Risk Management in Law Firms for SRA and GDPR

An IT outage, howsoever caused, can impact on the structural and financial stability of a law firm in a number of ways and as such it is critical that the Senior Partners have a thorough business understanding of their plans for coping with such an eventuality. Aside from the lost productivity, lost revenue and potential reputational damage an outage can cause, having a disaster recovery plan is vital to meet law firm’s SRA compliance obligations, as well as the forthcoming GDPR legislation.

Many of the law firms and solicitors practices that I work with have no in-house CIO, and as such sometimes I find that the senior partners are incorrectly reassured by the presence of an IT disaster recovery plan that was perhaps put together some years ago and has sat in the fireproof safe ever since. This is a myth that I wanted to expel, as unfortunately, my experience is that this document needs to be constantly evolving, as our use of technology in the industry has moved on apace, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can impact on the technical success of a recovery. So in order to ensure ongoing compliance and relevance, I always recommend to the Partners of law firms that we work with to continually re-assess and test their plans around resilience, backup and disaster recovery, against the operational needs of their firm and regulatory compliance requirements. Some points to consider would include:-

• How long could you afford for each of your various IT systems to be down for?
• How much data, if any, could you afford to lose?
• When did you last try a test restore of your data or email? Did it work?
• Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
• Where are your backups held, and could you access them in the event of a disaster that say incapacitated your premises (or in a situation where the emergency services would not allow you access to your offices?)
• In the event of a major disaster, what hardware would you restore your backups on to?
• If your offices were incapacitated where would you work from and how would you connect to your recovered system?

With ever increasing regulatory and market-driven pressures, the advancement of technology and changes to working practices, coupled with constantly evolving cyber security threats , my experience is that the disaster recovery plan needs to be a living, breathing document that is constantly reviewed and re-assessed to reflect the changing landscape in which law firms operate.

If you would like help with reviewing or testing your disaster recovery plans to make sure that they meet your current regulatory and business requirements, please do not hesitate to contact me on (01494) 444065 or email david.wills@epoq-it.co.uk