Cybercrime – how exposed is your firm?

Brian Rogers

Regulatory Director of Digital Learning and Compliance

Our recent joint webinar on cybercrime looked at various areas where firms are potentially exposed; we were joined by Practical Vision, a supplier of cyber-related solutions, who shared some of the common challenges their customers are currently facing.

While cybercrime is on the increase as a consequence of criminals trying to take advantage of Covid-19, there were already a number of existing challenges for firms, including a lack of understanding about current cyber risks, lack of investment in IT protection and confusion around cyber insurance.

Regulators, including the Solicitors Regulation Authority (SRA) and Information Commissioner’s Office (ICO), have said that they will take a pragmatic approach to enforcement. However, the SRA has also said that it expects all firms to have appropriate and effective business continuity plans in place to mitigate the risks presented by Covid-19 and the increase in staff working from home; cybersecurity should be a key element of this.

The SRA, ICO and the National Cyber Security Centre (NCSC) have all published useful information about how to avoid becoming a victim of cybercrime, which is well worth reading and considering when creating/updating your cybersecurity strategy.

It is worth noting that the SRA has said, “it may be better to ask when, not if, you will be targeted by online criminals”. It’s clear that the SRA feels cybercrime should be anticipated, and therefore it is likely you will be expected to take appropriate steps to reduce the risks around it; insurers will also take such a warning into account when faced with claims for any losses which could have been avoided if appropriate precautions had been taken.

A report published by the Department for Digital, Culture, Media & Sport (DCMS) showed some real areas of concern related to cybercrime:

  • £4,180 – the average cost of dealing with a cyber breach
  • 31% – the proportion of firms that carried out a cyber risk assessment in the last 12 months
  • 33% – the proportion of firms that had cyber policies in place.

This data clearly shows the potentially high costs for dealing with breaches, but also highlights how many firms are not taking basic steps to protect themselves.

The SRA Risk Outlook has identified information and cybersecurity as a major risk area, with issues such as email modification fraud, phishing and vishing, malware, ransomware, CEO fraud and identity fraud being of particular concern. In addition to these, the Financial Action Task Force (FATF) has identified some new risks specifically related to Covid-19, for example fundraising for fake charities, medical scams and tax refund scams.

What can you do to avoid becoming a victim of cybercrime?

  • Record cybercrime in your risk register, create appropriate risk mitigation plans, and review this risk regularly
  • Train all staff on cyber-related topics
  • Change passwords in line with your password policy
  • Don’t click on suspicious email links/attachments
  • Ensure software security is updated as appropriate
  • Use encryption where required
  • Utilise online checking systems that verify bank account/client data.

Many firms believe they are insured for cyber-related losses, but aren’t; even for those that are, policy wording is often very narrow and many exclusions apply. In a report published by Mactavish and CTS, 45% of cyber policy claims were disputed, it took three years for disputed claims to be resolved, and disputed settlements averaged 60% of the amount claimed.

Where there is cybercrime there is also likely to be some form of data breach. With the high number of firms now working remotely, it is worth carrying out a Data Protection Impact Assessment (DPIA) so you can see what the data risks are for your firm and what you could do to mitigate them. If a breach occurs, it is important that you report it to the ICO, the SRA and clients, as required.

During the webinar, we polled attendees on some key areas, and you may find the results interesting:

  • 5% of attendees have staff working from home using their own IT equipment
  • 43% of attendees with staff using their own IT equipment for work purposes have not checked to ensure it is secure
  • 12% of attendees have not provided cyber-training to staff in the last six months.

Based on the above poll data, some firms are clearly at severe risk from cybercrime and data breaches, so action will need to be taken quickly to address these areas.

We are committed to helping our customers in these difficult times, and can provide various resources and services that can help you protect your firm, all of which can be accessed remotely, including: