Cyberattacks against the legal sector are on the rise – it is not a matter of whether a cyberattack will occur, but a matter of when and how bad it will be. When cyberattacks occur, having cyber insurance can help your organisation recover and get back to business more quickly.
According to the Law Society, the legal sector is facing a considerable increase in its cyber insurance premiums due to the global coronavirus pandemic. Simon Davis, Law Society President, explains: “insurers are reluctant to take on new risks just now and many are not seeking new clients. This cautious approach means firms will be expected to provide more information up-front, such as details about risk management, firm finances, continuity planning and evidence of ongoing profitability.”
It is vital that you accurately audit and assess your firm’s or chambers’ potential vulnerabilities, building a detailed picture of your cyber risks and your ability and preparedness to manage them. Carrying out this kind of research can be a daunting and time-consuming task. However, it can be very insightful when structuring your cybersecurity strategy, as well as being useful when buying cyber insurance for underwriting purposes.
Be prepared – follow our checklist below to ensure you are ready to open a dialogue with a cyber insurance provider at any time.
- Build your business profile
Collating general information about your law firm or barristers’ chambers will provide insight into the degree to which your business is at risk of a cyberattack, and therefore, allow the insurer to provide the most suitable cover for you.
To help your insurer build a profile of your business, you should offer information on what sector you operate in, what types of products and services you offer, who your clients are, your annual turnover, and how much you set aside for your IT security budget.
The legal sector deals with highly sensitive and confidential data and information. In order to assess how at risk this data may be, insurers will need to know what categories of data are managed and how much, where this data is stored, who within the business is responsible for handling data, what cyber protection measures are in place, and how you work to comply with any relevant regulations.
Additionally, developing a risk profile will enable you to identify possible areas of risk before an event happens. Certain technologies can enable better risk management, such as optimising Case Management Systems (CMS) to include fields and tags which will help you collate the aforementioned information in a centralised database and monitor any changing trends or potential risks. Identify exactly what data you are required to collect to insure your business, and the data you will need to provide if you were to make a claim, then build this into your CMS. This will reduce the time spent reacting to a breach or cyberattack and recovering any lost data.
- Consider the human component
The human component is a vital element of cybersecurity, so you must be able to demonstrate that your firm or chambers has cybersecurity training embedded into your company culture.
Due to the high incidence of human error, the insurer is likely to want to learn how your operational teams are managed and trained regarding cybersecurity, as well as how they handle sensitive data such as client records and documentation. This information can act as a key indicator to the insurer of your legal practice’s ability to mitigate damages and/or losses brought about by employees.
- Set aside a budget and be aware of changing premiums
According to the SRA, approximately £2.5m was reported stolen from law firms via cyber breaches in the first half of 2020 – more than triple the amount reported in the first half of 2019. This has led to higher cyber insurance premiums, which have increased by an average of 32% since last year.
Keeping abreast of any changes to prices will enable you to plan your budget effectively. As with cybersecurity, a cyber insurance budget should be carefully planned and included within your IT strategy to ensure that you are fully prepared and able to protect your sensitive data.
- Make a detailed record of all your IT systems
For the insurance company to understand the level of insurance protection required, you should create a map of all your IT systems both inside and outside of your business, as well as what data is located within these systems.
Additionally, information on your different networks, including how they are segmented, what network security measures are in place, levels of redundancy, and access controls to server rooms, will demonstrate how prepared you are should an outage or breach occur.
Finally, it is important to inform the insurer of the policies in place for the management and upkeep of your networks and systems, particularly when it comes to updates and maintenance, as this will complete the overall picture of your firm’s or chambers’ ability to face any potential cyber risks.
Preparing the above information will not only aid your discussion with your insurer, but also give you in-depth insight into how prepared your legal practice is when it comes to cyber risks, both in terms of preventing them and of reacting appropriately and effectively should an incident occur.