With the legal sector a key target for cyber-attacks, it is critical to focus on building a cyber-risk strategy, including education, technology and data governance.
In the 2019 KPMG CEO Outlook, 42 percent of Australian CEOs agreed that becoming a victim of cyber-attack is now a case of ‘when’ and not ‘if’.
For law firms, which are routinely trusted to collect and hold significant volumes of sensitive data, including personal information, intellectual property, and commercially sensitive material that relates not only to their own practice, but also to their clients and third parties, the impact of a cyber-attack can be far reaching.
The issue of cyber security in law was explored in detail by KPMG professionals and industry guests at KPMG events in Melbourne and Sydney in May 2019.
This article provides some key takeaways for the legal sector to consider around cyber-attack preparation, mitigation and response.
Paul Black, Partner, KPMG Forensic, said that the cyber threat comes predominantly from organised crime.
“Typically, organised crime attacks originate from offshore, and attackers favour email to launch ransomware attacks [locking up a user’s data unless they pay a ransom],” he said. “Unlike some other attackers, organised crime groups don’t specifically target any organisation – instead, they take a scattergun approach.”
In addition to organised crime, Black said cyber-attacks can originate from:
Black said it takes a combination of people and technology for organisations to mitigate cyber-attacks. No strategy can be ‘set and forget’; it must be continually updated as the risk environment changes. He said that incident response planning and preparedness is critical.
“I can tell you from dealing on a daily basis with organisations that have been breached, it’s not a good place to be if you’re trying to determine who is going to help you with your incident response; where responsibilities lie; who is going to write communications; what the messaging is going to be to staff; how are we going to tell our clients; and what are our obligations to report,” Black said.
Once these fundamentals are understood, firms can build a cyber-risk strategy based on people and technology.
“It really is a question of having constant monitoring in place to identify anomalies within an environment.”
– Paul Black, Partner, KPMG Forensic
Data control is another key step to mitigating a cyber-attack. Kelly Henney, National Data Privacy Lead, KPMG, said it is vital for law firms to understand exactly what data they have, to collect only the data that they need, and to control access to the data.
Law firms receive very disparate data from very disparate groups. Henney said it is vital they have good governance in place to ensure that data is safely received, understood and protected.
Emma Cronin, Senior Underwriter, Cyber Liability, Berkshire Hathaway Specialty Insurance, joined the KPMG panel, and shared insights into what insurance is now available and how it can respond in the event of a cyber-attack.
Cronin said there has been a rapid evolution in insurance firms offering cyber liability insurance – with around 35 insurers offering policies in Australia.
Currently, organisations are looking at first-party cover, which covers the cost of incident response, and, less commonly, third-party cover to mitigate liability for data breaches down the line.
Typical cyber-attack claims include email compromise, crypto locking and denial of service. There are also simpler (less sinister) breaches, such as when staff inadvertently send an email to the wrong person.
Before offering cover, Cronin said insurers will ask what cyber security strategies are currently in place: for example, staff education, technology protection, recovery time for critical systems in the event of an attack, the likely business impact, and how resilient and responsive the business would be in responding to an event. This investigation is often a good trigger to focus on what needs to be improved.
Contact KPMG to discuss how we can help your organisation achieve a defensible position in relation to cyber risk. We can help you focus on data strategy, data governance and third-party oversight.