Risk management survey 2020 – Crooked timber

Sponsored by Marsh.

The ongoing #MeToo saga within the legal profession was only a few chapters old last year when our annual risk and professional indemnity report with broker Marsh went to press. Fast forward a year and law firm risk managers and general counsel are faced with a harsher environment to navigate on many fronts. Not least is the Solicitors Regulation Authority (SRA)’s tougher stance on sexual misconduct allegations and calls for firms to have better procedures in place for handling internal complaints, as laid out in the regulator’s new Standards and Regulations (StaRs) rulebook last September.

As Stephen Morton, senior vice-president for professional risks at Marsh, observes: ‘It is striking how human the risks are now, compared to ten years ago after the financial crash when [they] were very much measured against loss strategies. There has been a shift to realising that the legal profession is fundamentally built on people.’

Protection racket

Despite the increased consciousness of human weakness, cyber security threats, such as hacking and data privacy breaches, keep their place as the most serious risks facing law firms. ‘IT security breach with commercially sensitive information stolen’ had an aggregate score of 6.9/10 for impact and potential in the risk profile chart (below), as did ‘Data privacy breach or destruction of data’.

‘Anything that calls into question a lawyer’s ability to keep information confidential is potentially damaging to the integrity and reputation of the lawyer and their firm,’ says Allen & Overy’s GC Andrew Clark.

However, both the impact and potential for IT and data privacy breaches on the risk profile have declined compared to last year. The aggregate score in 2019 for data privacy breaches or the destruction of data reached 7.5/10, suggesting that firms are becoming better at mitigating cyber risks and continue to invest in IT infrastructure upgrades, third-party security assistance and cyber insurance. Or, more likely, the collateral damage suffered by DLA Piper as a third-party victim of hacking in 2017 is still fresh in the mind. No firm wants a repeat of the malicious malware attack that crippled the global giant nor the kind of sensitive document leakage that led to the closure of Panamanian law firm Mossack Fonseca & Co in 2018.


‘Ten years ago I’d hear that law firms around the world were seen as a potential weak back door and a way for cyber criminals to access clients’ information. Firms were behind the curve on this, but they have definitely improved their responses over the years,’ says Chris Andrews, director of risk and compliance at Pinsent Masons.

Also, adds Hilary Battison, senior vice-president at Marsh, the nature of the threat has shifted, making possibilities for blackmail more diverse: ‘It used to be ransom demands based on disrupting access, but now hackers recognise the reputational harm to firms and so it’s threatening to release stolen data.’

Training around the dangers of clicking on malicious links online has, therefore, become crucial: ‘You must bear in mind that once you’ve done all you can to manage the risk – like a continual cycle of refresher training – you can only do what you can do and often these things happen because the firm falls victim to human error, like somebody clicking on a link in an email despite the numerous warnings,’ comments TLT’s director of risk, Jon Green.

The role of human error in opening up firms to cyber attacks is unsurprising: procedural oversights, such as failing to complete key steps in a process, were ranked by respondents as the professional negligence situation with the most potential to occur in firms (see chart below). ‘I used to work for the Solicitors Indemnity Fund and I don’t think the cause of claims has changed much over 30 years. It’s not a lack of knowledge about the law but normally slip-ups in procedure; failing to file something at court, or failing to put a date on something,’ adds Green.


Few risk managers point to a particular trend in the rise or decrease of claims against the top 100 firms in 2019. ‘I don’t think firms have broken any ceilings for high, single-value claims. It’s not necessarily a huge trend in volume,’ says Morton. However, professional indemnity (PI) insurance premiums are expected by heads of risk to grow in line with the steady hardening of the insurance market in the last few years. In 2018, Lloyd’s conducted a review of the PI market and concluded it was an underperforming line of business, putting pressure on insurers to turn the sector around.

Despite familiar calls that premiums will rise, 58% of respondents to our survey say the cost of the total limits of their PI cover has not changed compared with last year. ‘This is surprising, as there has been a lot of [insurance] provider exits from the market,’ says John Kunzler, risk manager for claim avoidance and reduction at Marsh. Sixty-three percent of firms surveyed also regard their PI cover as reasonably priced, with the average total coverage for the Legal Business top 25 firms £300m. ‘Pricing has increased, but firms are getting the better end of the deal. It has increased by 30-40%, but objectively it is a one-in-a-100-year risk that firms need to claim, so [they] still see the significant value in the cover,’ says Morton.

‘The level of claims being paid out means it’s good value for money – I have heard that paid-out claims of £3m are not unusual and there is an increase in the £50m-plus claims. The biggest worry for firms is the hardening of the insurance market and the reduction in the number of insurers,’ adds Claire Larbey, GC at Trowers & Hamlins.

Into disrepute

Ask risk managers what their top priorities are for 2020 and complying with the StaRs and new anti-money laundering (AML) regulation comes out on top. New government legislation in the form of the Fifth Money Laundering Directive came into play in January, requiring firms to carry out more rigorous AML checks on legal matters. Compliance officers for legal practice recently had to confirm their firms had completed risk assessments and the SRA will do more inspection visits soon.

Scrutiny by the SRA over professional misconduct has become far more evident in the last three years. Two Clyde & Co lawyers were suspended last year pending an SRA investigation into alleged breaches of accounting rules. ‘Innocent involvement with fraudulent/money-laundering client’ scored reasonably high on aggregate on our risk profile chart, with an aggregate score for impact and risk of 5.8/10, while the new AML regulation has been identified by some risk managers as an area of cost increase in firms.

However, while risk management costs are expected to grow in line with general compliance and regulatory costs following General Data Protection Regulation implementation in 2018 and ongoing AML rule changes, law firms are not expecting recent regulatory changes by the SRA to affect their internal costs dramatically: 44% expect cost increases of £250,000 or less, while 36% predict no change.

AML rules aside, much of the focus by GCs and risk managers over the past year has been on complying with the StaRs, ushering in new sexual misconduct reporting obligations on solicitors as part of the SRA’s shifting remit to ‘promote a culture where ethical values and behaviours are embedded’, as its enforcement strategy says. This culture of being seen to be doing the right thing has filtered down from clients to law firms, with cultural pressures from ESG guidelines now demonstrating that business doesn’t just have to be legal; it has to be done the right way.

No GC or risk manager at a top-100 firm is likely to underestimate the potential for misconduct allegations, particularly those of a #MeToo nature, to seriously damage their firm’s reputation and now, for the first time, the SRA has explicitly spelt out sexual harassment as serious misconduct. Under the new code, it is now necessary not only to report any alleged misconduct to the SRA even before any internal investigation has been concluded by the firm, but also if misconduct is only suspected and no investigation has yet been launched. Much of the thinking behind this comes as Baker McKenzie faces prosecution by the Solicitors Disciplinary Tribunal (SDT) and was accused of ‘collective failure’ in December for the way it handled allegations of sexual misconduct against its former London head, Gary Senior.

Taylor Wessing’s director of risk Marianne Robson’s reading of the new rulebook is that it has more emphasis on the personal behaviour of lawyers. ‘We’ve been through the new code with a fine-tooth comb, and there’s much more emphasis on ethics and culture, but it’s not just the code – it’s the action taken by the SRA against issues in lawyers’ personal lives.’


However, some risk managers and GCs are quick to point out that the threshold for reporting misconduct has been lowered. ‘The test has been lowered. We are all alive to the lower bar. The concern is that this will swamp the SRA. An example it has put out is an advocate turning up late for court. Well, it’s going to get loads of reports then,’ says Burges Salmon’s GC Paul Haggett.

‘Lowering the threshold presents a challenge for the SDT. How will it manage the increased number of cases that will be brought by the SRA?’, adds Battison. However, Macfarlanes GC Jo Riddick notes: ‘The self-reporting threshold hasn’t lowered as such, but the trigger for reporting allegations is now earlier. That makes sense for the profession and it means risk departments need to work more closely with HR – that’s a new focus. HR is very alive to the need to involve risk teams.’


And yet, while the issue is critical, there is very much a sense that media coverage has exaggerated how much damage could occur from a risk perspective. ‘Sexual harassment/discrimination claims against partners’ this year only had an aggregate score of 5.3/10 on our risk profile for potential and impact, slightly down on last year’s total score of 5.7 for sexual harassment complaints against partners – and the 2019 report came at a time when the #MeToo crisis was gripping the legal profession. This is despite some high-profile cases since, coupled with increased regulatory scrutiny on sexual misconduct within the legal profession.

Freshfields Bruckhaus Deringer was rocked last year by the sexual misconduct case against former partner Ryan Beckwith at the SDT in October. The tribunal found Beckwith’s behaviour was in breach of principles two and six of the solicitors’ code of conduct, requiring solicitors to ‘act with integrity’ and ‘behave in a way that maintains the trust the public places in you and in the provision of legal services’. Although by late February this year Beckwith had filed an application to appeal the decision to the High Court, the reputational damage to Freshfields and Bakers – through its ongoing SDT hearing over Senior – is difficult to gauge.

Sarah Chilton, an employment law partner at CM Murray, says: ‘If a firm thinks it has no issues and it’s of a certain size, it just doesn’t know about those issues.’ She has, however, seen more client demand for her to conduct ethical behaviour training in law firms. ‘There has been a lot of training in place [in firms] and more rigorous internal codes of conduct. However, time will tell whether the actions taken have been effective,’ adds Kunzler.

Some firms have chosen to go further than others. A few have been cancelling skiing trips; in January, Linklaters introduced ‘sober supervisors’ at work social gatherings; and, last December, Freshfields voted in sweeping reforms to its handling of misbehaviour, including financial penalties, as a way of mitigating the #MeToo fallout. The move to establish a conduct committee followed a consultation and implements new enforcement protocols that mean partners who receive a final warning about their behaviour could face an automatic fine equal to 20% of their profit share for 12 months.

‘Policing alcohol is more of a sticking plaster, though probably it is necessary. There’s a bigger cultural issue. The problem is that people don’t realise where the line is and that’s why they cross it. They need more training on acceptable behaviour,’ says Chilton.

Tightening up of the SRA’s reporting procedures for sexual misconduct allegations is not without its challenges, as risk managers see it. The new code puts a legal and regulatory duty on a staff member in a law firm to report suspected misconduct, even if those reporting their suspicions do not want the matter to be taken further. ‘The potential difficulty is that the [new reporting conditions] might deter people from telling you if they don’t want it to be reported to the SRA. We had a big debate about this. We had to tell people that if they come to us with something they need to know that we will have to report it,’ says Robson.

Avoiding conflict

And while sexual misconduct reporting is a difficult current issue firms face, an older, longstanding risk remains as potent as ever. ‘Acting where there is a conflict of interest’ has worked its way up the risk rankings this year, with an aggregate score of 5.8/10 compared to last year when impact/potential came in at 5.5/10.

Reasons for this are unclear, with the consensus being that conflicts are a perennial issue for law firms and will always remain high up on the risk register. However, Debbie Jukes, Eversheds Sutherland’s GC, reflects: ‘As we grow as a law firm, the likelihood of a conflict developing gets higher because of the wider and more sophisticated client base.’

‘As clients become more aware of their leverage, they are more likely to use their bargaining power,’ adds Andrews. ‘Maybe this has moved up the risk rankings and gained a higher profile as economic times have hardened and firms are looking more aggressively for work opportunities.’

Competition from New Law and alternative providers has also risen up the risk register with a combined score of 5.4/10 compared to 4.6/10 last year. Risk managers, however, are relatively relaxed about their potential disruption in the market. Not all risk managers assess their threat either. Says Riddick: ‘We don’t risk assess New Law providers, but we are aware of start-ups and we undertake some AI projects. To some extent, competition is good.’

Andrews echoes the point: ‘New Law providers appear on our risk register as an area of competitor risk, but we don’t see them as an immediate risk. If anything, they’ve acted as a catalyst to encourage us to look laterally or imaginatively at our offerings to remain competitive.’

In last year’s risk report, Kunzler expressed surprise that law firms were not more concerned about the rise of New Law and the legal services of the Big Four accountants. However, a year on, he believes traditional law firms have adapted quickly to the challengers proliferating in the market: ‘Law firms have created more products for clients, like using data sets and giving clients access to them. It’s hard for disruptors to penetrate then.’

Another major competitive challenge to revenues in recent years has been clients preferring to keep work in-house and expanding their own legal teams rather than referring matters to external advisers. As such, ‘clients of law firms insourcing more legal work in-house’ has moved up the risk profile rankings this year to reach an aggregate score of 5.5/10, compared to 5/10 in 2019, and has moved five places up the rankings for risk potential on last year, even overtaking ‘loss of a major client’.

Mind over matter

‘Impact to the business from exiting the EU’ came in with an aggregate score of 4.7/10 in our risk profile. With the bulk of Brexit-proofing operations seemingly behind most law firms, there are still risk assessments to be done as the UK finally begins the transition away from the EU and there is no certainty as to what shape the deal is going to take. Firms still need to prepare for a no-deal scenario and for the potential that the UK will not be granted ‘adequacy’ status as a safe hub for data processing after Brexit. ‘That continues to be a concern, but we can’t do much to finalise planning until we get a definite answer from the EU,’ says Green.

For international firms with offices elsewhere in the EU, the situation also remains in flux. Says Jukes: ‘We have a Paris office and the situation in Paris is not yet clear. The French parliament passed a law to say that firms are essentially grandfathered in Paris if the UK left the EU without a deal. But it seems that if the UK leaves with a deal that doesn’t cover legal services, the position is also unclear.’

Undoubtedly, regulatory and cultural pressures are widening the risk landscape. But if Morton’s observation that risks are becoming more human-centric within law firms is true, it is likely a plethora of issues will bubble to the surface. One of these links a number of other concerns on the risk register: mental health. ‘One of the big priorities for risk teams this year should be moves to start thinking about risk assessing mental health. There’s been an increase in lawyers being really unwell as a result of work pressure – that’s a big risk,’ says Chilton.

The Mindful Business Charter, created by Barclays’ in-house legal team alongside Pinsents and Addleshaw Goddard, aims to cut down on workplace practices that contribute to stress and poor mental health among lawyers, such as encouraging people to be clear in emails when they need a response if sent outside business hours and not expecting people on holiday to be on call. These may be baby steps, but the direction of travel is clear for risk teams at leading firms: while business continuity, client protection and negligence are vital considerations, the human aspects of what is ultimately a people business continue to be paramount.

LEGAL RISK PROFILE 1: What impact would these situations have on your firm? [bar chart not reproduced]

What is the size of your risk team?* [pie chart not reproduced]

* Average number of individuals involved in each area of risk management either full-time or part-time

LEGAL RISK PROFILE 2: What is the potential for these situations occurring at your firm? [bar chart not reproduced]

In your opinion, what are the biggest underlying causes of professional malpractice claims? [bar chart not reproduced]

LEGAL RISK PROFILE 3: What is the potential of these professional negligence situations occurring at your firm? [bar chart not reproduced]

Average total insurance cover [bar chart not reproduced]

What are the main barriers to implementing a risk management culture and structure at your firm? (Selected comments)

LB100 top 25:

Bandwidth – too many new regs which are far too complicated to properly educate our people on and for them to remember/understand

Sheer complexity of different levels and types of regulation – always changing


Inexperienced staff not realising the importance of risk management

Telling a lawyer what they are doing is incurring risk is conceptually hard to get across


Getting board to realise that it’s not just about compliance and regulatory risk

Challenges of recruiting strong compliance candidates from the market

The size of the firm makes it difficult to educate everyone quickly and ensure they stay up to date with the change

Laterals not buying into the culture

Making risk register meaningful and not just a spreadsheet exercise


Fee-earner time required to comply with risk management procedures

Updating IT systems

Time and cost. No third

Ever-increasing regulatory requirements/shifting goalposts

Clients’ occasional reaction that certain elements such as AML procedures and/or conflict/confidentiality guidelines fail to match commercial necessities

Over 100:

Convincing staff there is a real risk

Cultural expectations

Business appetite in a low-risk firm

Local environment generally repugnant to complying with ethical rules

Understanding/accepting risk management methodology (stuck in the ‘never will happen’)

What part of the new regulatory framework causes you the most concern? (selected comments)

LB100 top 25:

The change in criteria for what you have to report – the lowering in the threshold along with the change in the burden of proof

It’s not very comprehensive

Extent of regulatory control of business

The interest of the regulator in the activities of individuals when they are not at work

Lack of prescription from the SRA, eg removal of indicative behaviours


The speed of change and the lack of uncertainty with Brexit

Its lack of detail and clarity; rules are better than principles

The requirement to report any matter which might be capable of amounting to a serious breach

The breadth and depth of the enforcement strategy

Foreign exchange control rules


The stupid exam the SRA is insisting on introducing

Split rules

AML new requirements

A general simplification. This has a proven track record of being unsuccessful, for instance within the financial services industry and resurrection of the occupational pension transfers of the 1980s/1990s following from pensions simplification

Over 100:

Understanding the depth required in a risk assessment

Payment procedures under the exchange control regulation

The ad hoc risk outcomes-led nature of the framework, we strongly preferred a clear set of rules with worked examples, so everyone knew where they stood

In a handful of words, sum up your view of the new regulatory framework (selected comments)

LB100 top 25:

Depends on enforcement approach

More emphasis on conduct outside work

More work for risk lawyers

Not clear enough

More regulation, less guidance


Will it make a difference?

Too much room for interpretation

Comprehensive and straightforward

Wrestling jelly in a string bag

Challenging and uncertain


Closer to being fit for purpose

Ill-conceived, simplistic, misdirected

Burdensome, moving target, risky

Not an issue

Change without significant improvement

Over 100:

Finally catching up to other jurisdictions

Positive but more detail needed

Otiose, confusing, unhelpful and vague

It will increase the standards in terms of AML procedures within law firms
