ARTICLE
Cyber risk and the legal practice – what creates risk and how to begin managing it
“All firms are now tech firms.” This has become a commonly repeated mantra within business circles over the last few years. The real implication of this phrase is not that all businesses provide technology services to their clients, but rather that digital technology is now integral to the working of almost all businesses. Mainstream news regularly covers cyber incidents, such as data breaches and denial of service attacks. It is thought that 46%[1] of UK businesses have fallen victim to a cyber breach in the last year.

With cyber risks ever increasing, where does the legal profession sit? The key is to understand why a cyber criminal might specifically target a legal firm, how they might go about doing it, and the critical actions firms can take to manage the threat.

Why target a legal firm?

By their very nature, many legal firms hold significant amounts of sensitive client data. Information around mergers and acquisitions, pending legal action, and shifts in the market could be directly monetised by cyber criminals. These are the obvious targets, though this model is still reliant on finding a buyer for the stolen data.

Ransomware attacks circumvent this necessity by cryptographically locking digital files, before demanding a ransom for their return. Ransomware is fast becoming one of the most prevalent types of attack, because it can be extremely financially rewarding for cyber criminals. This involves using malicious software to encrypt information or lock computer hardware, restricting access unless a decryption key is provided. Typically, this key can only be retrieved through a ransom payment. In 2020, the average ransomware demand has risen to $84,000[2] (£64,500), but demands in the millions are commonplace.

20 | CENTRAL LONDON LAWYER

In the event of such an attack, legal firms must be confident that they can continue providing the important services that clients rely on. In the worst-case scenario, a lack of preparation for such an incident can create an extinction event, whereby all operations cease. Regardless of the ransom demanded, the loss of clients, reputational damage, and remedial costs could prove much higher. At the same time, the regulatory backdrop has changed with the advent of GDPR, the consequences of which could include significant fines of up to 4% of global turnover.

As for paying the ransom itself, this could mark you as an organisation that will pay and might encourage other attackers. Similarly, there is also a chance that the attackers will not actually decrypt the data, either because they do not want to, or because their malware is faulty and they can’t. The Solicitors Regulation Authority encourages solicitors to ‘consider their duties to the public interest and the rule of law when deciding on ethical questions such as this’.

As more businesses have mitigated ransomware attacks by restoring from offline backups, the “ransom or dump” approach has emerged. In these instances, criminals steal victim data and threaten to dump it onto the open Internet if the ransom is not paid, greatly increasing the pressure on the victim to pay.

Aside from the obvious ways to monetise data, legal entities are particularly appealing to cyber criminals not only for their