Cyber crime attacks reputations as well as systems
Planning can help firms limit the reputational damage of a cyber attack, explains Gus Sellitto
Ask any in-house PR what they see as the biggest reputational threat for their law firm and the risk of a cyber attack is likely to feature high up on their list. Indeed, the very words ‘cyber attack’ are enough to induce fear in any custodian of a law firm’s reputation. And that fear seems to be increasingly validated by data which shows such attacks are on the rise.
This year’s NatWest Legal Benchmarking survey generated a few more column inches than usual because of its findings on cyber crime. It shows that one in four of 269 law firms have fallen victim to cyber attacks. Larger firms have been most affected, with 36 per cent of London outfits having suffered at the hands of cyber criminals. PwC’s 2016 Law Firms Survey reported that 73 of the top 100 firms experienced an attack during the last financial year, up from 62 in 2014/15.
The fact that law firms hold valuable data about high-profile organisations and individuals – as well as large sums of client monies – makes them an obvious target. This hasn’t escaped the attention of both the Information Commissioner’s Office and the Solicitors Regulation Authority. Moreover, from May next year, when the EU’s General Data Protection Regulation is enforced, all businesses handling EU citizens’ personal data will have just 72 hours to notify data subjects of a breach. This means we are likely to see more data protection breaches being played out in public, with the added risk this type of exposure poses to law firms’ reputations.
Apart from the usual risk and compliance procedures firms invest in to try to prevent and plan for cyber attacks, they also need to think carefully about how they communicate in the wake of an attack or a data breach. Here are some of the steps we advise firms to undertake when devising reputation management plans around cyber risks:
Create communications protocols detailing how you respond in the wake of a cyber attack. They should include internal and external communications with identified spokespeople and a chain of command for escalating enquiries, together with scripts for reception staff;
Map out the various scenarios that could play out in the event of an attack and, in turn, how each scenario could impact your stakeholders (e.g. staff, clients, the media). Prepare a Q&A document which rehearses and responds to the questions each group might ask you;
Prepare reactive media and client statements to have ready to distribute, if the need should arise; and
Rehearse and revise your communications plans, protocols, and statements in light of your firm’s risk profile, new legislation, and wider technological and economic developments.
All the planning in the world won’t prevent these attacks from happening, as the criminals who perpetrate them become ever more sophisticated. However, having a suite of information ready to send out in an emergency means a firm will be much better equipped to communicate effectively during a crisis situation.
A cyber attack or a data breach can have a profound and negative impact on a firm’s business. Good communication planning and response in such situations can at least help to mitigate enduring damage to your reputation.
Gus Sellitto is managing director of Byfield Consultancy