Cyber Risk for Law Firms

The legal sector is a highly attractive target for cyber security threat actors due to the sensitive client information and large sums of money that law firms routinely handle. Senior leadership must be engaged with cyber risks and ensure active backing and support for security management initiatives spanning people, processes and technology.

Callum Maxwell
Published: 08 Nov 2023 Updated: 08 Nov 2023

On 31st October, we were pleased to host our 29th Annual Law Firm Survey launch, reflecting on how the sector has demonstrated resilience in the face of major challenges from Brexit to the continued legacy of the Covid-19 pandemic. It was also an opportunity to explore how emerging technology trends, not least cyber security, are an increasing priority for law firms today.

The legal sector is a highly attractive target for cyber security threat actors due to the sensitive client information and large sums of money that law firms routinely handle. Firms of all sizes, from small high street practices to large international corporations, face an increasingly complex array of cyber threats from hostile actors spanning organised crime, nation states, corporate competitors, hacktivists, and malicious insiders.

The shift to remote working since the Covid-19 pandemic, a reliance on external IT suppliers, and ongoing digital transformation efforts, whilst beneficial in many ways, have also created a challenging environment for law firms to manage. As a result, and as recently confirmed by the Solicitors Regulation Authority (SRA), nearly three quarters of the UK’s top 100 law firms are now known to have been victims of a cyber-attack*, with subsequent disruption being both costly and reputationally damaging.

A report from the UK’s National Cyber Security Centre (NCSC) earlier this year detailed the broad array of attacks that law firms are currently facing. Phishing continues to be the most prevalent type of attack: an email, message, or text is used to trick members of staff in order to deploy malicious software, or otherwise to dupe an unsuspecting user into doing something they shouldn’t. Law firms have also reported regular instances of business email compromise, ransomware, password attacks, and supply chain targeting via third-party suppliers.

These threats highlight the necessity for law firms to improve their cyber resilience. Senior leadership and boards must be engaged with cyber risks and ensure active backing and support for security management initiatives spanning people, processes and technology. Every firm in the legal sector will be in a slightly different “current state” position regarding cyber defence and response capabilities and will need to tailor their efforts to strengthen specific elements of their cyber security framework. Some organisations may need to invest in technology transformation, controls, and cyber security training whereas others should prioritise incident readiness and management training.

A universal truth, however, is that all firms in the sector need to consistently reassess and respond to cyber risks, as highlighted by the NCSC’s work. Legal practices should also be prepared to work with and report to relevant authorities, particularly in the event of a security incident. These include the NCSC, the Information Commissioner’s Office (ICO), and the SRA.

Here at Evelyn Partners, we provide tailored advice and support to help law firms address these risks. We will help you understand your cyber posture through security threat analysis, maturity and risk assessments, and the development and delivery of proportionate improvement initiatives.

Ref: 23113500
