
UK: Managing cyber threats in a law firm’s supply chain

  • Professional Indemnity Insurance
  • Cyber Insurance
The Knowledge, 20th August 2024

Smaller firms can be especially vulnerable – though all firms are at risk

If cyber threats to your law firm keep you awake at night, you’re not alone. According to PwC’s Annual Law Firms’ Survey 2023, 85% of the top 100 UK law firms said they were extremely or somewhat concerned that cyber threats will stop them from meeting and/or exceeding their firm’s ambitions.[1]

Their concerns are valid. Research published last year by Cert-UK found that 65% of law firms have been a victim of a cyber-attack.[2] The legal sector’s insurance claims reflect the risks of the environment.

“In respect of both our solicitor professional indemnity (PI) and solicitor cyber claims, we have seen an increase of year-on-year open claims,” said Sharon Glynn, managing director of underwriting at Travelers Europe. “As a proportion of policies in force, cyber is seeing a significant uptick in claims, so there is a rising tide of cyber exposure that we cannot ignore.”

Law firms are attractive targets for cyber-crime due to the large quantity of sensitive information they store, along with the client funds they hold. Small- to medium-size enterprises (SMEs), which may lack the in-house IT support and resources of larger firms, can be especially vulnerable, though firms of all sizes are threatened.

These threats are evolving – and require vigilance and consistent management. Supply chain compromise is one of the most significant cyber threats law firms must manage now, along with phishing, data breaches and ransomware. Late last year, a cyber-attack on CTS, the IT provider to dozens of law firms, created a crisis for many conveyancing firms.[3] The event demonstrated how criminals are exploiting firms’ growing reliance on information and communication technology services provided by third-party vendors, using them as gateways to infiltrate firms’ networks and steal money or sensitive information. Such supply-chain attacks are usually high-profile as they impact multiple organisations – and they can be reputationally damaging if they cause problems to the public.

Understanding the threat landscape

The supply chain is a target-rich environment for cyber threat actors. In law firms, there are supplier-related systems ranging from case and document management systems to collaboration and compliance tools. Firms may also have internet-connected devices such as CCTV systems, door access systems, environmental controls, or even connected appliances like coffee machines and internet-connected fish tanks that have been successfully used by threat actors to gain access into an environment.

Law firms have layers of risk to consider as a result, notes James Doswell, senior risk management consultant at Travelers Europe.

“Perhaps your firm supplies legal software or platforms to other firms,” he said. “What happens if your code is compromised by a contracted developer’s poor practices – or worse, a developer takes a copy of your client data? Or, what if an employee accidentally clicks on a phishing link which successfully bypasses your defence software? These events all impact the supply chain to or from a firm, which also provides legal services to its own customers and is responsible for the integrity of that onward service.”

There are steps a firm can take to fortify its protection across the supply chain, but there is no single solution. It is defence in depth, together with continuous oversight of the layers, that strengthens security.

“As we see every day in the media, and I see in risk discussions with some insured firms,” Doswell said, “some organisations are overconfident in their security architectures.”

Finding the right combination of protection

Strengthening a law firm’s security against cyber-attacks in the supply chain requires a multi-layered approach involving people, systems and insurance.

“Resilience is key,” Doswell said. But many law firms lack it. The Cert-UK research found that 35% of firms don’t have a cyber mitigation plan in place. To build one, firms can take actions such as these:

  • Assess your IT assets and mission-critical systems. If you don’t know what you have, how can you protect it?
  • Take ownership of your security. Adopt and maintain a security framework to support cyber hygiene internally. Be alert to potential points of failure in your firm’s systems and processes, as well as your vendors’ services.
  • Look for the gaps. The systems you have may not deliver the protection you need.
  • Plan for the worst. If a key system is lost, what is your fall-back plan? Review and test your business continuity, disaster recovery and incident response plans.
  • Back it up independently. If your supplier is attacked, you should be able to recover / migrate away from them if needed.
  • Keep the keys to your kingdom. Control of your domain name(s), for example, should be in-house wherever possible.
  • Look for cybersecurity accreditations when tendering for your supplier. Ensure suppliers practise good cyber hygiene.
  • Trust but verify. Suppliers may need access to your systems, and regular security audit reports should demonstrate that their staff are accessing those systems only in an authorised and controlled manner.
  • Train your people to spot threats. Ensure you have a workforce capable of identifying and thwarting evolving threats. Education should be part of your culture, not a one-and-done task.
  • Spread your risk. Avoid putting all of your eggs in one basket – that goes for hiring suppliers, migrating data to the cloud, or selecting insurance cover.

To transfer risk, cyber and PI insurance can be a powerful combination for a firm, providing support in the critical hours during and following a cyber breach, as well as protection against longer-term risks.

“PI and cyber policies dovetail well to maximise cover for an insured,” said Chris McMurray, managing director of cyber at Travelers Europe. “We saw an example of this recently where the cyber policy covered all of the first-party vendor costs involved in responding to the incident, including forensic IT costs, breach coach costs, the ransom negotiator, the ransom itself and any future business insurance claim. Then, when the cyber policy limit was looking like it was being eroded, the client used their PI policy to obtain an injunction to prevent publication of stolen data and therefore mitigate potential claims against them.”

Of course, all of these protections work best when there are people within the firm who are committed to keeping them strong.

“When it comes to security, people are often the weakest link in the chain in any business – and law firms are no different,” McMurray said. “Firms can put themselves in a much stronger place to defend themselves against cybersecurity threats if they evaluate their risks as a whole, and then put a multi-layered approach to protection in place that includes people at its heart.”

Contact the Travelers Cyber team to learn more about how cyber protection can protect your business – and consult this list of cyber acronyms to keep track of the latest tools you can use to strengthen your firm’s cybersecurity. 

Contact the Travelers Solicitors PI team to learn more about our Solicitors PI products.

[1] https://www.pwc.co.uk/industries/legal-professional-business-support-services/law-firms-survey.html
[2] https://www.lawsociety.org.uk/topics/blogs/are-you-the-65-percent-or-the-35-per-cent-65-percent-of-law-firms-cyber-attack-victim
[3] https://www.lawgazette.co.uk/news-focus/news-focus-cyber-attack-hits-conveyancing-firms-what-lessons-need-to-be-learned/5118101.article
This article is provided for general informational purposes only. It does not, and it is not intended to, provide legal, technical or other professional advice, nor does it amend, or otherwise affect, the provisions or coverages of any insurance policy issued by Travelers. Travelers does not warrant that adherence to, or compliance with, any recommendations, best practices, checklists, or guidelines will result in a particular outcome. Furthermore, laws, regulations, standards, guidance and codes may change from time to time and you should always refer to the most current requirements and take specific advice when dealing with specific situations. In no event will Travelers be liable in tort, contract or otherwise to anyone who has access to or uses this information.
Travelers operates through several underwriting entities in the UK and Europe. Please consult your policy documentation or visit the websites below for full information.

travelers.co.uk | travelers.ie