Cybercrimes cost Australian businesses more than $29 billion each year.
A cyber incident is reported to the Australian Cyber Security Centre every 10 minutes.
The average cost to a business per cyber breach is $276,323.
And this is 2019 data…
Law firms are typically seen as easy targets, and no law firm is immune from cyber threats.
Since the data above was produced, the world has continued to battle the Covid pandemic. In the Australian legal market, it has brought about more legal staff working from home, much greater reliance on cloud-based technologies and remote systems of work, and, as a result, an increasing risk of cyber threats.
Law firm leaders and managers are under increasing pressure to protect against cyber threats. Responsibility can no longer be handballed to IT departments. Leaders and managers are obligated to protect their firms by maintaining the confidentiality of sensitive information, not only their clients’ data but also their own.
What is Cyber Risk?
‘Cyber Risk’ means any risk of financial loss, disruption or damage to the reputation of an organisation from some failure of its information technology systems. Identifying potential cyber threats is becoming increasingly difficult for law firm technology departments, as the sophistication of cyber criminals develops.
While law firms face many varieties of cyber threats, common types include:
- Fraud involving invoicing and electronic fund transfers by diverting funds and obtaining confidential information. In the UK, cyber criminals hacking into a law firm’s email server to intercept and send false emails (usually involving amending bank details) is the biggest threat to law firms. It makes up 80% of cybercrime reported to the Solicitors Regulation Authority (SRA). [1]
- Phishing attacks where staff are tricked into giving away confidential information. Around 80% of law firms in the UK have had at least one phishing attack in the past 12 months, according to a UK Law Society online poll. Phishing attacks often result in cyber criminals obtaining username or password details, therefore making it easy to steal confidential information and/or money.
- Malware involves harmful software encrypting files, stealing data, or spying on your activity. Ransomware, which effectively ‘kidnaps’ your files in return for a ransom payment, is the main malware threat.
Dealing with Cyber Risk
There are two very interconnected ‘pieces’ that law firm leaders and managers should consider when dealing with cyber risk:
- Risk Management which involves formulating and implementing an appropriate technology security response; and
- Risk Transfer which involves shifting cyber risk through insurance.
Anecdotal evidence suggests law firms are lagging behind other professional services and businesses generally in their response to managing cyber risk. The 2021 Gallagher Australia Cyber Insights Report found that only 28% of 600 respondents were confident their cyber incident or data breach incident response plan would meet their business and regulatory requirements. If this continues, then law firms must ensure they have appropriately transferred risk through cyber insurance.
Cyber risk policies are available to protect your law firm from various cyber exposures including, for example, costs to respond to an incident, loss of revenue incurred, cyber extortion, costs to repair and restore systems, insurable regulatory fines and penalties related to a cyber event, and cyber-crime coverage for loss of any funds through fraud.
However, most law firms spend less than they should to protect themselves against cyber threats. One reason is that law firm leaders and managers have a limited understanding of the protections available to them, and what losses can be insured against. The Cyber Insights Report also found that only 43% of respondents were confident they had sufficient insurance in place to cover the associated costs of a cyber incident.
A cyber insurance policy can help your law firm recover quickly after a data breach. It might cover the lost revenue when your business is out of action, and it might pay for the expert help you’ll need to recover your data and get your systems back online. Most of all, it can ensure your firm is back up and running with as little disruption as possible.
Cyber risk is quickly becoming the greatest risk that all law firms face, no matter the size of the firm. As law firms are becoming increasingly targeted by cyber criminals, transferring cyber risk through insurance should be an essential element of all law firms’ insurance programs.
[1] Second quarter 2018.
About the Author
Andrew Price, Managing Principal, PSC Insurance Broking & Law Firm Advisor.
For 20 years Andrew has been working within professional services as a lawyer, law firm CEO/COO of leading insurance law firms, legal management consultant and insurance broker. Andrew’s business provides insurance broking solutions to the legal market, to both law firms and legal services providers, ensuring legal businesses are appropriately protected against risk. Andrew has presented around the world at legal and insurance conferences on law firm management topics, particularly those related to the changing legal environment.