Those who thought this seminar would provide the answers will have been disappointed. Rather, its purpose was to target any complacency around the topic and raise the questions that every practising lawyer, and every law firm manager, needs to ask regularly. Anyone who attended and thought the risks had been overstated wasn’t listening!
The subject is topical, as evidenced by the SRA October update and the Law Society August 2015 Practice Note. It suddenly became even more topical with the Talk-Talk cyber attack the day after the seminar. Many people have criticised Talk-Talk over its state of preparedness for such an event. Our seminar questioned the state of your preparedness, and the impact an attack would have on your practice.
Our speakers were Stephen Robinson, founder and CEO of xyone cyber security, and Chris Kirk-Blythe, CEO of LBS Legal. Whilst xyone’s client base is obviously far wider than the legal profession, it works extensively with lawyers on awareness training, risk assessments, asset protection, and systems planning, and is familiar with the SRA Handbook. LBS Legal has “high level expertise in providing guidance and support in every aspect of professional conduct, regulatory compliance and practice governance”. Chris has worked for the Law Society (Manchester), is a non-practising Solicitor, and has been employed by a number of large regional firms in his career to date. This enables him both to be incisive in supporting firms’ compliance processes and knowledgeable in any dealings with the SRA. The information in the brochures distributed by both companies is readily available on their websites via the links provided above. Copies of the slides used by both speakers to illustrate their talks have been distributed to attendees and are also available below.
Stephen’s talk focussed on the exponential rise in the number and seriousness of cyber attacks and the ways in which they happen, and he ranged over the nature of the threats. Solicitors are particularly vulnerable to targeting: in the main they are small businesses, and therefore likely to be unsophisticated in their approach to IT and electronic communication, yet they transfer and receive large sums of money on a regular basis, for instance in Friday afternoon completions. The only protection is regular review of IT systems, good internal control processes, robust internal audit, and a defined procedure for dealing with system breaches. Whilst most people think of breaches in terms of financial systems, loss of information is also important. Quite apart from client confidentiality, reputation and so on, there is the question of investigation by the Information Commissioner’s Office for a data protection breach, and the heavy penalties that can be imposed in addition to compensation. He commended “Cyber Essentials” certification, which is increasingly becoming a necessary accreditation for winning governmental and commercial contracts.
Chris dealt with security in terms of the SRA Principles and Handbook, giving a graphic account of a case, put into the public domain by the victim as a warning to others, of an apparently inadvertent security breach by a very successful sole practitioner. The impact was an intervention into her practice and immediate suspension, followed by disciplinary proceedings, and ultimately the loss of her livelihood, financial security, and health. Chris described Regulation 8 as a “game-changer”, stating that almost 100% of alleged breaches of that regulation result in an SRA prosecution before the SDT (Solicitors Disciplinary Tribunal). The regulation is a catch-all cover to the rules which makes the SRA very powerful, and the “only way out” is to construct a strong mitigation. In any prosecution, it is probably open to the SRA to allege breaches of most of the Principles. The reality is that the fact of prosecution usually destroys a career, irrespective of the outcome.
It is therefore essential to be able to show that there are robust and well-documented risk management systems which identify all reasonably foreseeable risk areas. Risk assessments, risk mitigation planning, and implementation of control measures all need to be documented and available for inspection, to demonstrate that risk has been brought within acceptable parameters. This needs to be coupled with well-documented regular testing and corrective measures. There is no “one size fits all” in terms of “how to do it”, because processes need to be adapted to the style and business of each individual firm.
Both speakers touched on the question of professional indemnity insurance. Premiums are likely to be reduced where well-documented risk management systems incorporate robust cyber security, and cover is correspondingly likely to become harder to obtain in the absence of such systems. More critical is the risk of insurers denying cover in the event of a claim, were they able to argue successfully a breach of policy condition arising out of a failure to take reasonable precautions for the safety and security of clients’ assets.
Below are links to slides and information provided at the seminar: