This section highlights the growing importance of Information Security at all law firms due to the increasing number of security incidents being experienced across the sector. In addition to adequate defences, there is a need for detailed, robust and well-tested business continuity plans (BCP) and crisis management procedures to ensure that if an attack penetrates the firm’s defences, the organisation is able to respond appropriately, contain the event and return to full operations as quickly as possible.
Read our 'at a glance' preview below for more on this section.
• Information Security remains one of the foremost risks to the legal sector, with targeted attacks on organisations on the rise over the past 12 months. As law firms hold large volumes of client monies and confidential information, they remain an attractive target for external threats.
• 60% of firms reported suffering a security incident during the year (consistent with 2017 at 61%).
• In 2017, 33% of firms reported a security incident relating to their own staff that resulted in the loss or leakage of confidential information; in 2018 this has risen to 46%. This statistic highlights the importance of ensuring that staff are adequately trained so that confidential information remains secure.
• With the General Data Protection Regulation (GDPR) now in force, it is important for firms to quickly identify and understand the nature and severity of breaches, and to have a clear incident response plan to deal with reportable events.
• Only 27% of respondents were very confident that their IT Disaster Recovery testing has fully demonstrated that end-to-end operable services can be recovered in line with business recovery requirements.
• Only 54% of senior management have participated in a crisis management exercise in the past 12 months, with 14% of firms saying that senior management have not participated in the last 18 months.
• The statistics above suggest that in the event of a serious incident, some firms may not be fully prepared to respond appropriately.
• Scrutiny in relation to financial crime controls such as anti-money laundering, sanctions compliance and counter-terrorist financing is likely to be magnified in the foreseeable future.
• Not only is the regulatory net tightening around those perceived to be the ‘enablers’ of this activity, including lawyers, but the formation of the Office for Professional Body Anti-Money Laundering Supervision (‘OPBAS’) will also increase the attention paid to bodies such as the Solicitors Regulation Authority (and in turn, we expect the SRA to make more visits to law firms to check adherence to the rules).
• The emphasis is also changing: having systems and controls to mitigate financial crime risks will no longer be sufficient on its own. Senior management will need to demonstrate that they have arrangements in place to assess the effectiveness of these controls.