Managing cyber threats in your supply chain
If cyber threats to your law firm keep you awake at night, you’re not alone.
PwC’s annual law firms’ survey 2023 found 85% of the top 100 UK law firms were concerned that cyber threats will stop them from meeting or exceeding their firm’s ambitions.
Law firms are attractive targets for cybercrime due to the large quantity of sensitive information they store, as well as the client funds they hold.
Small- to medium-sized enterprises can be especially vulnerable, as they may lack the in-house IT support and resources of larger firms.
These cyber threats are evolving and require vigilance and consistent management. Supply chain compromise is one of the most significant, along with phishing, data breaches and ransomware.
In 2023, a cyberattack on CTS, the IT provider for dozens of law firms, created a crisis for many conveyancing firms.
This incident demonstrated how criminals are exploiting firms’ growing reliance on technology services provided by third parties, using them as gateways to infiltrate firms’ networks and steal money or sensitive information.
These supply-chain attacks are usually high-profile and can be reputationally damaging, as they often affect multiple organisations and can cause problems for the public.
The legal sector’s insurance claims reflect the risks of this environment. Sharon Glynn, managing director of underwriting at Travelers Europe, says:
“In respect of both our professional indemnity insurance (PII) claims and cyber insurance claims, we have seen an increase year on year in open claims, and cyber is seeing a significant uptick in claims, so there is a rising tide of cyber exposure that we cannot ignore.”
Understanding the cyber threat landscape
Law firms’ supply chains are a clear target. The systems used for case and document management, collaboration and compliance may be vulnerable, as may internet-connected devices such as CCTV, door access and environmental controls.
Even internet-connected appliances like coffee machines have been used in the past to gain access.
Because of this, law firms have layers of risk to consider, says James Doswell, senior risk management consultant at Travelers Europe.
“Perhaps your firm supplies legal software or platforms to other firms. What happens if your code is compromised by a contracted developer’s poor practices – or worse, a developer takes a copy of your client data?
“Or what if an employee accidentally clicks on a phishing link, which successfully bypasses your defence software?
“These events all impact the supply chain, which also provides legal services to its own customers and is responsible for the integrity of that onward service.”
Putting the right protections in place
There are steps a firm can take to strengthen its protection across the supply chain, but there is no single solution.
Ultimately, it is continuous oversight at every step, across people, systems and insurance, that will improve a firm’s resilience.
However, many law firms don’t have a cybersecurity mitigation plan in place.
So, what are some actions you can take?
- Assess your IT assets and mission-critical systems – if you don’t know what you have, you can’t protect it
- Take ownership of your security – adopt and maintain a framework to support cyber security internally. Be alert to potential points of failure in your firm’s systems and processes, as well as your vendors’ services
- Look for the gaps – the systems you have may not deliver the protection you need
- Plan for the worst case – if a key system is lost, have a back-up plan. Review and test your business continuity, disaster recovery and incident response plans
- Back it up independently – if your supplier is attacked, you should be able to recover data and migrate away from them if needed
- Keep the keys to your kingdom – control of any of your domain names, for example, should be in-house where possible
- Look for cyber security accreditations when tendering – ensure your suppliers practise good cyber hygiene
- Trust but verify – suppliers may need access to your systems, and regular security audit reports should demonstrate that their staff access those systems only in an authorised and controlled manner
- Train your people to spot threats – ensure you have a workforce capable of identifying and stopping evolving threats. Education should be part of your culture
- Spread your risk – avoid using the same systems for everything; that goes for hiring suppliers, migrating data to the cloud or selecting insurance cover
Cyber insurance and PII can be a powerful combination for a firm, providing support in the critical hours during and following a cyber breach, as well as protection against longer-term risks.
This protection works best when there are people within the firm who are committed to keeping it strong.
Chris McMurray, managing director of cyber at Travelers Europe says: “When it comes to security, people are often the weakest link in the chain in any business, and law firms are no different.
“Firms can put themselves in a much stronger place to defend against cybersecurity threats if they evaluate their risks and put in place a multi-layered approach to protection that includes people at its heart.”
Find out more
Contact the Travelers cyber team to learn more about how cyber protection can safeguard your business.
Consult Travelers' list of cyber acronyms to keep track of the latest tools you can use to strengthen your firm’s cybersecurity.
This article is provided for general informational purposes only. It does not, and it is not intended to, provide legal, technical or other professional advice, nor does it amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists or guidelines will result in a particular outcome. Furthermore, laws, regulations, standards, guidance and codes may change from time to time, and you should always refer to the most current requirements and take specific advice when dealing with specific situations. In no event will Travelers be liable in tort, contract or otherwise to anyone who has access to or uses this information.