
Cyber-security: Why are some law firms not taking the cyber threat seriously?

Brian Rogers

Regulatory Director

The Solicitors Regulation Authority (SRA) recently published a report on its thematic review of cyber-security within law firms, and although it found plenty of good practice going on, it also found some concerning failings.

Three-quarters (30) of the firms the SRA visited reported having been the victims of a cyber-attack. Worse still, at 23 of the firms that were directly targeted, over £4m of clients’ money was stolen and had to be repaid by the firms and/or their insurers. This is not a cheap exercise once you add the other costs associated with cyber-attacks, such as increased insurance premiums, lost fee-earner and management time, and upgrading IT systems.

Money can address many things, but one thing it can’t address is the loss of your reputation and clients defecting to competitors that have better cyber-security arrangements in place. Evidently it is far better to protect client assets and money properly from the outset, rather than waiting until something has happened.

So, what were some of the areas for concern found by the SRA during its visit to 40 law firms of various sizes?

1. Policies and controls

Just over 25% of the firms were found to have inadequate cyber-related policies, with 10 having poor controls. How are staff expected to protect their firms and clients from cyber-attacks when appropriate policies and controls are not in place and policed?

It would be interesting to know how many of the firms were Lexcel/CQS accredited, as not only would they have been breaching the SRA Codes of Conduct but also the obligations they have under these accreditations.


2. Training

Worryingly, 20% of the firms visited had never provided staff with specific cyber training, and 50% had not recorded details of the training they had provided. In light of this, it is hard to see how individual solicitors and their firms can sign off their competency statements, let alone prove that their staff as a whole have acted in the best interests of clients and have been in a position to protect clients’ assets and money.


3. Data security

With all the publicity there has been around data protection over the last few years it is hard to understand why 50% of firms have allowed unrestricted use of external data storage media, with 25% of firms not encrypting their laptops.

Allowing staff to use external storage media not only exposes firms and their clients to viruses being introduced to their systems, but also makes it easy for staff to remove client data. Additionally, a lack of encryption puts client data at risk when staff are working out of the office or travelling on public transport.


4. Reporting cyber incidents

Seven significant incidents were not reported to the SRA when they clearly should have been, with another 24 firms not keeping specific logs of cyber incidents. Seven firms said they kept details but were unable to produce them when asked to do so by the SRA, exposing themselves to potential action for misleading their regulator.


5. Budgets

It could be said that firms take a risk area seriously when they set aside a specific budget for it. However, as 35 firms had not allocated an annual budget for cyber-related activity, this suggests that cyber-crime is not presently seen as a high priority.


How we can help

In partnership with Practical Vision (Lawyer Checker), we look at more findings from the SRA’s thematic review and discuss client funds transfer fraud. Watch our webinar on-demand for insights on how to mitigate your risk.


We are committed to supporting our customers in these difficult times and can provide various resources and services that can help you protect your firm. Discover our full eLearning course collection for the legal sector today, which includes our best-of-breed CQS training.