LexisNexis GLP Index: risk and compliance

Will demand for risk and compliance expertise grow, decline or simply stay the same in 2023?

The LexisNexis GLP Index pulls together the latest datapoints to provide some powerful predictions on the future of risk and compliance law.

Risk and compliance law in 2023

Demand for risk and compliance law has skyrocketed in the last decade or so - with all new risks, regulations and sanctions requiring subject matter experts to navigate these tumultuous terrains.

In recent years demand has been driven by an ongoing onslaught of cyber attacks, the introduction of hefty data protection regulations, the risks associated with working from home, and new sanctions evolving out of Russia's invasion of Ukraine.

These changes and more have generated waves of work for those operating in the risk and compliance space, particularly for those who specialise in practising the law.

While demand has bounced back and forth in the last few years, the LexisNexis GLP Index - which analyses historic data - forecasts growth in demand for 2023 as a whole.

This report captures a handful of the many trends driving change across risk and compliance - we hope it adds value to lawyers and risk and compliance experts alike.

Dylan Brown
Content Lead, LexisNexis

Overview of GLP findings

Despite some noticeable peaks and troughs, demand for risk and compliance legal expertise is relatively stable - and predicted to increase in 2023.

That's according to the latest GLP Index, which pulls from hundreds of datapoints to predict demand for legal expertise across multiple practice areas.

The GLP Index shows demand for risk and compliance law has bounced up and down quite noticeably in recent years - although numbers hint at overall stability for the practice area.

In 2017, demand for risk and compliance expertise grew by a whopping 50% when compared to the previous year. This surge was no doubt brought on to some extent by the new General Data Protection Regulation (GDPR), which came into effect in the UK in May, 2018, and required a complete overhaul of marketing, sales, product and customer service processes for most businesses.

A similar surge in demand can be seen in 2020, with the COVID-19 pandemic causing a 37% spike compared to the previous year. The pandemic caused widespread disruption and change across the board - perhaps one of the most obvious being people working from home, which poses a number of security risks.

2022 also saw a smaller spike in demand, with a 6% growth. This can no doubt be attributed - at least in part - to the sanctions brought about by Russia's invasion of Ukraine.

Growth is expected to continue in 2023, with demand anticipated to grow by 7% when compared to the year prior.

Scroll down for in-depth research and analysis on the key trends driving change across risk and compliance law.

Risk and compliance law is predicted to generate 7% more work in 2023 than in 2022

Cyber security continues to cause disruption

One of the biggest risks dominating the R&C space right now is cyber security - while attacks are often easily avoidable, more than a third of businesses are still falling foul of breaches or attacks.

According to the Department of Digital, Culture, Media and Sport (DCMS), 2022 saw 39% of UK businesses identify a cyber attack in the last 12 months. However, the report also suggested that less cyber mature organisations could be unaware of attacks and under-reporting - so this percentage could be considerably higher.

Allison Wooddisse, the head of In-house, Compliance and Practice Management at LexisNexis, says phishing remains the leading cause of cybersecurity breaches.

"It’s estimated that up to 80% of cybersecurity breaches could be prevented by implementing basic good practices - phishing only works if someone is hoodwinked by a scam email."

The average estimated cost of all cyber attacks in the last 12 months sits at £4,200 - according to the DCMS, and climbs to £19,400 when considering medium and large businesses. However, other studies estimate the true costs to be much higher. A 2020 study by IBM found the average total cost of malicious cyber attacks globally sits at $4.27m (although this is of mostly larger companies) while Consultancy.eu reports that the average cost of cybercrime in Europe has risen to $57,000 (€50,000) per incident.

Your staff are your biggest risk and your first line of defence, says Wooddisse, who previously worked as a partner at Shoosmiths.

"Train, educate and reinforce, reinforce, reinforce. Phishing simulator products will engender a culture of constant vigilance. One of the most common mistakes is forgetting the simple stuff, technical measures such as firewalls, enforced password hygiene, software patching and deleting dormant user accounts."

Around four in five (82%) of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority, according to DCMS - a significant increase on 77% in 2021.

But despite the growing awareness of this threat, as the ICO observed when imposing a £4.4m fine, the biggest cyber risk is complacency, not hackers.

From a legal perspective, check whether your supplier due diligence is up to date, Wooddisse recommends.

"Do you know what cybersecurity measures your suppliers implement and what contractual notification or liability clauses are in place?"

Wooddisse was also quick to stress the importance of thinking about how you'd respond to a cyber security breach now rather than later.

"You need to have a written plan up your sleeve, so you can focus your attention on dealing with the cyber breach calmly. Make sure your organisation has thought about cyber security insurance, review exclusion clauses and be clear on the claims notification procedure. Assess the overlap and potential coverage gaps between your cyber security insurance and any other insurance you may have, such as crime insurance or professional indemnity insurance."

If a cybersecurity breach happens, your DPO should decide whether to notify the ICO and any affected people, says Wooddisse. "The DPO may need some legal input from you. You will also need to review your contracts to see whether you have to inform customers or suppliers in any event."

The percentage of businesses suffering cyber attacks remains steady - but some fear under-reporting

Avoid unnecessary data protection risks

LexisNexis has a range of tools, templates and guidance that can help you in its Cybersecurity topic.

Take a look at our:
- Cybercrime risk assessment
- Information and cybersecurity questionnaire
- Cybercrime prevention strategy and incident management plan
- Cybersecurity training materials.

Putting a data breach strategy in place

LexisNexis has a range of tools, templates and guidance that can help you in its Cybersecurity topic and its Data breach topic.

Take a look at our:
- Guide on how to manage a personal data breach  
- Practical guide to cyber insurance
- Data breach panic sheet
- Data breach plan
- Cybercrime prevention strategy and incident management plan.

Data protection fines are back in full force

Organisations may worry most about external cyber threats, but according to the Information Commissioner's Office (ICO) Data security trends report, the greatest cause of data security breaches is human error - emails, letters and faxes sent to the wrong person, unauthorised access, loss and theft of paperwork or IT equipment or (that old chestnut) data left in an unsecured location.

"Technical solutions can minimise the risk," says Wooddisse, "such as disabling email address auto completion, although this won’t help your productivity. Putting letters into the wrong envelope can be avoided by simply using windowed envelopes. Boring but effective. As always, educating your staff is key to managing data security risks."

In 2022, we saw a comparatively high 22 new enforcement notices issued by the ICO - only slightly behind 2016's 23 notices. Last year we also saw 35 new monetary penalties issued totaling over £16m. However, this pales in comparison to 2020, which ended with more than £40m in fines - one reaching over £20m and another over £18m.

A major data protection risk stems from direct marketing activities. The practice underwent a major transformation with the introduction of the General Data Protection Regulation (GDPR) back in 2018, but many are still getting stung with costly fines.

The ICO’s news page is littered with eye-watering fines for breaches of the direct marketing data protection regime, says Wooddisse.

"It isn’t just rogue claims management companies that fall foul of the rules. No company is too big or too small to be penalised and fines often run into six-figure sums—sometimes seven figures."

According to Wooddisse, some of the most common mistakes are:

  • failing to identify the correct lawful ground for processing under the UK GDPR
  • not being upfront with people about what you intend to do with their data
  • failing to screen against external ‘Do not contact’ registers such as the Telephone Preference Service (as well as internal suppression lists)
  • not understanding how soft opt-in works for electronic direct marketing.

 "The direct marketing regime is a tangled web of complexity and some of these failures are understandable," she says. "However, when they’re combined with aggressive sales tactics, you can expect to incur the full wrath of the regulator."

The ICO has published dedicated Direct marketing guidance and resources, making its intention very clear, says Wooddisse, ignore the warning signs at your peril.

How to hone your information security policies

Our Information security subtopic contains a wide range of guidance and tools, including Information security policy, Clear desk and screen policy, Password policy, various awareness campaigns and training materials

The do's and don'ts of direct marketing campaigns

The LexisNexis Direct marketing subtopic explains How to handle personal data for direct marketing and includes Decision trees, helping you to understand what is allowed for different types of direct marketing campaigns.

Financial sanctions soared in 2022

Another major trend impacting risk and compliance law is the financial sanctions placed on 1,300 Russian individuals and organisations as a result of Russia's invasion of Ukraine.

Financial sanctions are measures aimed at encouraging a change in the behaviour of a particular country or regime and are often employed where international peace and security has been threatened, says Laura Spooner, In-house, Risk & Compliance Specialist at LexisNexis.

"In practical terms, they prevent businesses from carrying out transactions for, or providing specified services to or on behalf of, an individual or organisation designated by the government under a financial sanctions regime." 

All businesses in all sectors must comply with financial sanctions measures, says Spooner, who prior to joining LexisNexis, was Risk & Compliance Manager at Collyer-Bristow LLP, where she established the firm's R&C function.

"This isn’t a new ‘thing’, but the Ukraine conflict has sharpened the focus for businesses. In 2022 we saw 17 sets of amending regulations relating to Russia sanctions alone, and almost 50 general licences were issued by HM Treasury, compared to just a handful issued before the Ukraine conflict."

Financial sanctions compliance is hard, says Spooner, as international regimes are broad, complex, overlapping and rapidly evolving and there are severe penalties for non-compliance. 

"Determining beneficial ownership, staying on top of lists of sanctioned targets, dealing with licences and breaches, and managing customer-supplier relationships all require specialist resources."

The trickiest bit, particularly in a fast-paced situation such as the Ukraine conflict, is keeping up-to-date, says Spooner, and it’s imperative that businesses do. 

Stay on top of new financial sanctions

The LexisNexis Financial sanctions page provides practical guidance and tools on financial sanctions and key materials on compliance. You can also read the Financial sanctions compliance resources, which provides a summary of and links to financial sanctions resources intended to support organisations in complying with Financial sanctions policy. For Russia sanctions in particular, see our trackers: Conflict in Ukraine—UK sanctions tracker, OFSI General Licence tracker, and Conflict in Ukraine news & analysis—tracker.

Useful risk and compliance resources

Cybersecurity

Tools, templates and guidance that can help hone your cyber security strategy.

Information security

Access a wide range of information security guidance and tools.

Financial sanctions

A summary of financial sanctions resources to support compliance.

Wanting to increase the productivity of your legal team?

A University of Manchester study found:
Lawyers using Lexis+ for legal research and guidance save...

8 minutes and 41 seconds

on average per legal task

1 hour and 41 minutes

on average over the course of a day *based on the average lawyer working day of 10 hour and 18 minutes

8 hours and 28 minutes

on average over the course of a week *based on the average lawyer working day of 10 hour and 18 minutes