Time to look back – and forward
As the appointment of Marsh as Master Policy broker comes to an end, their final article reflects on cyber risk as a significant risk for the profession
It has been a privilege for Marsh and for all of the Marsh colleagues involved over the many years to have served the profession as broker to the Master Policy. As the appointment of Marsh comes to an end, and with that, the opportunity to communicate with all in the profession through this column on a monthly basis, we sign off with a view on the risk issue which is surely set to challenge all of us in the coming years: cyber risk.
What is cyber risk?
The Institute of Risk Management has described cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems”. It may be a challenge for many of us to understand how IT systems are hacked or the damage that malware can do – but it isn’t difficult at all to understand some of the very practical consequences: the “blue screen of death”; firms subjected to ransom demands for access to locked systems or files; confidential information being made public; money stolen.
Risks associated with technology are not that new. Almost two decades ago, back in 1999, before many current readers had joined the profession, risks associated with technology were the focus of a number of articles by Marsh in this column.
Remember the millennium bug?
Articles in 1999 flagged concerns around a technology issue which was branded “the millennium bug” or “the Y2K bug”. What was the issue? Because many computer programs represented the four-digit year with only the final two digits (to save memory), the year 2000 was indistinguishable from the year 1900. That meant there was the prospect of incorrect display of dates, inaccurate ordering of dated records or events and other unpredictable results. Some were concerned about aircraft falling out of the sky. Many took the view that date-sensitive embedded control devices such as industrial monitoring and control devices, ATMs, and security systems would malfunction.
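The two-digit-year defect described above, shown as an added example that is not from the article: two records dated 31 December 1999 and 1 January 2000 are stored the way many 1990s systems stored them (YYMMDD), then ordered and aged under the legacy decoding and under a sliding-window fix. The record ids, dates and pivot year are constructed for illustration.

```python
from datetime import date

# Constructed sample records in legacy YYMMDD form: (record id, stored date key)
LEGACY_RECORDS = [("rental-0042", "991231"), ("rental-0043", "000101")]


def legacy_sort(records):
    """Order records by their stored key, exactly as a legacy system would.
    '000101' sorts before '991231', so January 2000 lands before December 1999."""
    return sorted(records, key=lambda r: r[1])


def windowed_year(two_digit: int, pivot: int = 50) -> int:
    """Sliding-window remediation used in many Y2K fixes: two-digit years below
    the pivot are read as 20xx, the rest as 19xx. The pivot of 50 is an assumption."""
    return 2000 + two_digit if two_digit < pivot else 1900 + two_digit


def decode_legacy_date(key: str, fixed: bool) -> date:
    """Decode a YYMMDD key. Legacy behaviour hard-wires the 19xx century."""
    yy, mm, dd = int(key[:2]), int(key[2:4]), int(key[4:6])
    year = windowed_year(yy) if fixed else 1900 + yy
    return date(year, mm, dd)


def days_between(due_key: str, returned_key: str, fixed: bool) -> int:
    """Days from a due date to a return date under either decoding.
    Legacy decoding turns a one-day-late return into a century-sized error."""
    due = decode_legacy_date(due_key, fixed)
    returned = decode_legacy_date(returned_key, fixed)
    return (returned - due).days


def fixed_sort(records):
    """Order records by the properly decoded date rather than the raw key."""
    return sorted(records, key=lambda r: decode_legacy_date(r[1], fixed=True))


if __name__ == "__main__":
    print("legacy order:", [r[0] for r in legacy_sort(LEGACY_RECORDS)])
    print("fixed order: ", [r[0] for r in fixed_sort(LEGACY_RECORDS)])
    print("days late (legacy):", days_between("991231", "000101", fixed=False))
    print("days late (fixed): ", days_between("991231", "000101", fixed=True))
```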
What were the concerns for solicitors? The risk of failure of electronic diaries or being held responsible for failing to warn clients how their transactions might be impacted by date recognition issues were among the risk concerns highlighted in articles in this column during 1999.
Y2K was expected by some to be a disaster, but instead went into the history books as a bit of an over-hyped non-event. There were no claims intimated to the Master Policy insurers. That is not to say that nothing went wrong. The BBC News website on 3 January 2000 included a report on US military satellites suffering a Y2K glitch, and an “unfortunate video-rental customer in New York who was charged a late fee of $91,000 for a movie that had apparently been out in his name for the past 100 years”.
While many remained very sceptical about the millennium bug, it is impossible to say to what extent the year 2000 transition proved to be a non-event because of the extent of preparation and planning.
Was it a non-event, or was it a significant risk management success story?
Failure of IT can of course be accidental, and a programming issue such as Y2K and other date recognition glitches are examples of that. However, as we have come to appreciate from all too frequent news reports, problems may be the result of malicious activity or cybercrime.
Mossack Fonseca: Most of us have heard of the Panamanian law firm Mossack Fonseca & Co because it received worldwide media attention in April this year. Why? Information about its clients’ financial dealings was made public following the release of an enormous number of documents which were leaked to the news media. The firm informed its clients that files had been obtained through a hack of the company’s email server. It has been suggested by some that the firm’s information security was poor.
ACS:Law: Perhaps fewer are familiar with ACS:Law, an English law firm which specialised in intellectual property law. The firm was known for pursuing parties allegedly infringing copyright through peer-to-peer file sharing. On 21 September 2010, the ACS:Law website was subjected to a DDoS attack suspected to be coordinated by online group Anonymous. When the site came back online, it was possible for a short period of time for anyone to access a backup file which included copies of emails sent by the firm. Some of the emails contained unencrypted Excel spreadsheets, listing the names and addresses of people ACS:Law had pursued for alleged illegal file sharing.
The alleged breach of the Data Protection Act became part of an investigation into ACS:Law by the Information Commissioner’s Office, which fined ACS:Law £1,000 for the privacy breach. The Information Commissioner was quoted as saying: “Were it not for the fact that ACS:Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach.” ACS:Law was criticised for having computer security measures that “were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details”.
Payment instruction fraud: If it seems to any of us improbable that our own firm would ever be targeted in the ways that ACS:Law and Mossack Fonseca were targeted, none of us can deny the reality of payment instruction frauds perpetrated by cyber criminals, who have targeted property and other transactions handled by law firms the length and breadth of the country. These frauds typically involve social engineering or con-tricks, but many of them appear also to involve hacking of the email accounts of solicitors or their clients. Criminals have also perpetrated frauds on law firms targeting online banking. Earlier this year, QBE, which at the time insured more than one in 10 law firms in England & Wales, reported that their latest data indicated that around £85 million had been stolen across the legal market in the preceding 18 months.
Preparation, preparation, preparation
In all its guises, cyber risk is a significant risk concern for solicitors, and the threat level has been growing for several years. How do we deal with it?
As they say, “failing to plan is planning to fail”, and therefore to assist in planning risk management the Marsh website for Scottish solicitors (www.marsh.co.uk/login/lawscot) includes a Cyber Risks Management Action Plan suggesting, in outline, the following methodical approach to addressing cyber risk:
- Understand the firm’s cyber risks.
- Establish the firm’s use of technology.
- Control the type and usage of technology, e.g. by appropriate policies and training colleagues.
- Control the use of information, e.g. by appropriate policies and by training colleagues.
- Ensure adequate security, e.g. by regular scanning for malware.
- Control access, e.g. by limiting access to systems and applications.
- Allocate responsibilities for cyber risk, reporting and response.
- Assess adequacy of insurance protection, e.g. by referring to the insurance gap analysis.
Education, education, education
Although cyber security is often viewed as exclusively an IT issue, all colleagues must play their part in defending themselves and their firms from cyber risks, by understanding the issues and adopting best working practices to help minimise the risks. Training of colleagues on the risks, risk controls and the firm’s policies is therefore a key part of an effective cyber risks management plan.
While there is no requirement for all colleagues to be IT experts, it is essential for all of us to have an understanding of what “phishing” and “spear phishing” are and why they pose a risk. It is essential too to have an understanding of the risks associated with using the internet and social media and with opening suspicious emails and attachments. Through articles in this column and with risk alerts, we have aimed to inform and assist the profession with managing these risks.
Looking to the future
The way the profession has responded to the risk of exposure to payment instruction fraud provides clear evidence of how effectively solicitors have taken on board the warnings in relation to specific risk issues. The experience of the past few months of intimations arising out of payment instruction fraud indicates that solicitors are succeeding in tackling this risk. The majority of respondents to a cyber risks survey conducted by Marsh at the Society’s Annual Conference indicated that their firms provide colleagues with training on cybercrime, and have policies on information security, passwords and the use of the internet at work.
Nevertheless, a majority stated that their firms had suffered interruption to emails/IT systems in the past year and remain concerned about the risk of their firms falling victim to payment instruction fraud and breach of confidentiality as a result of cyber attack.
Cyber security is set to remain work in progress for all of us, requiring a continuous approach to understanding, assessing and addressing the risks.
The team at Marsh
Although our appointment by the Society as the broker to its Master Policy comes to an end on 31 December, the team at Marsh remains ready to assist solicitors with guidance on cyber risks.
We thank all readers for their interest and engagement in the risk management issues addressed in this column over the years, and we hope that our articles serve to demonstrate the commitment and care which we have aimed to deliver and will continue to provide to our clients going forward.
Alistair Sim and Marsh
Alistair Sim is a former solicitor in private practice, who works in the FINPRO (Financial and Professional Risks) Practice at Marsh, global leader in insurance broking and risk management. To contact Alistair, please email firstname.lastname@example.org
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is authorised and regulated by the Financial Conduct Authority.