According to PwC’s UK Law Firms’ Survey 2024, ninety per cent of the top 100 firms consider poor cybersecurity the greatest risk to their growth ambitions in the next two years. But the risk landscape extends further than that. ‘The combination of technological acceleration, geopolitical instability, and increasing societal pressure means firms need to rethink what resilience means in this time,’ says Gerwin Naber, specialist in Resilience and Crisis Management at PwC.
‘The traditional image of risk management is no longer adequate’
Cyber risks, geopolitical risks, ethics, compliance, technology: many of the new lurking dangers are intertwined in a complex manner. According to Rik Blokhuis, Assurance Partner at PwC and chairman of the Business Services sector group, the traditional concept of risk management as merely a checklist is now inadequate. ‘We see that the most resilient firms do not necessarily have the most rules, but rather the clearest vision of what responsibility and trust mean to them.’
‘When confidentiality is under pressure, everything is under pressure’
Cybersecurity remains the biggest concern for law firms. This isn’t surprising, as ransomware attacks are becoming more sophisticated, often infiltrating via third parties and directly threatening the core of legal work. ‘Confidentiality is the heart of every law firm. When that is under pressure, everything is under pressure,’ says Naber. The human element of cyber risk is evident from the fact that all the top 10 firms have faced incidents caused by phishing or human error. Yet, a third of large firms did not conduct any crisis exercise with senior management in the past year.
‘The chain of safety is only as strong as its weakest link’
A vivid analogy: a chain is only as strong as its weakest link, and for law firms, this often refers to the suppliers and partners they work with. Nearly half of the top 50 firms reported encountering an attack through third parties. Blokhuis: ‘We advise firms to scrutinise the resilience of their entire ecosystem. This means not only their own IT systems but also those of service providers, data centres, and external consultants. What measures are in place if something goes wrong there?’
Not only cybercrime but also geopolitical pressure presents strategic dilemmas for firms. The survey shows that 54 per cent of firms are concerned about geopolitical instability, a significant increase from last year. Conflicts in the Middle East, the war in Ukraine, and tensions between the US and China have a direct impact on the position of international firms. In the United States, this pressure is also felt legally. Large firms that defended opponents of the Trump administration faced political backlash, reputational damage, and even legal threats. ‘It shows how legal work can come under pressure due to political interests,’ says Naber. ‘And how important it is for firms to structurally test their independence, position, and client policy on integrity and risk.’ Increasingly, firms are reconsidering their international strategy, including through risk-based evaluations of their offices and client portfolio.
‘Resilience requires a moral compass and courage’
Resilience for law firms is not merely an IT project or a compliance checkbox exercise. It requires a fundamental shift in attitude and culture. ‘A firm that wishes to be robust in times of crisis must also be vigilant during peaceful periods,’ says Blokhuis. ‘This means leaders leading by example, people being trained in risk awareness, and fostering a culture where mistakes can be openly discussed.’
Effective risk management starts with a well-supported understanding of what risks represent for the organisation, its clients, and society. Naber: ‘Resilience requires more than a manual. It requires a moral compass, courage, and forward-thinking.’
Technological developments also raise new questions. Generative AI, for example, offers opportunities for productivity, but also raises concerns about bias, data leaks, and the reliability of outcomes. ‘Many firms struggle with the question: how do we responsibly utilise this technology? That requires clear guidelines, governance, and ethical frameworks. The same principles that apply to Responsible AI also apply to resilient organisations: transparency, explainability, reliability,’ says Blokhuis.
What can law firms do to strengthen their resilience? Blokhuis and Naber mention six concrete steps:
Building resilience requires investments in systems, people, and structures. But above all, it requires a decision: to take responsibility, to face risks, and to take the role as a legal beacon in an uncertain world very seriously. Naber: ‘Resilient firms don’t just think about what they need to protect, but more importantly, about what they want to stand for. That makes all the difference.’