"There is a huge criminal cyber threat to law firms," says Steve Hill, former deputy director in the UK government's National Security Secretariat, where he dealt with cyber security. "The hackers perpetrating these types of attacks will not be teenage boys – they are criminal gangs set up to exploit law firms for sensitive data or lock people out of the data in return for a ransom."

Hill, now a visiting senior fellow at King's College London University, was closely involved in the UK government's cyber security policy in his previous role, and his comments highlight growing concerns around the vulnerability of personal and valuable data to cyber threats such as the recent WannaCry ransomware attack.

The attack, which targeted NHS computers and many more IT systems around the world, illustrates how sensitive data can and will be compromised if a company's cyber security is not up to par.

In May 2018, the General Data Protection Regulation (GDPR) will come into effect, harmonising data privacy laws across Europe and exposing organisations that do not comply to heavy fines. The GDPR and its complementary directive, the Network and Information Security Directive (NISD), will help with efforts to ensure companies are compliant with the new cyber protocols, in turn making them less susceptible to attacks of this nature. The new regulation will radically change how companies must collect, handle, process and store personal data, which can range from HR records to customer contact information.

Aristedes Mahairas, the FBI's special agent in charge of special operations/cyber division of the New York Field Office, says: "There has been a big increase in people trying to penetrate IT systems, who then try to identify the most valuable information, steal that information and find a way to monetise it.

"In the case of law firms, they are housing sensitive information related to M&A, corporate disclosure and intellectual property. That kind of data in the right hands can be easily looked at and traded upon in the market, making them a great target for cybercrime."

The fact that law firms make such a potentially lucrative target for hackers makes the GDPR a double-edged sword. On one hand, law firms need to make sure that they themselves are compliant. Under the GDPR, firms will have to report a cyber breach within 72 hours, and if such a breach is made public, it could be hugely damaging to a law firm's reputation. On the other hand, the new regulation will drive clients to seek legal advice on how to comply with it.


Once the GDPR is brought in, an organisation that is deemed to be in breach of the regulation can be fined up to 4% of its annual global turnover or €20m, whichever is greater. To put that into perspective, a firm such as DLA Piper, with turnover of more than £1.5bn, could face a fine upwards of £60m in the event of a breach. Currently, under UK law the maximum fine that can be doled out to a company for poor data handling or security is £500,000.

Hogan Lovells privacy and cybersecurity partner Eduardo Ustaran says: "Data security and protecting yourself against hacking has always been a legal obligation, but GDPR enhances that and makes it more prescriptive. The overall toughening of data protection obligations will be hugely felt throughout Europe and beyond."

Ahead of the GDPR's introduction, getting their own shop in order is clearly the first priority for law firms. "The first and most obvious thing law firms or businesses need to do is recognise the insider threat. It is tempting to focus on the outsider dynamic, but the major threat is the humans in the company," says Hill. The practice of 'spear phishing' means that company employees can inadvertently become pawns for the hackers by opening convincingly disguised fraudulent emails, which often use information gleaned from social media to add to their credibility. By interacting with these emails, employees can give hackers a window through which to gain access or spread malware.

Hill continues: "There are a plethora of companies out there that can help boost your company's cybersecurity to deal with these kinds of attacks. But if you are a board member, do not delegate this kind of thing to your tech team – see it as a risk management issue, not a tech issue, and take control."

It is worth noting that the GDPR will not just test the strength of a company's cyber defences against hackers. The regulation will bring in a raft of new measures, such as the requirement to notify a breach within 72 hours and to give data subjects more rights to access the data held about them.

One aspect of the new regulation likely to raise concerns is that the reach of the GDPR extends beyond companies situated in the EU, to include any company that handles personal data relating to EU citizens.


However, there is also a positive spin for law firms. Peter Beshar, general counsel of US professional services firm Marsh & McLennan, says: "One of the mindsets for law firms, particularly in Europe, should be to think of the GDPR as both a threat and an opportunity. First, you have to learn enough about it to put reasonable protocols and safeguards in place for your own operations.

"But for corporations like ours and so many others, we are going to need great advice on implementation, liability and managing exposure. So when a major new piece of legislation comes out like this, it is an extraordinary opportunity for law firms to really get ahead of the curve."

Clifford Chance (CC) technology partner Jonathan Kewley adds: "We have a huge amount of US clients that are very concerned about the extraterritorial effect, and that has been under-explored and under-communicated. It effectively ports EU privacy law – which does not exist in the same way at all in the US – into the US, and that is a very significant change.

"The way we see the GDPR, though, is as a great opportunity for clients to perform a due diligence exercise. We have developed a sophisticated gap analysis of the data used, and based on that we developed a traffic-light tool whereby we can let them know what they should be investing in in the next 12 months, and where the key focus areas are."

According to recruiters, a knock-on effect of the new regulation is that data specialist lawyers are currently in high demand. In turn, firms are bolstering what they offer to clients by creating various apps and tailoring advice with the GDPR in mind. Hogan Lovells has just launched a new app, GDPRnow, which provides tailored advice on what organisations need to do to comply, based on their responses to a series of questions. Ustaran, who has played a key role in the development of the app, says: "The purpose of the app is twofold: to make the GDPR a little more accessible for organisations and to demystify the complexities of the regulation, but also to help businesses identify priorities and take action."

The regulation also has implications for M&A lawyers. Under the GDPR, a company's data handling practices will be closely scrutinised during M&A deals to check whether they comply. If a company does not meet these requirements, it could have a huge effect on how attractive the company is to investors or potential acquirers.

The key point lawyers are trying to communicate to their clients is that the wheels should be in motion when it comes to preparing for the regulation. Kewley continues: "If businesses are not thinking about it and putting in preparations now, they are not going to be able to put a sticking plaster over it."

However, it is thought that a good faith effort may mitigate any potential fines, particularly in the early days of the new regime.

CC consumer goods and retail head Dessislava Savova says: "The regulators will be focusing – at least in the beginning – on helping companies to comply with the new regulation. There are some areas in the regulation which are still a bit grey, where the companies need a bit more guidance, and the authorities are conscious of that.

"It will be a collaborative approach at the beginning between the authorities and the market players, provided there is a clear will, and the process has already started. The riskiest position is just to ignore it."