Sponsored content: Kye Brown, business development manager at Coalition, explains how professional services firms can be impacted by the threat of cyber attacks

In November 2023, a cyber attack on IT provider CTS caused downstream chaos for dozens of law firms that depended on the technology.

Kye Brown Coalition

Kye Brown

A single event led to a ripple effect, damaging company reputations and delaying sales.

Maintaining trust and ensuring client data privacy are significant concerns for the professional services sector. And legal firms, in particular, have a duty to protect client privilege and confidentiality.

Cybersecurity must be a priority for these and other organisations that provide professional services and manage client data, yet many professional services firms – particularly SMEs – still do not have the budget or resources for a fully developed security posture.

And many don’t consider the security of the service providers they rely on for their day-to-day operations. Moreover, many of these organisations don’t have cyber insurance, making the aftermath of a cyber incident potentially messy and costly.

This case raises important considerations for the professional services sector and the insurance brokers who help it manage cyber risk.

Understanding third party risk

Professional services firms handle a huge amount of client data through customer relationship management systems, document management systems, legal practice management software, payment processing software and, of course, email.

Keeping all these channels secure is a challenge, to say the least.

There are many types of third party risks that these organisations should know about to keep their clients’ data secure. Like the CTS example, if a threat actor takes a vendor’s systems offline, its clients’ operations are impacted – while the client waits for its vendor to restore systems, it may experience significant business interruption and reputational damage.

Third-party risk may also impact professional services firms if threat actors compromise a software provider because the threat actors can directly access clients’ data and documentation within the system and hold it for ransom.

Last, third parties may be ripe targets for funds transfer fraud. For example, many businesses often bill vendors or suppliers or vice versa. With this constant exchange of payments, threat actors can become the middleman, intercepting transactions to reroute and steal funds.

Security solution

Cybersecurity is often left to internal IT departments to handle – who might be operating with limited resources – or companies will outsource their security to managed service providers, opening them to third-party risk.

While cyber insurance may not be the obvious security solution for SME professional services firms, today’s cyber insurance providers are doing more than transferring risk and helping organisations pick up the pieces after an attack.

Coalition, for example, provides attack surface monitoring and risk management technology to policyholders to help them check their own open security vulnerabilities, as well as the vulnerabilities that impact their third party vendors.

This broad monitoring is useful for due diligence before signing a contract and as part of ongoing security vigilance. Many insurance providers, like Coalition, also offer threat alerts on the latest vulnerabilities.

The professional services sector handles massive amounts of sensitive data, works with many disparate parties and typically has to maintain some level of confidentiality.

This combination of qualities also means increased cyber risk.

Armed with an understanding of these unique risks, brokers can help their clients not only better manage their own risk, but also better protect against cyber threats they take on via their service providers.