CrowdStrike – what lessons can law firms learn?


Posted by Karen Edwards, head of professional development at Legal Futures Associate the Institute of Legal Finance & Management

Edwards: Disaster-recovery plans help firms recover more quickly 

As our reliance on technology continues to grow, so too does the potential for problems when it fails. Although law firms are (or should be) well-versed in the risks around cyber-security, data protection and malware attacks, the recent impact of the CrowdStrike outage reinforced the need for up-to-date disaster recovery and incident response plans, as well as highlighting many firms’ reliance on external providers.

What can we learn from the CrowdStrike incident and how can we mitigate those risks for law firm clients in future?

Access denied

On 18 July, users of Microsoft systems (i.e. the majority of UK law firms) were alerted to the fact that access to systems may have been impacted by a faulty update to the Falcon virus protection system operated by CrowdStrike – a global IT security company.

The main issues affected users’ ability to access their emails and other communications, document management systems, and other business-critical IT functions.

Although thankfully the outage was not as far-reaching as first thought, it did impact a number of UK property lawyers in particular, who were left facing delays in completing property transactions, with the Bank of England’s transfer systems being affected.

The incident caused interruptions in accessing necessary documents and communication systems, leading to slower transaction times, disgruntled clients and uncertainty over when payments would be or had been made.

Risks to be aware of

Email, document management and other compliance systems were particularly affected, causing potential for communication breakdowns with clients and other stakeholders. This led to a backlog of pending transactions and increased response times.

Issues with the Bank of England’s payment transfer systems added to these delays, particularly affecting property deals requiring timely financial transactions and causing possible legal risks due to delayed filings and responses.

Some of the potential risks the incident highlighted for lawyers to be aware of included:

Missed deadlines – for documents such as property deeds or regulatory filings, which could lead to legal penalties and the loss of legal rights for clients;

Missing contractual obligations – many property transactions are governed by strict contractual timelines. Delayed responses or filings can be seen as a breach of contract, potentially leading to claims from the affected parties;

Transaction delays – delays can cause financial losses due to postponed property transactions, affecting the liquidity and financial planning of the clients involved; and

Reputational damage/impact on client service – although the incident was due to an issue with a third-party supplier, missed deadlines and delays inevitably frustrate clients and can erode trust. Serious delays could lead to breaches of service level agreements, and even claims for compensation, reduction in legal fees, etc.

So, what can firms do to ensure these risks are mitigated, to the best of their abilities?

Implement robust IT systems with contingency plans: Ensure that technology and cybersecurity systems are resilient and have back-up plans to handle disruptions. Firms with well-prepared disaster recovery plans managed to mitigate the impact more effectively, ensuring continuity of operations despite the disruption.

Client communication: Maintain transparent communication with clients about potential delays and their implications at all times. Consistent and clear communication goes a long way in maintaining good relationships, especially in times of difficulty.

Regular training: Provide ongoing training to staff on the importance of meeting deadlines and managing delays effectively (including the aforementioned communication with clients).

Compliance monitoring: Regularly review and update compliance policies and procedures to ensure adherence to legal and regulatory requirements and IT best practices.

It remains to be seen whether the CrowdStrike incident will result in legal ramifications, but it has provided a timely reminder for law firms of their reliance on technology and acted as a helpful prompt to review and strengthen cybersecurity measures and IT resilience strategies.
