In July, the National Cyber Security Centre (NCSC) published a report entitled The cyber threat to UK legal sector. As in many industries, the cyber threat to the legal sector is significant, as recent examples including DLA Piper and the infamous Panama and Paradise Papers hacks demonstrate.

The financial and reputational impact of a cyber attack on a law firm can be considerable. Law firms hold large volumes of sensitive business and client data, which makes them tantalising targets for cyber exploitation. The SRA reports that over £11m of client money was stolen through cyber crime in 2016-17. Furthermore, any firm which suffers a successful attack will face a loss of trust from current and potential clients, not to mention the prospect of liability claims.

The overall cyber threat to business is rising, and law firms are not exempt. According to the 2017 PwC Law Firm Survey, 60% of firms reported an information security incident in the last year, an increase from 42% in 2014. In the new GDPR environment, this figure may be even higher now. The increasing move to offer digital legal services also creates new opportunities for hackers or malicious parties to target law firms.

The NCSC report warns that the most significant threats law firms should be aware of are:

  • Phishing
  • Data breaches
  • Ransomware
  • Supply chain compromise

Legal Week’s Benchmark study, entitled ‘Locked Down?’, in association with Stroz Friedberg, found that only 35% of law firms have a response plan in place for a cyber-attack, compared with 52% of non-lawyers.

Law firms need to take the cyber threat seriously and invest in resources, ongoing monitoring, and employee training designed to incubate a resilient organisational culture. Cyber security should be treated as a strategic risk management issue, not dismissed as merely an IT issue, as it unfortunately so often is.