Why cyber insurance isn't a substitute for cyber risk management

You’ve bought a cyber insurance policy to help protect your firm against devastating cyberattacks. It looks comprehensive so you can finally sleep at night. But before you get too carried away, is that really the case? Our strategic partner, Mitigo, explains the difference between cyber risk management and cyber insurance.

Many law firms which have been victims of a cyberattack held cyber insurance policies. That cyber insurance did not prevent them from being the next victim.

Of course, you will be glad you had the policy if the worst does happen, but it is essential to understand the difference between cyber risk management and cyber insurance.

Simply put, cyber insurance is the transfer of residual risk once you have taken the right steps to manage your cyber risks in the first place.

That includes carrying out proper cyber risk assessments and implementing robust cybersecurity controls.

What is not covered by cyber insurance?

There is no substitute for having proper cyber risk management in place.

Cyber insurance may allow some costs to be recouped, provide cyber specialists to help deal with the immediate crisis and may even allow payment of a ransom demand in some cases.

However, there are a range of issues that cannot be resolved by simply putting insurance in place. These can include:

  • the valuable time lost to resolving the matter
  • fee earners being unable to work
  • explaining to clients that their data has been breached
  • reporting the incident to the Information Commissioner's Office (ICO), the Solicitors Regulation Authority (SRA) and law enforcement agencies

The National Cyber Security Centre (NCSC) notes that: “cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”

So, it’s important that firms engage in cyber risk management, over and above any insurance they have.

Why is cyber risk management essential for law firms?

The legal industry is a high-risk sector when it comes to cybersecurity.

Criminals have found a variety of methods, including email account takeover and ransomware attacks, to be particularly profitable in a profession where data protection and client confidentiality are crucial.

The major risks of failing to proactively implement strong cybersecurity measures, which cyber insurance will not help with, include:

Breaches of client confidentiality

A breach of client confidentiality will have implications for your clients, your cases and your reputation.

It is very hard to remedy the loss of confidentiality in any meaningful way and there is a substantial risk that major clients could look elsewhere for advice or representation.

Business disruption

Business disruption can also result in substantial losses, both in momentum and for clients who may lose trust in a firm that has failed to put adequate security in place.

The initial difficulties can be crippling, and the long-term issues can last for many weeks or months whilst those involved scramble to restore systems and databases and persuade clients not to jump ship.

Breach of legal and regulatory obligations

The SRA requires all law firms to comply with legislation. This includes compliance with the UK General Data Protection Regulation (GDPR) for the protection of personal data.

Basic requirements include:

  • providing relevant training to personnel
  • having the right policies and framework in place in respect of governance
  • regularly testing, assessing and evaluating the controls
  • being able to provide evidence of compliance with the above

Failure to comply with legal and regulatory obligations can result in substantial fines – fines, by the way, that your cyber insurance policy won’t cover.

ICO fines – real examples

Firm one

Recently, the ICO fined a firm £98,000 following a ransomware attack that resulted in a data breach.

Files were encrypted by the hackers, including court bundles, and a number were offered for sale on the dark web.

The ICO found this was a result of the firm’s failure to implement appropriate technical and organisational measures, and that the firm had failed to process personal data in a way that ensured its security and protection.

The ICO stated that due to the confidential nature of data held, schemes such as Cyber Essentials and Cyber Essentials Plus were not sufficient security standards.

The ICO also highlighted breaches of the SRA Code of Conduct which it regarded as an aggravating factor. These included provisions relating to the need for:

  • effective governance structures, systems, and controls for compliance
  • identification, monitoring and managing all material risks
  • keeping up to date and following laws and regulations
  • safeguarding money and assets

Firm two

In another case, the ICO fined the firm £4.4m over its failure to protect its employees’ data from cyberattacks.

The Information Commissioner said that companies should “expect a similar fine from my office” if they fail to put proper protections in place.

The ICO made it clear it will have regard to “relevant industry standards of good practice” such as:

  • ISO 27001
  • the National Institute of Standards and Technology
  • the various guidance from the ICO, NCSC and from any sector regulator

The importance of dealing with cybersecurity at partner level

Given that cybersecurity failures have the potential to devastate a firm, senior leadership must take control of security.

It is the senior partners who will have to face the consequences, answer to regulators, the ICO, clients, other affected third parties and their own colleagues.

The senior leadership team need to have the appropriate management information in place, and it should be discussed regularly at partners’ meetings.

The government’s draft Cyber Governance Code of Practice, aimed at executive and non-executive directors and other senior leaders, highlights the fact that cyber risk should have the same prominence as financial or legal risks and that responsibility and ownership of cyber resilience is a board-level matter.

Proper cyber risk management also requires some independent assurance carried out by genuine cybersecurity specialists with in-depth knowledge of the latest security risks.

Who are Mitigo and how can we help?

At Mitigo, we offer specialist advice and cybersecurity services to law firms, barristers’ chambers and other legal businesses. We are not an IT company.

We know that you are a prime target for cybercriminals and our experts have the understanding needed of both your business and potential cyber risks to give you the protection you need.

We can work with your business and your IT partner to identify potential risks and eliminate them without delay.

So don’t rely on your cyber insurance to save the day. The only way of effectively protecting your organisation is to ensure that your security protocols and systems are as strong as possible.

Mitigo are an affiliate partner of the Law Society of England and Wales, strategic partner to the Law Society of Scotland and service partner to the Bar Council.

Our bespoke service takes into account the particular requirements of the legal industry and the threats you face.

Contact us today for a vulnerability risk assessment

If you would like a cybersecurity overview carried out by our cybersecurity experts, fill out our contact form, or see below.

We will identify any issues that need attention and work with your business to ensure that you have the optimal cybersecurity protection for your organisation.

The Law Society has partnered with Mitigo to offer technical and cybersecurity services with exclusive discounts for our members.

Find out more about Mitigo’s cybersecurity services

To book a free no-obligation consultation or for more information call Mitigo on 020 8191 9205 or email lawsociety@mitigogroup.com.