ÀÏ˾»úÎçÒ¹¸£Àû

Will demand for risk and compliance expertise grow, decline or simply stay the same in 2023?

The ÀÏ˾»úÎçÒ¹¸£Àû GLP Index pulls together the latest datapoints to provide some powerful predictions on the future of risk and compliance law.

Despite some noticeable peaks and troughs, demand for risk and compliance legal expertise is relatively stable - and predicted to increase in 2023.

That's according to the latest GLP Index, which pulls from hundreds of datapoints to predict demand for legal expertise across multiple practice areas.

The GLP Index shows demand for risk and compliance law has bounced up and down quite noticeably in recent years - although numbers hint at overall stability for the practice area.

In 2017, demand for risk and compliance expertise grew by a whopping 50% when compared to the previous year. This surge was no doubt brought on to some extent by the new General Data Protection Regulation (GDPR), which came into effect in the UK in May, 2018, and required a complete overhaul of marketing, sales, product and customer service processes for most businesses.

A similar surge in demand can be seen in 2020, with the COVID-19 pandemic causing a 37% spike compared to the previous year. The pandemic caused widespread disruption and change across the board - perhaps one of the most obvious being people working from home, which poses a number of security risks.

2022 also saw a smaller spike in demand, with a 6% growth. This can no doubt be attributed - at least in part - to the sanctions brought about by Russia's invasion of Ukraine.

Growth is expected to continue in 2023, with demand anticipated to grow by 7% when compared to the year prior.

Scroll down for in-depth research and analysis on the key trends driving change across risk and compliance law.

Risk and compliance law is predicted to generate 7% more work in 2023 than in 2022

One of the biggest risks dominating the R&C space right now is cyber security - while attacks are often easily avoidable, more than a third of businesses are still falling foul of breaches or attacks.

According to the , 2022 saw 39% of UK businesses identify a cyber attack in the last 12 months. However, the report also suggested that less cyber mature organisations could be unaware of attacks and under-reporting - so this percentage could be considerably higher.

Allison Wooddisse, the head of In-house, Compliance and Practice Management at ÀÏ˾»úÎçÒ¹¸£Àû, says phishing remains the leading cause of cybersecurity breaches.

"It’s estimated that up to 80% of cybersecurity breaches could be prevented by implementing basic good practices - phishing only works if someone is hoodwinked by a scam email."

The average estimated cost of all cyber attacks in the last 12 months sits at £4,200 - according to the DCMS, and climbs to £19,400 when considering medium and large businesses. However, other studies estimate the true costs to be much higher. A 2020 study by IBM found the average total cost of malicious cyber attacks globally sits at $4.27m (although this is of mostly larger companies) while Consultancy.eu reports that the average cost of cybercrime in Europe has risen to $57,000 (€50,000) per incident.

Your staff are your biggest risk and your first line of defence, says Wooddisse, who previously worked as a partner at Shoosmiths.

"Train, educate and reinforce, reinforce, reinforce. Phishing simulator products will engender a culture of constant vigilance. One of the most common mistakes is forgetting the simple stuff, technical measures such as firewalls, enforced password hygiene, software patching and deleting dormant user accounts."

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, according to DCMS - a significant increase on 77% in 2021.

But despite the growing awareness of this threat, as the ICO observed when imposing a £4.4m fine, the biggest cyber risk is complacency, not hackers.

From a legal perspective, check whether your supplier due diligence is up to date, Wooddisse recommends.

"Do you know what cybersecurity measures your suppliers implement and what contractual notification or liability clauses are in place?"

Wooddisse was also quick to stress the importance of thinking about how you'd respond to a cyber security breach now rather than later.

"You need to have a written plan up your sleeve, so you can focus your attention on dealing with the cyber breach calmly. Make sure your organisation has thought about cyber security insurance, review exclusion clauses and be clear on the claims notification procedure. Assess the overlap and potential coverage gaps between your cyber security insurance and any other insurance you may have, such as crime insurance or professional indemnity insurance."

If a cybersecurity breach happens, your DPO should decide whether to notify the ICO and any affected people, says Wooddisse. "The DPO may need some legal input from you. You will also need to review your contracts to see whether you have to inform customers or suppliers in any event."

The percentage of businesses suffering cyber attacks remains steady - but some fear under-reporting

Avoid unnecessary data protection risks

ÀÏ˾»úÎçÒ¹¸£Àû has a range of tools, templates and guidance that can help you in its Cybersecurity topic.

Take a look at our:
- Cybercrime risk assessment
- Information and cybersecurity questionnaire
Cybercrime prevention strategy and incident management plan
Cybersecurity training materials.

Putting a data breach strategy in place

ÀÏ˾»úÎçÒ¹¸£Àû has a range of tools, templates and guidance that can help you in its Cybersecurity topic and its topic.

Take a look at our:
- Guide on how to manage a personal data breach  
- Practical guide to cyber insurance
Data breach panic sheet
- Data breach plan
- Cybercrime prevention strategy and incident management plan.

Organisations may worry most about external cyber threats, but according to the Information Commissioner's Office (ICO) , the greatest cause of data security breaches is human error - emails, letters and faxes sent to the wrong person, unauthorised access, loss and theft of paperwork or IT equipment or (that old chestnut) data left in an unsecured location.

"Technical solutions can minimise the risk," says Wooddisse, "such as disabling email address auto completion, although this won’t help your productivity. Putting letters into the wrong envelope can be avoided by simply using windowed envelopes. Boring but effective. As always, educating your staff is key to managing data security risks."

In 2022, we saw a comparatively high 22 new enforcement notices issued by the ICO - only slightly behind 2016's 23 notices. Last year we also saw 35 new monetary penalties issued totaling over £16m. However, this pales in comparison to 2020, which ended with more than £40m in fines - one reaching over £20m and another over £18m.

A major data protection risk stems from direct marketing activities. The practice underwent a major transformation with the introduction of the General Data Protection Regulation (GDPR) back in 2018, but many are still getting stung with costly fines.

The is littered with eye-watering fines for breaches of the direct marketing data protection regime, says Wooddisse.

"It isn’t just rogue claims management companies that fall foul of the rules. No company is too big or too small to be penalised and fines often run into six-figure sums—sometimes seven figures."

According to Wooddisse, some of the most common mistakes are:

• failing to identify the correct lawful ground for processing under the UK GDPR
• not being upfront with people about what you intend to do with their data
• failing to screen against external ‘Do not contact’ registers such as the Telephone Preference Service (as well as internal suppression lists)
• not understanding how soft opt-in works for electronic direct marketing.

 "The direct marketing regime is a tangled web of complexity and some of these failures are understandable," she says. "However, when they’re combined with aggressive sales tactics, you can expect to incur the full wrath of the regulator."

The ICO has published dedicated , making its intention very clear, says Wooddisse, ignore the warning signs at your peril.

How to hone your information security policies

Our nformation security subtopic contains a wide range of guidance and tools, including Information security policy, Clear desk and screen policy, Password policy, various awareness campaigns and training materials

The do's and don'ts of direct marketing campaigns

The ÀÏ˾»úÎçÒ¹¸£Àû Direct marketing subtopic explains How to handle personal data for direct marketing and includes Decision trees, helping you to understand what is allowed for different types of direct marketing campaigns.

Another major trend impacting risk and compliance law is the financial sanctions placed on 1,300 Russian individuals and organisations as a result of Russia's invasion of Ukraine.

Financial sanctions are measures aimed at encouraging a change in the behaviour of a particular country or regime and are often employed where international peace and security has been threatened, says Laura Spooner, In-house, Risk & Compliance Specialist at ÀÏ˾»úÎçÒ¹¸£Àû.

"In practical terms, they prevent businesses from carrying out transactions for, or providing specified services to or on behalf of, an individual or organisation designated by the government under a financial sanctions regime." 

All businesses in all sectors must comply with financial sanctions measures, says Spooner, who prior to joining ÀÏ˾»úÎçÒ¹¸£Àû, was Risk & Compliance Manager at Collyer-Bristow LLP, where she established the firm's R&C function.

"This isn’t a new ‘thing’, but the Ukraine conflict has sharpened the focus for businesses. In 2022 we saw 17 sets of amending regulations relating to Russia sanctions alone, and almost 50 general licences were issued by HM Treasury, compared to just a handful issued before the Ukraine conflict."

Financial sanctions compliance is hard, says Spooner, as international regimes are broad, complex, overlapping and rapidly evolving and there are severe penalties for non-compliance. 

"Determining beneficial ownership, staying on top of lists of sanctioned targets, dealing with licences and breaches, and managing customer-supplier relationships all require specialist resources."

The trickiest bit, particularly in a fast-paced situation such as the Ukraine conflict, is keeping up-to-date, says Spooner, and it’s imperative that businesses do. 

Stay on top of new financial sanctions

The ÀÏ˾»úÎçÒ¹¸£Àû Financial sanctions page provides practical guidance and tools on financial sanctions and key materials on compliance. You can also read the Financial sanctions compliance resources, which provides a summary of and links to financial sanctions resources intended to support organisations in complying with Financial sanctions policy. For Russia sanctions in particular, see our trackers: Conflict in Ukraine—UK sanctions tracker, OFSI General Licence tracker, and Conflict in Ukraine news & analysis—tracker.