What to do after a cyber attack

If you’ve been hacked, you should follow your response plan to alert the right members of staff, take actions to stop the attack, and reduce the damage.

This may involve:

• disconnecting from the internet
• disabling remote access
• installing any pending security updates or patches
• changing passwords
• maintenance work on your firewall

Document the attack and the steps you took to fix it. You’ll need these records if you need to report the attack, for example under GDPR.

Find out what happened

Investigate the hack to understand the extent of it. Do not delete any files as this could make the situation worse.

If you have a website hacker protection service, the monitoring service should give you an early warning that you’ve been attacked.

Taking down your website

If your website is badly attacked, you may decide to take it down in the short term.

If you do not already have a back-up plan in place, ask your hosting provider to back up your website data.

You can use external website hack cleaning services to scan, diagnose and fix your website.

Your reporting duty will depend on the kind of cyber attack you’ve experienced and what the damage was.

If money is lost

You must tell the Solicitors Regulatory Authority (SRA) immediately if you lose client money or information through an attack, even if you later recover it. It will expect you to:

• tell the client
• repay any money you lost
• take steps to reduce risks of a further attack

You should also contact:

• your bank to find out whether it will be able to replace the funds
• your professional indemnity insurer

If sensitive personal data is lost

Under the GDPR, if you’ve lost sensitive personal data you must report this to the Information Commissioner’s Office (ICO).

You may also wish to report attacks to the SRA and Action Fraud to raise awareness of risks and allow others to learn from the event.

Telling clients

You may need to tell your clients if the attack is likely to negatively affect their personal data or privacy. You do not need to do this if you can prove the data was protected with encryption or a similar security measure.

ICO’s guide to personal data breaches and notification form

You should have a PR strategy in place to handle any incoming questions from clients. Tell your client-facing employees what your position is and give them any Q&As that may be useful.

At an appropriate point, review the attack with your employees:

• how it happened
• what the impact was
• what went well in responding to the attack
• what improvements could be made

Resources

How to protect your firm from cyber attack

You should be aware of client confidentiality when talking to your insurers.

Professional indemnity insurance

Under the terms of your professional indemnity insurance (PII) policy, you must tell your insurer about any circumstances that may lead to a claim.

You’ll also have to give some details of your insurers to clients and/or claimants – see the SRA Indemnity Insurance Rules and the Provision of Services Regulations 2009. These regulations apply only to the compulsory element of the insurance.

You should not give information about your insurers beyond what is necessary. Ideally, get your insurer to agree what you may tell clients and other parties.

Do not admit liability or offer a settlement to any third party without consent from your insurers.

Cyber insurance

If you have cyber insurance, you might be able to get help with:

• stopping the attack
• the cost of responding to a data breach
• investigating the cause of the attack
• restoring systems and recovering information
• informing clients
• repairing reputational damage
• fines (where insurable by law)
• cyber extortion

Read more on cyber insurance