
Professional Indemnity Risk Alert: The growing threat of ransomware

Exploring the growing threat of ransomware and building your firm's resilience to cyberattacks.

The Solicitors Regulation Authority's (SRA) recent Risk Outlook report, Information security and cybercrime in a new normal, highlights that IT security is more important than ever before.

The SRA notes that the key types of IT threats it is seeing in cybercrime reports are:

Ransomware is one of the biggest cybercrime threats we face today. According to the UK National Cyber Security Centre (NCSC), in the first quarter of 2021, there were three times as many ransomware attacks as there were in all of 2019. Research suggests that 61% of executives expect this to increase in 2022. 

Despite many firms having cybersecurity controls in place, attackers craft phishing emails that get past technical controls by exploiting human error. Ransomware attacks are often initiated when an employee opens what looks like an innocent email attachment; the attachment downloads malicious software, which then encrypts files across the network. What makes ransomware attacks more concerning than other cyberattacks is that, as the name suggests, the malicious software is accompanied by a demand for payment. The attackers extort the business by claiming that payment of the ransom is the only way to unlock the network or retrieve the captured data. Paying does not guarantee a working decryption tool, nor that any stolen data will be deleted rather than published, which is why law enforcement and the NCSC advise against it.

Ransomware demands vary in size depending on the cybercriminals' perception of a business's propensity and ability to pay. The recent Colonial Pipeline and Kaseya ransomware attacks are examples of some of the larger ransoms known about in the public domain, but many smaller businesses have faced demands in the high hundreds of thousands to millions of pounds. Beyond the obvious costs of the ransom and the remediation, firms will also face the less tangible but highly consequential impacts of brand erosion and loss of customer confidence and trust.

Key steps to help thwart ransomware and other cyberattacks:

Train your staff so that they can recognise suspicious emails and understand what not to do: they should not respond, not open any attachments and not click on any links. Staff should also know how and where to report suspicious emails.

Simulate phishing attacks to identify any ongoing training needs.

Build a no-blame culture so that staff report suspected breaches immediately rather than hiding a mistaken click.
 
Back up your systems, keep at least one copy offline or otherwise isolated from the network so that it cannot be encrypted along with everything else, test regularly that backups can actually be restored, and have the ability to rapidly disconnect systems if an attack is detected.

Review Mitigo advice for ransomware resilience (as promoted by The Law Society). 

Consider Cyber Essentials accreditation, designed to build minimum standards of cybersecurity in small and medium-sized businesses. For larger businesses, Marsh's 12 key controls framework identifies the controls that cyber insurers recognise as the most important. 

By taking these steps, you can reduce the threat of ransomware to your firm and improve your resilience to cyberattacks.

Meet the authors


John Kunzler

Managing Director


Victoria Prescott

Senior Vice President