
UK: As threat actors use AI to escalate cyber threats, how can law firms protect themselves?

  • Professional Indemnity Insurance
  • Cyber Insurance
The Knowledge, 19th February 2024

In the past year, new developments in technology have ushered in transformative possibilities for how law firms operate. Specifically, more firms have begun using – and, in some cases, developing – generative artificial intelligence (AI) tools. The technology has the potential to reform law firms’ relationships with clients and employees, as well as their competitive landscape.

Just as there is potential for law firms to benefit from AI, cyber criminals can gain from it too. The cybersecurity industry has been alert to the possibility that AI will be used in the commission and automation of cyber attacks. What could this mean? James Doswell, Senior Cyber Risk Management Consultant at Travelers Europe, says an AI-driven attack could allow threat actors to unleash far more advanced and fast-acting malware on the organisations they target. While law firms might use AI themselves to manage, automate and analyse aspects of their security, there is still potential for this security mechanism to be trained by an attacker. As a result, law firms need the right protections against the cyber threats they face – and they must be able to implement them more quickly than before.

The risks are especially acute for law firms, which were appealing targets for cybercrime well before threat actors could harness AI in their attacks. According to research published last year by Cert-UK, the forerunner to the National Cyber Security Centre, 65% of law firms have been a victim of a cyber attack, yet 35% of firms don’t have a cyber mitigation plan in place. [1] Research from Cyfor Secure Cyber Security found a concentration of cyber attacks against large law firms, with 90% of the top 25 UK law firms experiencing a threat. Smaller firms are vulnerable too: often viewed as easier targets, they may lack the infrastructure to prevent and respond to a cyber attack, as well as the resources to recover from one. [2]

That explains why 85% of the top 100 UK law firms said they were extremely or somewhat concerned that cyber threats will stop them from meeting and/or exceeding their firm’s ambitions, according to PwC’s Annual Law Firms’ Survey 2023. [3]

“We are seeing firms increase their security through the recruitment of dedicated cyber security teams, implementation of new systems, and purchase of cyber insurance, amongst other things,” said Sharon Glynn, director and underwriter in the Bond & Specialty department at Travelers Europe. “This is at a financial cost for law firms, but when you consider the costs of a successful attack – reputation, rehabilitation, business interruption, restoration, to name but a few – the spend starts to look more like an investment. The crucial part is to ensure that each part of the defence system covers people, systems and third-party suppliers. The increasing sophistication of threat actors means law firms simply cannot afford any gap in their defences.”

Improving safety with layered protections

It is nearly impossible to stop a determined cyber attacker. However, just as a person can take steps to minimise their risk of a home burglary, a firm can take action to minimise the likelihood of a cyber attack and to contain its scope and any subsequent damage. Security solutions all have pros and cons, so building up layers of protection in a well-planned structure can reduce risk – even from AI-enhanced attacks.

An organisation’s cybersecurity protections will likely already include a combination of defences, such as antivirus and MFA, to name but a few. Combined with up-to-date software and patching to remove vulnerabilities or enhance, the solutions chosen should complement each other to provide the depth of security necessary.

Proactive defence solutions, in particular Endpoint Protection Platforms (EPP), can augment existing solutions to create an exceptionally strong security architecture. They are used to prevent file-based malware attacks, detect threats, and respond to security incidents as they happen. Some defences cope even if critical vulnerabilities are present that would normally give an attacker full admin access to the system. These proactive solutions effectively lock down applications to only their authorised libraries on the computers being protected. This can provide exceptional protection against unknown threats, such as zero-day attacks, or in very rapidly changing scenarios, such as a live attack.

As cyber risks evolve, human behaviour will need to evolve too – an elevation in staff awareness of phishing or fraud attempts is already taking place. Patching cycles will likely have to be carried out or secured differently – perhaps continually. Existing cyber protections will need to be reviewed on an ongoing basis to ensure they remain fit for purpose and deployed with no system left vulnerable. Employees will likely need additional education about the appropriate protections to use and how to apply them properly so they can make themselves harder targets. The firm may also have to review its cyber insurance protection and the steps it needs to take – both before an attack to limit risks, as well as in the immediate aftermath of a breach to access expert support quickly.

Anticipating the risks

Cyber risks are a moving target and will require continued vigilance from firms as threat actors employ increasingly sophisticated methods to target sensitive information. Even if AI-driven attacks haven’t yet materialised in law firms, it’s likely that attackers will eventually make use of this technology. AI has introduced both benefits and disadvantages when it comes to cyber risk, so it will challenge organisations to rethink their security and what checks they have in place.

As organisations weigh their threats, they must consider the business-critical information they hold, the risk to the business if that information is compromised, and their available resources to protect the business and recover following a cyber breach. Insurers can help clarify priorities. “Some security solutions suit certain circumstances better than others,” Doswell said. “I spend a significant part of my time helping clients assess their cyber threats and recommending appropriate protections. I also work closely with our underwriters to ensure we are keeping pace with the threat landscape. For our insureds, being proactive about cyber protections – understanding what works for the business, applying it correctly, and having additional safety mechanisms in place if something goes wrong – will continue to be critical.”

[1] https://www.lawsociety.org.uk/topics/blogs/are-you-the-65-percent-or-the-35-per-cent-65-percent-of-law-firms-cyber-attack-victim#:~:text=But%20last%20year%2C%20Cert%2DUK,cyber%20mitigation%20plan%20in%20place.
[2] https://cyforsecure.co.uk/cyber-attacks-against-law-firms-are-increasing-is-your-firm-secure/
[3] https://www.pwc.co.uk/industries/legal-professional-business-support-services/law-firms-survey.html