Cyber security for law firms
Storing sensitive data puts your law firm at a higher-than-average risk of targeted attacks aimed at that data. Riela Cyber can provide a risk assessment of your current cyber security posture, then use it to understand your specific risk and build the SOC services that best fit your needs going forward.
Loss of confidential information can damage your law firm's reputation and severely undermine your standing as a trusted service, inevitably creating long-term negative impacts for your clients. At Riela Cyber we use protective SOC services to keep your data secure. Our team of cyber engineers does this by actively hunting for threats that could affect your systems before they reach them.
Unsurprisingly in the current climate, phishing scams and hackers are everywhere, attempting to get their hands on the sensitive information that passes through the legal industry. What may surprise you is that cyber breaches often occur through the fault of employees within a law firm. Not following passphrase security recommendations, or being unaware of what a phishing scam could look like for them, are among the many reasons why so many companies fall victim to these scams. This is why we educate firms on cyber security using methods of behaviour change, rather than just tick-box training which is easily forgotten.
In September 2020, the Isle of Man Financial Services Authority (FSA) updated its regulatory guidance on cyber security. The IA2008, CGC2020 and CGC2018 contain provisions broadly requiring regulated entities to have the following in place for effective corporate governance. The following information is copied from the FSA’s original document, which can be found here.
FSA Best Practices:
- Promotion of organisation-wide support for cyber risk management by the board;
- Regular inclusion of cyber security on board agendas;
- Appointment of someone suitably senior within the organisation to be responsible for cyber security matters;
- Establishing the risk tolerance of the firm and overseeing the design, implementation and effectiveness of a cyber security framework which is tailored to the nature, size, complexity, risk profile and culture of the business;
- Articulating lines of reporting and escalation.
Where relevant legal and regulatory requirements apply, the FSA expects regulated entities to:
- Identify and assess risks associated with IT vulnerabilities such as cyber attacks as part of their risk management framework;
- Implement appropriate and effective controls, for example systems, policies, procedures and training initiatives, to help protect against and manage the risks associated with cyber attacks;
- Proactively monitor activity within your network to detect potential cyber incidents;
- Review, and where appropriate revise, the controls associated with cyber threats at
FSA Best Practices:
- Identification of functions, activities, systems, assets, information, products and services – including interconnections, dependencies and third parties – prioritising their relative importance, and assessing their respective cyber risks;
- Implementation of appropriate policies and procedures, including procedures to verify the legitimacy of all requests received by all methods of communication (the verification procedures should require the verification of all details, for example, including the beneficiary’s name and bank details rather than just the amount in relation to payment requests);
- Management and control of user privileges, control of removable media usage, and monitoring of mobile and home working procedures;
- Ensuring that systems are secure, for example, by keeping operating systems, software and web browsers up to date, installing anti-virus solutions on all systems, backing up important information on a regular basis (it is advisable to store backup files in a secure offsite location), and ensuring that mobile devices with access to their systems are secure (e.g. via encryption and password protection using strong passwords);
- Monitoring the use of all equipment and IT systems to detect anomalies and events indicating a potential cyber incident;
- Ongoing cyber awareness and training initiatives to ensure that staff understand the risks associated with cyber attacks and the procedures that have been put in place to mitigate the risks associated with the same;
- If a firm is involved in payment card processing or it stores, processes or transmits cardholder data and/or sensitive authentication data, it should consider the best practices set out in the Payment Card Industry (PCI) Data Security Standard;
- Conducting cyber security tests, for example penetration testing of systems (firms may wish to consider engaging the services of an external specialist to carry out such tests);
- Keeping up to date on current cyber threats and where appropriate revising controls accordingly – being alert and responsive to new cyber threats is crucial given the escalating risks that cyber threats pose.
- Where the relevant provisions require a written agreement between the regulated entity and the service provider, that agreement should include the respective responsibilities of the parties to it. Consequently, such an agreement may need to include provisions dealing with each respective party’s responsibilities relating to IT security.
- Whether an activity constitutes a material management or business function/significant outsourced function will depend, for example, on the nature of the business concerned and the services that have been outsourced. However, the significance of the risks that service providers pose is not necessarily proportionate to the materiality of the service that is outsourced or delegated. Therefore, the risks in relation to all outsourced services and delegated functions should be managed as part of the broader risk management framework, for example by taking measures to prevent access to systems and confidential data or taking appropriate measures to determine that service providers have appropriate and adequate cyber security standards and procedures in place to protect assets and client related information.
- Where relevant legal and regulatory requirements apply, regulated entities ought to have in place business resumption and contingency arrangements which would enable them to suitably respond to, and recover quickly from, a successful cyber attack.
- The associated policies and controls should clearly set out decision making responsibilities, define escalation procedures and establish processes for communicating with appropriate stakeholders (see also reporting incidents below).
- In the event that a cyber incident occurs, the response should also involve an assessment of scope, nature and impact of the incident and steps to contain and mitigate the impact of it, including removing any ongoing threat such as malware.
- The response and recovery plans should also take into account the fact that communication methods such as email may not be operational.
- The resumption and contingency arrangements should be tested and reviewed at appropriate intervals in order to make contingency planning effective.
- Recovery should include remediating vulnerabilities to prevent similar incidents occurring in future.
- Successful cyber attacks have the potential to cause significant and long term detriment to affected clients.
- Successful cyber attacks also have the potential to undermine confidence in the Island’s financial services sector as a whole.
- Therefore, relevant regulated entities should ensure that these factors are taken into account within their governance arrangements and risk management framework in the context of cyber risks.