How to combat the rise of ransomware
Lockton partner Brian Boehmer says ransomware presents severe risk to a firm’s operations and reputation, but an insurer’s security incident response team and the appropriate level of cyber insurance will help to manage and mitigate the aftermath of an attack
Solicitors have long been targets for cybercriminals due to their vast amounts of sensitive client data and funds. However, in an era dominated by digital transformation the legal sector faces ever-evolving cyber risk.
Ransomware payments on the rise
In the UK the most significant of these threats is ransomware — a method of attack that has become an even greater problem in recent years due to the value in extorting and publishing sensitive data. Previously attackers would infiltrate a firm’s systems and encrypt data, hoping the disruption would push firms to pay a ransom. Firms with uncompromised backups could often recover without paying.
To improve their leverage in ransom negotiations, cybercriminals have now started to exfiltrate data during ransomware attacks, which they can then threaten to publish online. As a result, even if a firm has backups in place, the potential damage to reputation caused by having data published online may make them more inclined to pay the ransom demand. This is a particular vulnerability for law firms, given the volume of records and personal information held.
Evidence suggests this strategy is working. The cybersecurity firm Sophos revealed that ransomware payments have nearly doubled in the past year, with UK companies paying more than the global average. They found that the average ransomware payment globally rose to US$1.5m, up from US$812,000 the previous year. In contrast, the average payment made by UK organisations stood at US$2.1m. The National Cyber Security Centre has also raised concerns that artificial intelligence could fuel the rise of ransomware, which could impact firms’ cybersecurity operations.
Ransomware risk transfer — a claims case study
Ransomware attacks can be devastating and happen instantly. One simple click of a link in a hacker’s email can potentially inflict serious operational and financial harm. In one example, a solicitor’s services firm suffered an elaborate ransomware attack in which all its computer systems and data were encrypted, including customer data. The ransomware also encrypted the company’s backups. Unable to afford the ransom demand, the company contacted its insurer. Within minutes the insurer’s security incident response team contacted company employees to diagnose the damage and minimise further loss.
In less than 24 hours the response team worked with the claims team to secure the ransom demand on the company’s behalf and to facilitate the decryption of the company’s files. A member of the incident response team was then present onsite to help restore the company’s files, perform forensics, and enable the company to return to full operations. The total time to resolution from the initial compromise was 48 hours. That said, this isn’t always the case: in some instances, fully restoring a company’s systems can take weeks.
Fortunately, the client’s cyber insurance policy covered the business interruption loss, the forensic and data restoration costs, as well as the cyber extortion itself.
Cybersecurity best practice — minimum controls for law firms
In response to the heightened risk landscape, leading experts in both insurance and risk management argue that investing in robust cybersecurity measures is not a luxury, but a strategic necessity. The cost of a cyber breach, in financial and reputation terms, far outweighs the initial investment required to fortify digital perimeters.
Insurers now require certain cybersecurity standards before offering coverage. Key controls include:
- Multi-factor authentication (MFA) for remote network and email access
- Endpoint detection and response, with updated antivirus and firewalls
- Data backups that are encrypted, air-gapped, tested weekly, and stored offline
- Training for all staff, including phishing simulations and safe use protocols for devices
- Critical patches implemented within 30 days and email filtering for malicious links
Additional controls such as privileged access management, business continuity planning, and 24/7 monitoring capabilities are also recommended.
Law firms should see these controls as an opportunity to enhance their security. A culture of cybersecurity awareness at all levels is crucial. Not only is a resilient cybersecurity infrastructure less likely to be compromised, it is also the best and only method of reducing cyber insurance premiums.
For more information, check out Lockton’s Solicitors’ Guide to PII or contact any member of the Lockton team for a second opinion.
Get in touch by emailing brian.boehmer@lockton.com, or visit our Solicitors page.