Published 20 June 2016
Cyber risk and incidents remain a regular feature in news headlines around the world, most recently illustrated by the colossal breach of Panamanian law firm Mossack Fonseca. The threat is so wide ranging that tackling the subject and deciding how to mitigate the risk can be a real challenge for solicitors.
In some ways the term "cyber" has been helpful in raising awareness of technology-linked risks but at the same time this term can be confusing when it comes to identifying what the related risks are. If national governments and global financial institutions have yet to agree the scope of cyber risk (there is no comprehensive framework for the risk assessment of cyber catastrophes), then there should be a healthy dose of sympathy for a typical solicitor’s firm trying to do the same.
One simple view of “cyber risk” is to break it down into two concepts: operational and informational risk.
Operational cyber risk arises out of a firm's unprecedented reliance on electronic systems and the devastating effect on business that can occur when those systems are interrupted or interfered with. In January, Lincolnshire County Council lost access to its systems for over a week following a fairly unsophisticated cyber attack.
In February 2016, as part of a seminar on cyber business interruption, we considered a case study involving a fictional law firm called Uber Law which fell victim to a malware attack and suffered 3 days of interruption as it had to rectify 300 infected computers. You can watch a summary of the case study here, and the entire seminar here.
The financial losses suffered by law firms due to operational cyber risks are typically not insured under the Minimum Terms and Conditions, driving demand for new dedicated cyber coverages either as standalone policies or as an “add-on” to existing policies.
Informational cyber risk arises out of the legal and commercial risks attaching to data and information. Solicitors' firms are no different to any other company in holding ever-increasing volumes of electronic data.
The massive data breach suffered by Mossack Fonseca grabbed headlines around the world and demonstrated the informational risk that solicitors' firms carry not only for their clients but also for their clients’ clients. For many years, cyber security commentators have warned how professional services firms, including solicitors, are high-risk targets as they act as “aggregators” of sensitive information.
The Panamanian breach and other high-profile data breaches in the UK have served to highlight how unacceptable it is for companies not to have a clear understanding of what data they hold, what they are doing with it, and how it is secured. One security commentator remarked that Mossack Fonseca showed an “astonishing” disregard for security.
When considering the operational and information aspects of cyber risk, it quickly becomes clear that cyber is a risk that can only be mitigated and not eliminated. Therefore, companies should also prepare and rehearse for cyber and data breach incidents, and even consider purchasing cyber insurance coverage.
The following precautions may help minimise the risk of a data attack: