Following the recent £98,000 fine issued by the Information Commissioner's Office (ICO) to a law firm that suffered a ransomware attack on its systems, we discuss the case and the lessons learnt.
Alex, what are the common causes of data breaches/incidents in the legal sector?
A cyber incident, in short, is any disruption to a network – caused by a number of factors including:
- Failure or weakness of the systems
- Malware attack – a cyber attacker can plant malware onto your firm’s network, damaging it or holding it to ransom
- Data breaches – sending sensitive information to the wrong client by accident, or a cyber attacker who accesses the network, harvests all your data and sells it on the dark web
- Damage to data – an employee accidentally erasing a network drive or database or a threat actor hacking in and wiping the network, so it isn’t operable
- Phishing attacks – Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity (such as a client or employee), dupes a victim into opening an email, instant message, or text message
We frequently hear the terms multi-factor authentication (MFA) and patch management being used. What are they, and should law firms have them in place?
MFA adds an additional layer of identification when signing in or accessing information. An example would be signing into an email account and being asked to confirm a code sent to your own mobile device before access to the account is granted.
Patch Management is the process of implementing and applying updates to your software.
Should all law firms have these? YES!
A lack of MFA is one of the most common causes of ransomware attacks. Cyber insurers now require MFA for remote access, access to critical systems, access to backups, and privileged/administrator access, as an absolute minimum standard to obtain cyber insurance.
Patch management is equally important: leaving software unpatched can leave massive holes in your cyber security, giving hackers easy access.
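To show what sits behind the "code on your phone" step described above, here is an added example (not part of the original interview) of the time-based one-time password scheme from RFC 6238 that authenticator apps use: the server and the phone share a secret, each derives a six-digit code from that secret and the current 30-second time step, and the server accepts only a code for the current step (or one step either side, for clock drift) that has not already been used. The secret below is the RFC 4226/6238 test secret, and the issuer and account name are placeholders.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.
Added example; the secret, issuer and account below are placeholders."""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # each code is valid for one 30-second step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = DIGITS,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_accepted: int = -1, skew_steps: int = 1):
    """Server-side check. Returns the time-step counter that matched, or None.
    Accepts the current step plus `skew_steps` either side (phone clock drift)
    and refuses any step not newer than `last_accepted`, so a code that has
    already been used cannot be replayed within the skew window."""
    if not submitted.isdigit() or len(submitted) != DIGITS:
        return None
    counter = at_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from an enrolment QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "digits": DIGITS, "period": STEP_SECONDS,
    })
    return f"otpauth://totp/{label}?{params}"


if __name__ == "__main__":
    # RFC test secret; a real enrolment would use os.urandom(20) per user
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "fee.earner@example-law.co.uk", "ExampleLaw"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("verified at step:", verify_totp(secret, code, now))
    print("replay rejected:", verify_totp(secret, code, now,
                                          last_accepted=now // STEP_SECONDS))
```

The `last_accepted` counter is the detail most home-grown implementations miss: without it, a code phished from a user a few seconds earlier is still valid for the rest of the window, which is exactly the gap an attacker relaying a login page relies on.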
What should law firms do to avoid attacks and breaches as well as a fine from the ICO?
MFA is one of several processes that can improve your overall cyber security posture. With ransomware attacks increasing significantly, both in volume and value of the demands, it is important that you review the controls in place and ensure that you are working to protect the data you hold – both your own organisational data but also the data of third parties.
Other key security controls sought after by insurers are:
- Regular phishing training and awareness for all employees
- Identify and minimise the users on the network who have local admin rights/provisions
- Implement an Endpoint Detection and Response (EDR) solution
- Regularly review and carry out due diligence of any of your third-party vendors
- Implement tools to monitor administrator access
- Ensure backups are regularly tested and kept offline where possible
Are cyber incidents covered under a firm’s PI policy?
A professional indemnity policy may provide some cover for claims caused by cyber issues as part of the general negligence / civil liability cover, but there are likely to be exclusions and limitations. It is unwise to rely solely on such a policy to provide proper protection against the cyber risks faced by a business.
A cyber policy is split into first- and third-party cover, which is significantly more than PI covers. First-party cover includes:
- Incident Response (this is important as reacting quickly is crucial)
- Business Interruption (a lifesaver as some firms may be out of operation for several weeks)
- Cyber Extortion (without this, firms will have to pay a ransom out of their pocket which many simply can’t afford)
- Digital Asset Loss
- Dependent Business Interruption (i.e. a third-party provider is shut down and causes a disruption to your business)
- Reputational damage
- Damages and claim expenses
- Media liability
Cyber insurance provides an insured with a backstop that will pay the costs incurred to help resolve an incident, repair damage and restore lost data following a cyber incident. It will also respond if a claim is brought against them by a third party because of that cyber incident.
‘Do I really need a cyber policy?’ is what clients frequently ask – what are your thoughts?
If a company relies on its networks to conduct business, holds sensitive personal data or is a possible target for activists, it should seriously consider a cyber policy, because it will be targeted by cyber attackers who are now sophisticated criminal organisations.
If a hacker wants to get in, they will.
Crucially, a cyber policy helps with:
Digital Asset Loss – where data and/or software is destroyed because of a network security failure, an outside breach of a business's systems, or sometimes by an employee. A cyber policy covers the costs associated with rebuilding those systems.
Media Liability – a cyber policy provides cover for losses arising out of media content, usually a client's online content. It also helps with reputational costs by paying for public relations services.
Incident Response Service – a 24/7 cyber response hotline, IT forensic experts to help find the cause and extent of a security breach, and legal counsel to ascertain your obligations in the relevant jurisdictions.
Many firms, especially in the legal sector, don’t see cyber as a credible threat. A firm’s biggest weakness is believing they will not be a target and so therefore fail to protect themselves. To finish, here are some frightening cyber statistics:
- Over 400,000 reports of fraud and cybercrime in the UK in 2021
- Four in ten UK businesses report having a cyber security breach or attack in the last 12 months
- Average cost of a data breach in the UK in 2021 was USD3.88m
- 67% increase in security breaches in the past five years (globally)
- USD10.5tn – the anticipated cost of cybercrime per year by 2025
- 935% increase in “double extortion” ransomware attacks