Cyber risk management and the SRA Principles

Cyber risk management is an important - if not explicit - requirement of the SRA Principles, explains Mark Carver. He provides an overview of the requirements and a cyber defence checklist.

Cyber risk is a growing and increasingly significant risk facing law firms. It is impossible to quantify how many law firms have been victim of a cyber attack because, worryingly, firms do not always realise that they have been subject to one, and, even when they do, concern for reputational exposure often prevents them from disclosing the details.

Whilst not explicitly stating so, the SRA Principles 2011, specifically Principles 4, 8 and 10, do require law firms to seriously consider cyber risk. As a result, every law firm should establish the risk, the impact it could have on its clients and its business, and should also consider the extent to which that risk could be transferred via insurance.

Principle 4 requires law firms to protect the personal and confidential information of clients. Law firms hold significant personal and confidential information in their case files. Firms also hold personal information in respect of partners and staff.

Such personal information can include:

  • names
  • addresses
  • telephone numbers
  • bank accounts and
  • credit card details.

Solicitors have a duty to protect such information. Some insurance protection will be offered by the firm’s professional indemnity (PI) insurance policy; however, the firm will still have to deal with losses that stem from loss of employee personal data, notification, and credit monitoring costs.

Principle 10 requires firms to protect client money and assets. The role solicitors play in client transactions and the fact that solicitors often have control over substantial sums of client money makes the profession a particularly attractive target for cyber criminals. It is commonplace for solicitors to use emails to accept and validate instructions from clients. Without the proper systems in place, such emails can be intercepted by fraudsters, who then provide false bank account details and instruct the solicitor to pay monies to a different bank account.

Principle 8 requires firms to run their business with proper governance and sound financial and risk management principles. In order to meet this requirement, cyber risk needs to be on the agenda and should be the responsibility of the management board, rather than delegated to the IT department. Additional risks to consider include the reputational risk to the firm and the impact on the business of not being able to use the IT system. Given that GCHQ estimate 80 per cent of cyber attacks could be prevented by following best practice, it is clear that cyber risk should be central to any risk management policy. Solicitors should also consider specific cyber insurances, rather than rely on their PI policy, in order to transfer many of the risks and provide support services in the event of a breach of cyber security.

Cyber defence checklist

  1. Hire an expert to conduct an independent assessment
  2. Update all processing systems
  3. Upgrade firewall and virus protection
  4. Encrypt sensitive data
  5. Employ ‘bring your own device’ rules
  6. Conduct penetration test of systems
  7. Procure comprehensive cyber insurance
  8. Develop crisis response plan

Chancery Pii offers a dedicated service for 1 to 4 partner firms, providing A+ rated (Standard & Poor’s) or equivalent cover from a unique panel of insurers not accessible to brokers.