be careful how you share information about the breach within the business. Don’t be tempted to tell everyone internally on day one, for example. The more people who know about it, the greater the chance of an external leak, which will compromise your strategy for dealing with external communications and might mean you have to communicate earlier than you intended to. Establishing a crisis management team on day one should be a core part of every law firm’s response to a cyber- or information breach, which for some small firms might be self-selecting, but for bigger firms, might be some of the partners plus representatives from IT, HR, communications and marketing.
How can you stop future attacks happening?
The majority of the breaches we deal with on behalf of our clients are as a result of human error by someone in the business. People are usually the weakest link in any company’s cyber-defences. You can have the best cybersecurity measures in place, but it won’t help if someone opens a file that they shouldn’t, which is why staff training in cyber best practice – such as good password management and how to recognise suspicious emails – is key.
Keep it in perspective
Cyber-incidents need to be kept in perspective. The number of companies being hit by cyber-attacks is rising all the time – in the Hiscox Cyber Readiness Report 2018, 45 per cent of the 4,000+ organisations surveyed were hit by at least one cyber-attack in the past year – and it is a question of ‘when’, rather than ‘if’, for most law firms. Firms are more likely to be punished for a poor response to a breach or cyber-incident than they are for the incident itself. As law firms are prime targets for hackers due to the sensitive information they hold on behalf of clients – and because many of them control a great deal of their clients’ money – making sure you are prepared to deal with a cyber-attack with access to the right experts before an attack happens is an important part of cybersecurity readiness.
Hiscox is a Law Society partner and provides cyber- and data risks insurance, designed to support and protect your practice in the event of a data breach or malicious hack of computer systems. Find out more about their insurance or call 0800 840 2781. Law Society members save 5%.