Cyber risks are a major concern. Wide-scale attacks such as the SolarWinds attack, which affected Microsoft and many others, and an attack on Microsoft’s widely used Exchange Server software are among many, and providers of software to law firms are already being targeted. It may only be a matter of time before a case management system used by large numbers of law firms is attacked, leaving those firms exposed, with perhaps little recourse against suppliers due to restrictive contract terms and/or limits of insurance cover.
Firms are, rightly, encouraged to use two-factor authentication, preferably with an authenticator app rather than SMS messaging. We have, however, heard of two instances of this being breached. A relatively sophisticated example resulting in loss of client money was reported by Australian law firm insurer Legal Practitioners’ Liability Committee. Another example, not involving a law firm, arose where an employee received a push notification login request and approved it instinctively without giving it further thought.
A consultation on reduction in cyber cover under the SRA Minimum Terms and Conditions (MTC) is expected imminently. While cyber cover is widely available, we understand the market there is hardening too, and cover may be subject to many exclusions and limitations not found in the MTC. Some risks are not strictly cyber anyway and may require crime cover. Social engineering is also increasingly a threat: some people should be more cautious about the information they give away about themselves on social media and even in out-of-office replies and home-working photographs.