Cybersecurity issues central as experts agree firms should view them as a serious business risk

We have brought together leading experts to discuss cybersecurity risks to coincide with our spring update to the Risk Outlook.

Our roundtable involved leading agencies and experts from a range of sectors to discuss how businesses can tackle the risks of cybersecurity. As well as us, there were representatives from the Information Commissioners Office, Barclays, Advent IM, National Crime Agency, IASME & UK Cyber Forum, bgi.cyber.uk ltd, Pelican Underwriting, QBE Insurance, Cyber Strategies, PA Consulting and Microsoft.

There was general agreement that law firms are an attractive target for criminals not only because they can hold large amounts of money but also valuable client information. Three key themes from the roundtable were that:

  • Too often cybersecurity is viewed as just an IT risk. It is a business risk that requires engagement and ownership at a senior management and Board level. Training staff is important, but businesses also need to develop a culture where cybersecurity is treated as a serious priority.
  • People and processes are as crucial as technology. Law firms should consider having rigorous and unambiguous procedures for when clients notify them of any changes to their personal information or bank details during a transaction.
  • The use of unsupported software increases an organisation’s vulnerability. In addition to addressing this risk, businesses should also consider the benefits of implementing Cyber Essentials – a Government-backed scheme to help organisations protect themselves against common cyber attacks.

The roundtable coincides with the publication of our spring update to its Risk Outlook, which highlights seven priority risks for the legal sector. It shows that three quarters of all cybercrimes reported to us involve email modification fraud. Half of all such reports are email modification frauds against conveyancing proceeds. It says any field of work which involves client money is at risk, with probate another common target.

We are committed to taking a constructive and engaged approach with firms when they fall victim to cybercrime. However, the risk update does highlight that we will take action where firms are not proactive. For instance it has this year issued rebukes in cases where a firm has failed to report the loss of client money or been slow to remedy client losses.

Paul Philip, SRA Chief Executive, said: “We all benefit from information technology, but that means we are all vulnerable to cybersecurity risks. These risks evolve rapidly. Whether it is money or sensitive client information, law firms are an obvious target. It is the job of firms to take steps to protect themselves and their clients, but we want to help.

“So in addition to regular updates and conversations with firms, we also want to make sure we learn from insights across all sectors. It was clear from our roundtable how similar the issues are. By working together we will be in much better place to stay cybersecure.”

The update of the Risk Outlook is available here:

Go to the update

We published a detailed report into the IT security at the end of 2016:

Go to the paper