After a succession of years in the public eye and with no lack of controversy in 2020, it was going to take something seismic to prevent the perennially relevant slew of misconduct claims dominating the law firm risk agenda. Last year, that seismic event happened, with the world plunged into chaos as a result of the Covid-19 pandemic. Unsurprisingly, our annual risk and professional indemnity report with broker Marsh shows this has caused a serious shake-up of risk registers, with firms understandably more cautious about the potential data security pitfalls of enforced home working as well as reduced workforce availability.
Perhaps a less-predicted consequence of the pandemic, however, was the widespread rise to prominence that many law firm risk managers and general counsel (GCs) experienced last year. Suddenly, risk professionals became more integral to all aspects of the law firm business, making connections and having conversations in a way that did not take place before 2021.
As Marianne Robson, director of risk at Taylor Wessing, says: ‘The pandemic has put risk front and centre in so many things. We are involved in business development, IT and everything else much more than ever before to make sure we’re compliant. Business services teams have worked together in a very impressive way to get firms through this.’
A sophisticated threat
Even before the pandemic, firms were extremely wary of the risk of cyber attacks and other data and IT security mishaps. It was as recently as 2017 that DLA Piper became the first high-profile victim of a sophisticated malware attack, and the pandemic appears to have amplified this concern: ‘IT security breach with commercially sensitive information stolen’ amassed an aggregate risk score of 7/10 for both impact and potential (see ‘risk profile’ charts), with ‘Data privacy breach or destruction of data’ following closely in second place with an aggregate risk score of 6.9.
There is general agreement among risk managers and law firm GCs that the pandemic has only made matters worse; however, that is not the only factor. Robson argues: ‘I don’t think people’s systems are any less secure than they were, the difficulty is people trying to breach the security have ramped up in a serious way. There have been many more attacks than pre-pandemic, with new things being invented all the time, like the Post Office scam texts. I’ve had to tell my mum about 15 times not to respond to those texts!’
She insists that cyber attackers are aware that ‘people are carrying their laptops around all the time’, and that it ‘makes you more of a target’. She also highlights the dangers involved with many younger lawyers and other law firm staff working in a flat-share environment, where data can be compromised simply by someone looking over your shoulder.
Paul Haggett, GC at Burges Salmon, points to the Solicitors Regulation Authority (SRA)’s thematic review conducted in September 2020 on cyber attacks, and how its findings suggested that this will be an ongoing and endemic threat. Of the 40 firms the SRA spoke to as part of its review, three-quarters reported having been the subject of a cyber attack. Haggett summarises: ‘There are steps you can take but it’s not something you can ever feel fully protected against.’
John Kunzler, risk and error management and professional liability specialist at Marsh Specialty, predicts that law firms will rise to the mounting cyber challenge, albeit at a heavy price: ‘Risk strategy relating to cyber issues at law firms is changing, as insurance coverage, availability and pricing alter the cost-versus-benefit balance of retention and transfer. Law firm responses to these changes will demonstrate their risk maturity.’
On the added complication of enforced home working due to the pandemic, Haggett reports that Burges Salmon staff have been given a thorough warning as to the dangers of being careless with data, both at home and in the office: ‘People have had a big warning against keeping hard copy information at home during the pandemic. What firms have been trying to do is take that back to the office by removing printers too, but that hasn’t gone down well!’
Debbie Jukes, GC of Eversheds Sutherland, takes a different view, arguing that working from home has not changed her firm’s risk appetite for data security much. She says: ‘Our lawyers have always had laptops and travelled between offices, so loss of office infrastructure was less of an issue for us.’ However, she certainly agrees with the consensus that the cyber security threat is only increasing and becoming more sophisticated. The firm is employing some concerted training efforts as a result. ‘We are doing loads around authentication of systems, controlled sign-off. Constantly upgrading. Lots of testing people’s reactions to phishing, lots of education and training. There was a great one sent allegedly by our chief executive asking for information. Can’t remember how many responded! The response rate is falling though.’
Jukes also considers whether the growth of a younger, more tech-savvy generation of lawyers will see the threat of cyber attacks diminish in the coming years. She says there are ‘pros and cons’: ‘Tech-savvy people are more used to doing everything online, which is why I’m so keen to push data ethics and governance, because we can’t rely on our IT tools. You might put your entire social life on Snapchat, but you need to treat your business data differently.’
For Jukes, the enforced home working has raised a very different risk consideration: wellbeing. She says: ‘One of the biggest risks of everyone working at home is people feeling isolated. I’ve been in my spare room for 15 months, and it’s been tricky. At least I have a spare room, other people don’t. You have to be really cognisant of that.’
No lack of appetite
Of significance in this year’s survey was concern around sexual harassment remaining low on the risk agenda. This is somewhat surprising given that public scrutiny has hardly abated in the past year, during which former Freshfields Bruckhaus Deringer partner Ryan Beckwith prevailed in his appeal in the High Court against the Solicitors Disciplinary Tribunal’s findings against him in a high-profile and controversial sexual misconduct case.
The respective points related to the SRA’s code requiring solicitors to ‘act with integrity’ and ‘behave in a way that maintains the trust the public places in you and in the provision of legal services’. The case raised burning questions as to the expectations and responsibilities of lawyers in senior positions, and further blurred the boundaries between what constitutes proper workplace decorum and what constitutes private and consensual activity.
Nonetheless, ‘Sexual harassment/discrimination/misconduct allegations’ achieved an aggregate risk score of just 5.4 for both potential and impact, barely inching up on last year’s 5.3 figure.
So to what extent has this falling risk been due to increased confidence from more robust internal procedures, rather than the pandemic reducing the social opportunities for unwanted behaviour?
Robson insists that more robust procedures play an important part, but that there is also a much-needed culture change taking place: ‘Undoubtedly people have more robust procedures in place, it’s being taken very seriously. Everyone knows that in the past there was an unhealthy culture but I don’t think it exists anymore. There is a different focus on events and BD these days, going out and getting drunk with your clients isn’t what people do anymore. There can still be celebrations of course, it would be a very boring world without them!’
She reports that Taylor Wessing has a variety of ‘point out’ procedures in place to identify and stamp out any unwanted behaviour, and says that ‘women are much less afraid to make complaints now, and that’s very important’.
Haggett takes a similar line, but also highlights the SRA’s own difficulties getting to grips with new ways of working: ‘The reduction in risk of harassment claims is due to a combination of policy and people being at home. Firms have spent a huge amount of time making sure people are aware of their responsibilities. There are also difficulties for the SRA in prosecuting these things, with messy outcomes in the Freshfields and Baker McKenzie investigations. It’s made people wonder how many more of these probes there are going to be.
‘The SRA would not accept that they have lost any appetite for it. It’s worth remembering they’ve had to take a breather as well with all their people working from home.’
Robson also recognises that the SRA has been slower in their investigations over the last year due to ‘having to adapt to working from home themselves’. But she does not expect harassment claims to rise significantly once the majority of law firms are working back in the office: ‘I don’t think that negative behaviour will increase as soon as they’re given the opportunity to do it. People are very aware of the risks now. They can’t fail to be, as we tell them about it all the time! It’s never going back to the bad old days.’
Kunzler praises firms for getting their acts together: ‘Many firms deserve credit for having tackled these issues head on. While no business can be complacent, increased diversity and inclusion effort also has helped set the tone. Law firms as a group do not appear to be lagging behind other professional services firms or institutions in their approach and effort.’
The observation that firms are toughening up on these kinds of issues is supported by partnership and employment counsel. Beth Hale, partner and GC at CM Murray, says: ‘In my experience, firms are getting more alive to these issues.’ Jo Keddie and Bettina Bender, employment partners at Winckworth Sherwood, similarly praise firms for their efforts, noting: ‘A continuing and heightened awareness following on from the #MeToo movement that such conduct is unacceptable, which has been reflected by firms in more training, better policies, as well as better channels to complain about such conduct.’
However, Hale says she is ‘surprised’ that the risk of misconduct claims is so far down the agenda, theorising that the Beckwith decision may have led firms to feel that it is ‘less of an issue’. She is also surprised after reporting no downturn in law firm clients seeking misconduct advice last year, although the nature of the advice has changed: ‘We had semi-serious discussions at the start of the year as to whether our work would dry up, because it’s much harder to engage in inappropriate behaviour with someone when you’re at home! But our advice has stayed consistent, instead focusing on issues like cyber bullying and inappropriate comments on messaging systems and through Zoom and Teams. There’s been no drop-off.’
Hale also raises the valid contention that home working may have actually led to an increase in inappropriate behaviour being reported as a result of the alleged victim not being forced to confront the perpetrator in the office every day.
Pepsi vs Coke
‘Reputational damage due to firm connection with unsavoury/unethical client or client activity’ featured highly in this year’s risk register, and is almost certainly a reflection of the increasing environmental, social and governance (ESG) agenda, which seeks to hold big corporates to account on a range of associated issues. The factor had a combined potential and impact score of 5.8.
Generally, the tension is found in the perceived hypocrisy of a law firm representing a client that does not comply with the firm’s own lofty ESG standards, leading to reputational damage. In March this year, Australian firm MinterEllison found itself the subject of a RollOnFriday dressing down after its chief executive, Annette Kimmitt, penned an internal email to staff expressing how the firm’s decision to represent an alleged rapist ‘triggered hurt’ for her. Critics on Twitter were quick to pour scorn on the firm for representing such a potentially unsavoury character, while senior lawyers at the firm were upset at Kimmitt’s decision to buckle to the public pressure.
Haggett is acutely aware of the reputational risks from such perceived hypocrisy, and reports that Burges Salmon has a ‘risk committee’ of partners and other business professionals that assesses the viability of controversial matters.
A common counter-argument to being picky over potential clients is that everyone has a right to legal representation; however, Haggett explains this away with a shrewd soda comparison: ‘Everybody has a right to legal representation but not by a particular firm. It’s the classic Pepsi v Coke dilemma. “You can act for us as long as you don’t represent them.”’
Robson takes a more serious tone, however, and is alert to the risk of abandoning an iron-clad legal principle: ‘Law firms have always been very careful with reputation management, but you have to balance that out with a client’s right to legal representation. It depends on the nature of your practice. Taylor Wessing has a large private client practice and a big reputation management practice, so sometimes you will be acting for people who others might consider unsavoury. But if they don’t have a right for representation then we would be living in a very sorry world.’
She says that any such reputational risk ends up on her desk, although she claims she has never had to consider a hypocritical instruction of this nature. In addition to being morally complicated, Robson stresses that it can often be logistically complex to separate the rights from the wrongs: ‘If we were approached by a company who had made its money through hardcore porn, we would say “no”. But sometimes it’s difficult to work out exactly where the money comes from.’
Kunzler contends that ‘ensuring there is justification for how their choices align with their principles, to an increasingly wide group of internal and external stakeholders’ is becoming ‘more necessary’ for law firms. However, he also cautions against abandoning legal precedent: ‘Stakeholder education as to the importance of the right to representation and the effect of independence also needs to be part of this debate.’
Eversheds Sutherland currently has a group of ‘senior members’ who assess matters for ESG reputational risk on a case-by-case basis, but Jukes says there are plans to ‘formalise’ the process within the next year – an indicator of the issue’s rising importance. For her own part, Jukes is quick to point out that ESG is still very much in its infancy: ‘There’s a big difference between acting for someone doing something obviously illegal and a client not fitting with one’s own moral principles. I’m pretty much vegetarian for ethical reasons, but I wouldn’t say we shouldn’t act for anybody involved in the meat industry. We will find a balance, but it’s an evolving process.’
Tough as nails
During the decade that the risk report has run, it has been rare for firms to complain about professional indemnity insurance rates in what has been a very soft market. Complaints this time around are hardly unwarranted: 57% of respondents to our survey reported that the cost of their insurance increased in the last year, but strangely 66% said they thought their insurance was reasonably priced. A potential explanation for this is Lloyd’s of London’s claim that the market is currently overcorrecting for previously historically low rates.
Robson describes professional indemnity insurance as ‘a nightmare for everybody’. She adds: ‘The market has hardened. It’s gone from practically soggy to tough as nails. Everybody, without exception, has had huge increases in their professional indemnity.’ Haggett contends: ‘They keep telling us they have no money and what we are seeing now is a market correction – we should have been paying more for many years. From a firm’s perspective the concern is the limited number of players in the market. We have a good relationship with our insurers but at the moment there aren’t many large insurers looking to get into the market. The hard market can’t go on forever – it’s forced many firms to look at their policies more carefully.’
There is optimism that there will soon be more competition in the market according to Robson, although she is still concerned: ‘I don’t know how the smaller firms are managing. The capacity of the market is still quite limited at the top end. It can be quite difficult to buy that insurance that used to be available at such a cheap price it’s ridiculous.’
But in brighter predictions, it seems that the unprecedented year we all experienced may spell good fortune for the future of the risk profession. As a result of risk becoming an even more endemic part of day-to-day law firm business, teams are set to grow in both size and importance. Having a supportive executive helps, says Robson: ‘Risk really has been front and centre as a result of the pandemic in a way it hasn’t been before. I’m lucky to have a managing partner who takes risk very seriously, so I’ve had a level of support some firms don’t have.’
Jukes says that her team has roughly doubled in size over the last few years, attributing the growth to increasing regulatory requirements such as GDPR, but also the previously-discussed ESG scrutiny: ‘There’s a lot of pressure from clients now, who are very prescriptive in what they want from us in terms of data security. They want to be ethical and responsible businesses so we have to show everything we do works for them.’
And this is good news for Victoria Prescott, fellow risk and error management and professional liability specialist at Marsh Specialty: ‘Normally in times of economic crisis we observe notable cutbacks by firms in all non-profit making roles. It is superb to see that law firms have identified the significance of risk teams in the current climate and we are experiencing overall growth in a period when we would usually expect decline.’
Overall, despite the struggles of the last year and the ceaseless intensity of the spotlight on law firm risk teams, the profession is set to benefit from an invigorated next generation. As Haggett concludes: ‘There’s a regular SRA conference in Birmingham which attracts over 1,000 attendees, all risk professionals from law firms. It’s interesting to think that it didn’t exist ten or 15 years ago. It shows it has become a real career choice for young people.’ LB