The constant risk of cyberattacks is a pressing concern in today’s interconnected digital world. Certainly, it’s a principal risk for many in the legal sector.

Cyberattacks pose significant risks to sensitive client information, business assets, business continuity, and professional reputation. For legal professionals, there can be two roles here. Firstly, for those of us involved in protecting our own business, we must implement appropriate cybersecurity measures to safeguard the business and its assets. For others, it’s simply to be assured that any information shared is protected given that it may be privileged, confidential and/or we owe duties of care to our client.

Given the increasing cyber risk and following a wave of cyberattacks impacting barristers and their chambers in 2021, the Law Society and the Bar Council convened a Cybersecurity Working Group. That group consisted of a small group of solicitors, barristers and information security personnel from across the legal sector. I was fortunate to be part of the group, given my role and experience over the years as data protection officer for DAC Beachcroft, as well as working on its information security, cybersecurity and business continuity.

Over the past few years as cyberattacks emerged, many solicitors’ firms reacted by sending their respective security questionnaires to barristers and their chambers. This was so that firms could be assured that any shared information was appropriately protected. In some cases, chambers were receiving questionnaires that were all different in content and format and would have taken considerable time to complete.

The pinch for DAC Beachcroft, like many law firms at the time, was that we sat between a client (demanding to know that their information was appropriately protected) and chambers (who were not geared in the same way as a law firm, with dedicated security resource). The unique set-up of chambers, and their relationship to their respective collective of self-employed barristers, only made the situation harder to navigate.

To address this issue, in spring 2022, the joint Cybersecurity Working Group of the Law Society and Bar Council published its first version of a simple, standardised Information Security Questionnaire, that could be sent to chambers for completion in relation to common shared IT systems that their barristers use. Although the questionnaire could not cover in detail all aspects of data protection, cyber and information security, it contained 24 questions aimed to ensure compliance around key security areas.

Whilst I can’t speak of the approach taken by other law firms, DAC Beachcroft sent the questionnaire to all chambers where its barristers had been instructed over the proceeding two-year period. Following a successful completion rate of over 90%, and a seemingly decrease in the number of cyberattacks impacting barristers and their chambers since the release of the questionnaire to the legal market, the questionnaire seems to have fulfilled its role. Of course, the success of the questionnaire can be partly attributed to the legal market adoption by many law firms and chambers in using one standard form since it was released. Not only did the questionnaire help chambers implement appropriate base controls, but it also acted as an educational guide to recognise the importance of having the appropriate information security measures in place.

Fast forward to 2024 and the Cybersecurity Working Group has published a second version of the questionnaire, which expands on some new areas of security. Coupled with this, a voluntary Cyber and Information Security Affirmation has also been published that can be automatically appended (within a case management system) to an instruction to a barrister. Its aim is to act as an aide-mémoire to ensure the protection of data being shared.

Although the questionnaire and affirmation can’t mitigate all risks, they are great tools to deploy to ensure an agreed baseline understanding and application of controls to protect information being shared. Fundamentally, it allows legal professionals to maintain the trust of our clients not only through the protection of their information but also in high quality legal services delivery.

 

Mathew McGee is partner in DAC Beachcroft's Office of the General Counsel and a member of the joint Law Society-Bar Council Cybersecurity Working Group

 

Topics