In the wake of last year's cyber-attacks on three barristers' chambers[1], law firms are getting tougher with their counsel regarding cybersecurity posture. Overall, statistics show that the professional services sector is still one of the most targeted by hackers[2]. Doxing sites hold data stolen from law firms all over the world; the key concern is that such data includes personal data and client confidential information relating to sensitive matters. Just think of the publicity surrounding the Panama Papers and, more recently, the Pandora Papers.
Law firms are not new targets for threat actors and nation states: historic attacks reach back as far as ten years.
The concern is not only with organisations that receive data from a law firm, but also with those that hold a foothold of access within the firm itself in order to provide services. The Kaseya[3] and SolarWinds[4] supply-chain compromises have shown that a service provider's privileges across a law firm's network can act as a 'back door' for malicious software. Whilst this is troubling for firms, it also shows the difficulty of managing an incident where the majority of the information needed is held by another entity that is itself reeling from an attack.
The risk profile of a law firm spreads across multiple practice areas and business services. As firms move towards automation and outsourcing, client data is shared in order to provide the best service to the client. When considering third party risk, employees are often overlooked because the focus is on clients.
When considering the response to these incidents, timing is critical. A law firm is reliant on the relationships with its clients but also its staff. There may be legal and regulatory requirements to notify various entities in the event of a cyber-incident; the Solicitors Regulation Authority (SRA) is paying ever closer attention to cyber risk.
Client relationship partners may want to advise their clients as soon as possible; however, early notification may result in more questions than answers. During these incidents the response team is often still working to investigate and contain the extent of the compromise, so pausing for thought can be preferable to rushing to notify a client with only partial information.
Notwithstanding the risks outlined above, the most critical issue is the loss of information which would ordinarily be subject to legal privilege. Loss or publication of such information may have a critical impact on an ongoing legal case or severely disadvantage a client in ongoing negotiations.
Many law firms outsource a number of employee functions such as payroll, employee assistance programmes and benefits. Typically, these platforms contain sensitive personal data, which can have a dramatic impact in the event of a personal data breach.
The response to an employee data compromise is perhaps even more critical than client response as the employees are required to be onside from the outset. A particular risk exists from data breach claims emanating from disgruntled ex-employees or those who departed in the wake of an incident.
It is not surprising that third party relationships are called into question following an incident, as the contractual obligations most questioned are those around cybersecurity requirements and notification provisions; this emphasises the importance of firms getting these in line pre-incident. A robust framework will allow for smoother notifications from providers, and gives the firm the broader awareness it needs to develop its communications strategy in the first place.
What then, are the key factors for law firms to consider in the first 48 hours of a ransomware attack?
Leadership & Teamwork
Whilst the immediate ‘on the ground’ response to a ransomware attack will be technically led, a much wider crisis team must be established quickly to manage the organisation’s wider response to the incident. The crisis team should bring together the leaders of key business functions, such as:
- Operations Lead
- Internal Communications
- External Communications (media and stakeholders)
- HR
- DPO
- IT Lead (containment and recovery)
- IT (investigation)
Who leads the crisis team will often depend on the firm's size. Ultimately, the crisis team must have senior level empowerment to make urgent, critical decisions whilst remaining sufficiently close to the response itself to implement actions immediately.
Firms should not shy away from bringing in external expertise early on, as it can bring much needed experience from similar incidents, or simply provide additional capacity and resource. Typical external support will assist with investigating how the attack occurred whilst the organisation focuses on the recovery of services; drafting preparatory communications and statements; and dealing with regulators and other stakeholders. External experts typically include:
- Legal
- IT (recovery)
- IT (forensic investigation)
- Communications specialists
- Notification specialists (see data exfiltration below)
The crisis team should also ensure that any insurance has been engaged at the earliest possible stage. Traditional liability insurance programmes will typically only operate once liability claims come forward. Cyber insurance, however, will usually operate from the point of incident, covering the costs of the external experts above. Indeed, the insurance may specify the experts to be used. We address this further below.
Once convened, the crisis response team should action a response plan, ideally drafted and rehearsed in advance. Whilst there are many approaches, a structure based on the ICO’s guidance may be helpful.
- Containment & Recovery. This will include the actions taken to ensure that the spread of the attack is stopped, vulnerabilities are closed, and systems and data are recovered safely and securely.
- Assessment. What systems and data were affected will determine who and what needs to be informed or notified. External cyber experts can help recover, analyse and interpret evidence and provide additional capacity to do so quickly.
- Notification & Communications. Who, what, why, when and how to notify and communicate can be very difficult decisions in the early stages when information is scarce. External assistance from legal and communications experts, who have experience of similar incidents, can help decision makers.
- Evaluate. As well as dealing with the immediate decisions, the crisis team should use any available time to plan for “what next”. The adage of “plan for the worst, hope for the best” is a useful mantra.
Over the last 18 months, ransomware perpetrators have increasingly threatened to leak (or indeed have leaked) the stolen data online as added leverage to extort a ransom payment[5]. This has meant that ransomware response has moved from a technical recovery problem to managing the fallout of a large data breach, which further highlights the importance of including the wider business functions and external experts in the crisis team from the outset.
Often only an incomplete evidential picture emerges as to whether data was, or was not, taken in the attack; this inevitably raises legal and practical questions as to what an organisation should do.
Where data is published, it can be a race for the organisation to review, assess and inform those affected. The work required can be substantial, and again, specialist external resources can be of great assistance to ensure timely notification.
It is often the case that those who advise so extensively on cyber vulnerabilities are also the targets and victims. Robust plans and relationship management are critical to responding to any cyber incident, and the fact that firms are now taking a more pragmatic approach should lead the way for others to follow.
If, following a ransomware attack, any payment is to be made, the regulatory context requires attention, and the external advisors and breach counsel should assist on this. Factors to consider include (for any relevant jurisdiction):
- Anti-money laundering (AML) laws and regulations;
- Counter-terrorism laws and regulations;
- Sanctions laws and regulations; and
- Suspicious activity laws and regulations as applicable including any required notifications to authorities.
An additional part of a law firm's armoury for protection from the effects of a cyber incident is its professional indemnity insurance. The increasing exposure to cybercrime and inadvertent data breaches faced on a daily basis by professional service firms, including law firms, has led regulators to consider their Minimum Terms and Conditions (MTCs) of insurance and how they address cyber risk. The SRA, RICS and ICAEW have all undertaken a review, with distinct approaches to addressing cyber risk. All have referred to modern insurance market clauses, including the recent Professional Indemnity clause IUA 04-017[6].
For their part, the SRA opened a consultation on adding a new clause to the MTCs that makes it clear that the consumer protection afforded by PII arrangements equally applies if the loss arises from a cyber event. The SRA’s response to the public consultation was published on 21 October 2021 confirming that the draft clause had been submitted to the Legal Services Board for approval. The SRA have clarified that “The cover is for client and third-party protection - losses to the law firm (first-party losses), except for certain costs of investigating and defending a claim, are not covered. Firms can choose to purchase a separate cyber policy for other risks.”
The SRA added that they will monitor the impact of the change and issues about the level of cover for cyber incidents as part of a wider review of PI insurance to be undertaken by the LSB.
It is in this context that the recent roll-out of a Lloyd's of London mandate on silent cyber has impacted the professional indemnity insurance market. The requirements of Lloyd's Bulletin Y5277 mean that all professional liability policies must either exclude or affirm cover for cyber risk. This has prompted a number of carriers in the Lloyd's insurance market and further afield to reconsider their approach to cyber risk, with inevitable knock-on consequences for law firms when they consider the insurance cover they now require; it is crucial to address all principal components of cyber risk, including cyber acts, cyber incidents and data privacy liability.