Over the past week you may have seen a number of articles in the legal press concerning a cyber-attack and subsequent major security breach suffered by Simplify group. Below, I have produced  an overview of what occurred, and a suggestion for one method to help mitigate the risk of your business suffering from a similar event.

What happened?

The Simplify Group, who own several well-known conveyancing brands such as Premier Property Lawyers & JS Law, suffered a cyber-attack. As a result, systems have been down for 10 days, scuppering home moves for many. Websites have been adversely impacted and phone lines understandably congested, leading to potential reputational damage to the law firms involved. Despite two weeks elapsing since the incident occurred, Simplify are unable to confirm if the issues have been fully fixed but they have confirmed “restored IT systems sufficiently to enable clients to move.” The nature of the breach remains undisclosed and is under investigation with the police now involved.

The firms within the Simplify Group would have had clients looking to exchange or complete on their homes naturally meaning immediate personal upheaval for those involved.Clients have not only been unable to complete on their homes, but importantly a secondary loss has occurred - personal details may have been stolen; as many had given over bank details, addresses and copies of driving licenses or passports that can result in fraudulent activity.

This is money.co.uk cites:

Rob Hailstone, a former property conveyancer and chief executive of Bold Legal Group, which represents 700 legal firms who carry out conveyancing, said: 'Simplify firms carry out hundreds of thousands of transactions each year, along with their introducing partners. My estimate would be that they do around five per cent of all transactions, if not more. (1)

It has not made clear if any compensation will be available for customers who have seen their house purchases fall through. Simplify have said they had been contacting customers who had exchanged by phone to complete their transactions and enable them to move, and that those who had a fixed completion date between 8th and 12th November had now completed. It does therefore look like the affected law firms are now clearing the backlog and transactions are now well underway.

How you can protect your business?

The risk is very real and as the vast majority of these attacks are not targeted, your firm could easily be the next victim either directly or indirectly. Whilst your PII provides protection for losses suffered by third parties (clients), there isn't protection for your own costs in the event of a cyber-attack, such as the one suffered by Simplify Group. At Lockton, we have a cyber insurance solution that provides protection and assistance in the event of a cyber emergency. When considering the Simplify incident, there has now been over two weeks of IT work being undertaken, the cost of which will likely be extensive. This alone highlights the utility of the protection afforded to firms via a Cyber Insurance policy. Whilst such a policy has not yet been mandated by the SRA, in light of this recent event and others, it is most certainly now considered best practice amongst PII Insurers.

The Lockton Datalock policy offers a tailored cyber solution for Law firms, offering necessary financial and expert support in the event of a cyber-breach. I attach a guidance note to this article that gives an overview of the coverage provided. Please do contact your Lockton representative or a member of Lockton team who will be able to advise you of what will be required in order to obtain a quotation.

Cyber Insurance does not eliminate the ever increasing threat of an attack against a law firm, however, what it does represent is the opportunity to transfer such risk, that examples such as Simplify have highlighted, lead to significant cost and the potential for reputational damage. I urge every law firm to re-visit your own internal procedures and risk management. This would include  a continuous review of your own IT security,ensuring it is continuously upgraded to reflect any possible weaknesses in order for you to stay one step ahead. Sadly, this problem is not going away and instances are increasing every year. Law firms will always be a very attractive target for the criminals, please don't think it won't happen to me.