Updated: Apr 16
Many of our legal clients ask us how they can de-risk or mitigate cyber threats. It is an important question, and certainly one that needs to be addressed given the high-risk nature of this profession. Law firms are keepers of valuable and very lucrative information which, in the wrong hands, could be destructive for the firm and/or for its clients. The risk vs. reward calculation a cybercriminal performs would therefore often lead to the conclusion that a minimally protected law firm is a perfect target. The data supports this. According to a survey conducted by the American Bar Association, 26% of respondents experienced a security breach in 2019. Additionally, 19% of respondents reported that they do not know whether their firm has ever experienced a breach. Ignorance, in this profession, is a far cry from bliss, since the duty of care holds practitioners to high standards.
In future posts we will cover cyber threat management, but this seems like the right place to reframe the discussion. The risk is not “cyber risk”. It is rather a business risk that exists because of cyber threats. Understanding that this is a business risk allows us to apply established risk-management frameworks to the cyber threats specific to a given firm. So, which business risks could emerge after a breach?
Reputational Damage – Cyber attacks come in various shapes and colours, but all share a similar goal: stealing valuable information and/or hindering your ability to operate. While the attack type may vary, the consequences in this respect will not. Existing clients and prospects could lose trust in your organisation and its ability to be a confidant and keeper of sensitive information. Moreover, the ramifications of a breach could spill over and impact your credibility and reputation as a legal professional. In our opinion, given the competitive legal landscape, loss of reputation is one of the most serious threats to a law firm.
Privileged Client Information Leakage – Lawyers’ work involves managing confidential client information. Law firms are privy to the most sensitive information: financials, intellectual property, commercial details, material risks and so forth. A legal practice that experiences a cyber attack resulting in leakage of privileged client information may face multiple consequences, such as client departures, litigation, bar association disciplinary measures and more.
Financial Damage to the firm/firm’s clients – There are multiple types of financially motivated cyber attacks. The attacker takes over part of the payment process and fraudulently routes the clients’ or the firm’s funds to rogue bank accounts. The level of sophistication is so high today that most of the time those funds are virtually unrecoverable. This is especially noticeable in small to medium-sized organisations, mainly because such firms usually invest less in protecting themselves against cyber crime or lack the knowledge to properly analyse and address the risks.
Compromised communication channels – Secure communication channels are a key enabler of normal business conduct for any attorney today. Unfortunately, we often see poor cyber hygiene and awareness, which results in the communication channels used by attorneys (voice, data, applications on desktop and mobile) being compromised. Beyond giving an unauthorised third party a foothold and access to all privileged information, compromised communication channels might mean losing the competitive edge and the element of surprise in a court case, for example. Ever felt like the other side is always a step or two ahead?
Impact on productivity – Many are familiar with the word ransomware, but from our experience, few understand the meaning or impact of ransomware. Imagine waking up one morning, sitting at your desk, and finding your computer locked. You can’t access it, and you are not the only one: neither can any of your colleagues in the firm. The outcome? Everything is put on hold and the firm freezes operations (think billable hours) while trying to remedy the issue. If you or your firm invested proactively in cyber defence, you might be able to resume operations in a day, two, or three. Less cyber-ready firms, unfortunately, spend weeks operating at a loss of 70%-80% from normal productivity levels and then struggle for weeks, if not months, trying to recover.
The cyber threat to law firms is real and, according to the data, imminent. Cyber attackers are constantly evolving the ways in which they penetrate organisations and cause damage. It is important not to treat cyber risk as an “IT problem” but rather as a business risk that can result in serious problems, even going-concern problems, as detailed above.
Law firms are in an elevated-risk environment since they draw attention on both their own and their clients’ accounts. We have seen cases where breaches of law firms were merely collateral damage and the true target was actually a client with better cyber protection.
How protected are you? If you cannot easily answer this question, it is time to assess your cyber posture in order to protect your business. Don’t let years of your hard work disappear overnight.