Panama papers: time to firm up on cyber security? | Practical Law

The disclosure of the so-called “Panama papers” from the Panamanian firm Mossack Fonseca has provided fodder for news outlets and politicians keen to denigrate offshore structures and tax regimes. For lawyers, the data breach also highlights the increasing risk of cyber attacks and data breaches in an era of open, or partially open, systems.

Practical Law UK Articles 8-627-0529 (Approx. 5 pages)

by Laura Stocks, RPC
Published on 28 Apr 2016, United Kingdom
The disclosure of the so-called "Panama papers" from the Panamanian firm Mossack Fonseca has provided fodder for news outlets and politicians keen to denigrate offshore structures and tax regimes (see box "The Panama papers"). For lawyers, the data breach also highlights the increasing risk of cyber attacks and data breaches in an era of open, or partially open, systems.
As one of the largest firms providing offshore services, Mossack Fonseca had a wealth of confidential and sensitive client information. The ramifications of the disclosure have been felt across the political and legal sector, and the data breach provides a clear warning to the legal industry about the risks from cyber security. Client perceptions increasingly factor in law firm policies on cyber security and clients’ buying decisions in relation to legal services are going to be increasingly influenced by those policies. The leading law firms not only need to be ahead of the curve but must be able to demonstrate this to their clients. Cyber security may now move from the back office to the shop front.

The risks facing law firms

A government survey conducted by PWC in 2015 found that 90% of large organisations had experienced a security breach and that there is a 9% year-on-year increase in the number of large organisations experiencing breaches (www.pwc.co.uk/services/audit-assurance/insights/2015-information-security-breaches-survey.html). A leading insurer has recently estimated that around £85 million has been stolen from law firms by hackers in the past 18 months.
Law firms are becoming increasingly attractive targets for cyber attacks. They store more information electronically than ever before and a huge volume of confidential and privileged material is commonly stored in one place. That information is open to exploitation if it is not properly protected. There have been surprising breaches in other industries where security has been high on the agenda for a long time. Banking and telecoms have seen recent high-profile incidents. The spotlight moved to law firms some time ago and many of the leading firms now have state-of-the-art protection. However, others are lagging behind.
There is a range of criminals interested in law firms’ systems, presenting a variety of threats. The traditional hacker is out for financial gain and has been around for a while. Espionage hackers present a risk for those working in particular sectors and are known to be sponsored, in some cases, at the highest levels of governments. Online campaigners are a concern for those with clients that undertake controversial businesses or express politically charged views. Politically or ideologically motivated hackers aim to embarrass individuals and companies, and reveal information thought to be in the public interest. Law firms, as both the custodians of commercially sensitive information and the trustees of large amounts of client money, are a potential target for all of these.

Client confidentiality is paramount

Protecting client confidentiality is one of the cornerstones of legal practice and is the area of greatest risk from a cyber breach. In order to comply with Principle 10 and Outcome 4.1 of the Solicitors Regulation Authority (SRA) Code of Conduct 2011 (the Code), law firms must ensure that client confidentiality is protected. This means having adequate systems and controls in place, commensurate with the size and complexity of the firm.
The most basic online threat to confidentiality comes in the form of phishing scams, where criminals obtain information or passwords by deceiving staff into handing them over. Firms may also be duped into believing that they are discussing confidential information with a client or a bank, or malware may be unintentionally downloaded from a seemingly innocent email. Different types of hacking, that is, gaining unauthorised access to computer networks, are becoming more prevalent as a means of accessing large volumes of confidential information.
Law firms acting for corporate clients are at increased risk of targeted cyber attacks to gain specific information that may be held on a law firm’s electronic file. Firms acting for financial institutions or large companies that hold commercially sensitive data are a particular target (see feature article "Cyber security: litigation risk and liability"). In these cases, enhanced systems and controls are required in order to provide adequate protection to the client and its data.
There are also other risks to law firms from cyber attacks. Data breaches pose a significant reputational risk to law firms. Consumer studies show that a considerable proportion of consumers would reconsider using a company if it failed to keep their data safe; law firms are not immune from this.
Cyber crime can pose a significant threat to the structural and financial stability of a law firm, as well as put the firm at risk of regulatory breaches. Principle 8 of the Code requires firms to run their business effectively and to apply proper risk management. In addition to attempts to access financial information relating to a firm’s client account and steal funds, there is an increasing threat of ransomware, in which data is held hostage in return for ransom money. Law firms are prime targets for these attacks as the need to preserve client confidentiality and the firm’s reputation may influence a firm to give in to these financial demands.

Actions for law firms

The Government Communications Headquarters, GCHQ, estimates that 80% of all online attacks could be prevented if firms followed simple guidance on the safe use of information systems (see feature articles "Cyber security: top ten tips for businesses"; "Cyber attacks: shoring up the defences"; and News brief "BIS advice on cyber security: batten down the hatches").
The SRA advises law firms to update software security, use more complicated passwords and always check if it really is the bank or client on the phone. Although these tips may seem obvious, simply updating a password can stop an unsophisticated hacker in his tracks.
Law firms need to prioritise cyber security at a senior level to ensure that it is at the top of the agenda. Investing in up-to-date technology is not something that is always prioritised by law firms but, with cyber security at the forefront of clients’ minds, ensuring that systems can deal with the rise in the frequency and sophistication of cyber attacks is now a client relations issue as well as a risk issue.
Law firms need to consider fully the likelihood and nature of any cyber attack based on the firm’s practice areas and client base, and implement systems and controls that are commensurate with their level of risk. Where firms are particularly at risk, they should consider taking specific advice from specialist cyber security experts to ensure that their systems are suitably secure to resist sophisticated attacks.
Cure is as much a priority as prevention. If an online attack does occur and results in a data breach, firms must have adequate processes in place to deal with the technical and reputational aspects of the breach, and insurance to cover the losses and liabilities that could result from it. Cover for data breaches will be limited under traditional solicitors’ professional indemnity policies, which will not, for example, cover first party losses resulting from a breach or the cost of regulatory exposure. Many law firms obtain specific cyber risk insurance, which should provide a fuller level of protection. Some of the best policies also provide helplines and other resources to help mitigate and manage the effects of a cyber attack. These response services should include technical, legal, public relations and notification services.
Laura Stocks is a senior associate at RPC.

The Panama papers

The disclosure of 11.5 million documents from Mossack Fonseca’s database represents one of the world’s largest ever data breaches. The firm says that its system was hacked and the documents were provided to the International Consortium of Investigative Journalists and then shared with major global partners, including news outlets and governments.
The papers reveal how the wealthy and powerful, including national leaders, have been using offshore tax havens to minimise and avoid tax liabilities. They also reveal the kinds of corporate structures that Mossack Fonseca and similar firms are involved with. The fallout has seen politicians resign and Mossack Fonseca being forced to defend its conduct.