Accountants & Solicitors Ignore Cyber Risks
By Duncan Sutcliffe
As an insurance broker, my clients expect me to appraise what is valuable and important to their business, assess the potential threats and the consequences of an incident, and then advise on ways to reduce the risks and recommend relevant insurance to mitigate any potential losses. When it comes to Cyber Risk - and despite the constant warnings from government, experts and the media - getting business owners to act responsibly is tough.
To provide an example, I recently visited a solicitors' practice and a firm of accountants. Both were SMEs; the Solicitors had 5 offices and about 200 staff, the Accountants had one office and about 30 staff. They were typical professional firms that could be found anywhere in the UK dealing with a mix of private and commercial clients who trusted them to handle their affairs professionally and responsibly.
The conversations with both were very similar. Firstly, being in regulated professions they both had to have Professional Indemnity Insurance, designed to cover them for accusations of errors or omissions in the professional service they provide.
To manage this risk they worked hard to ensure their staff received ongoing training and procedures were in place to make sure things were done properly and records were kept. All was good.
Like most businesses they also insured their equipment & property against eventualities like fire, theft & flood.
To reduce the risk they had in place property maintenance programmes, intruder and smoke alarms, fire extinguishers, locks on the windows and the Accountants even had security shutters on the ground floor windows. Again all good, but then the conversation came to their Information Technology, data and electronic communications…
Both firms were proud to tell me that they were moving to a more mobile and paperless system of working and agreed that data and communications were invaluable and essential to their business, far more important even than their equipment and even potentially many of their people, perhaps only on a par with reputation in terms of importance. This is a pretty common picture from SME firms, especially those across the professions.
When we moved on to talk about how they managed the risks that came with more digital dependency things quickly appeared to get rather vague. They had ‘an IT chap’ to look after their systems and they thought that there were backups and maybe a firewall but beyond this the business owners didn’t really know much about the safety of their most important assets. There had been no high-level discussions with the ‘IT chap’ about the business and the owners hadn’t detailed what was important to them and their clients.
The people in the firm had no training in the safe use of IT [and of course there were no policies in place that set out procedures]. The staff were allowed to use their own phones, laptops and data sticks with barely any control over password and access processes. Generally, these firms, who were so proud to talk about how they were striding forward into a more digital future, had little idea what they really needed to do to protect themselves from Cyber Risk.
It was clear to me that these firms needed to act and start looking at how they should be better controlling their Cyber Risk. One of the measures that could prove valuable was Cyber Insurance, a relatively new class of insurance that is designed specifically to cover costs of a breach and provide post-incident support. It is highly relevant to SME firms as the cover available varies and a good policy will provide crisis management from IT specialists, lawyers and PR consultants who can help restore systems, respond to legal issues and minimise reputational damage. In addition, it can cover a range of financial costs including litigation, fines, penalties, extortion and lost income.
Despite having acknowledged the critical importance of the IT & data their businesses depended on, they simply did not think they were at risk at all and chose not to consider the benefits that better information security and cyber insurance would bring the firms. Of course, there was some concern over the cost of the measures needed, but as the businesses already depended on the systems and data, they were taking a much bigger risk, one that could easily cripple their firms.
Both firms were making the same mistakes …
By assuming that their ‘IT chap’ had things under control, they wrongly thought a breach was highly unlikely.
This was compounded by seriously underestimating the disruption, recovery costs and the potential damage to their reputation.
This, unfortunately, is not an unusual situation, as far too many normally careful business owners consistently fail to appreciate the vulnerability of their systems and seriously underestimate the consequences of a breach, contrary to the evidence. Reliable studies are repeatedly showing that SME firms are increasingly being targeted and that the losses being experienced are increasing, with the average cost of a data breach now over £50,000.
In addition, the Information Commissioner has recently singled out law firms for reproach due to lax data security across the profession, which is backed up by a PwC report showing 73 of the top 100 law firms in the UK had been targeted by cyber attacks in 2015. The Institute of Chartered Accountants England & Wales and the Law Society are both so concerned about the situation facing their members, they have launched a joint training package in an attempt to reduce the number of breaches and improve the reputation of their members.
Considering how central data is to these professions and the value of this data to the firms and clients, this lack of ownership was very worrying. The businesses were prepared to spend money on preventing and insuring against remote risks such as theft & flood, but were in complete denial when it came to the most valuable and vulnerable assets they were responsible for.
So what should Solicitors & Accountants do? Information and data management need to become central to the company culture and should be a board level concern as a data loss or breach could be fatal to that business and their clients.
A good start would be to aim for Cyber Essentials and IASME certification. This enables firms to achieve a sensible base level of cyber hygiene tailored to their situation and to achieve certification demonstrating to their clients that they are serious about the care of their data. Personnel would need to have training on cyber risk and be made aware of their crucial role in keeping information and the business secure. Lastly, firms should speak to a specialist broker about how cyber insurance can help with the costs of responding to a cyber event and mitigate other financial and reputational losses.