UK Law Firms Remain in Cyber Criminals’ Crosshairs

Cybercrime is a global threat to organisations and the risk it poses cannot be ignored given society’s dependence upon technology.

There is not a day that passes without a news report of individuals or organisations falling victim to a cyber-attack. Through 2019, law firms in particular will remain a target because of their organisational makeup and the client data and money they hold. Joanne Cracknell, legal PI specialist and Divisional Director in the FINEX Global team at Willis Towers Watson, explains what to look out for and how vigilance can help to better protect your firm.

The impact of cybercrime on law firms has escalated and is of growing concern to members of the profession, to regulators and to those who insure firms against professional indemnity risks. Over the past 12 months the General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) and the Data Protection Act 2018 have displaced cybercrime at the top of risk managers' action lists.

Although cybercrime is not a new crime, it is a relatively new issue for the legal profession. The SRA first recognised cybercrime as a threat to law firms in its 2014 Risk Outlook publications[1]. By July 2018 it was categorised as a priority risk in its own right[2], rather than featuring as one part of information security risk. In addition, the National Cyber Security Centre (NCSC) recognised the threat of cybercrime to law firms and published a specific report on the legal sector in July 2018.

Why law firms will remain a prime target

Cyber criminals have seized the opportunities presented by the exponential growth in the use of technology, including within the legal profession: an industry that routinely processes confidential and sensitive client data and has access to vast sums of client money. Both are extremely valuable commodities to criminals, so it is no surprise that the profession is a prime target, with firms falling victim to scams, supply chain compromise, fraud, theft of client money, and unauthorised access to client information and third-party data stores.

Whilst cyber vulnerabilities are prevalent, what matters is how they are managed and how the impact of such risks is quantified. Cyber risk must be treated as a core business concern, and a culture of education and awareness about cybercrime and data protection should be a priority within law firms, because it helps the firm identify, monitor and manage the threat.

The consequences suffered by a law firm following a cyber-attack could be catastrophic and may result in:

  • Theft of client monies and assets
  • Breaches of confidential and sensitive information
  • Structural and financial instability
  • Disruption in business continuity
  • Reputational damage
  • Damage to IT infrastructure
  • Loss of clients

These consequences were observed when the international law firm DLA Piper very publicly fell victim, along with many other companies, to the large-scale NotPetya attack in June 2017. NotPetya presented as ransomware but was in practice destructive, with no working mechanism for recovering the encrypted data, and it caused a significant interruption to the firm's business and operations.

The offshore law firm Mossack Fonseca announced in March 2018 that it was closing, citing irreversible economic and reputational damage from the Panama Papers incident of April 2016, in which more than 11.5 million documents were leaked, exposing sensitive information about the firm's wealthy clients and clients holding public office. Similarly, in October 2017 it emerged that another offshore law firm, Appleby, had suffered a catastrophic data breach, which became known as the Paradise Papers and exposed the names and financial information of high-profile and high-net-worth clients.

These high-profile attacks, and the year-on-year increase in cyber-attacks reported to the SRA and the Information Commissioner's Office (ICO), highlight how vulnerable the legal profession is to cybercrime. The common cybercrimes and scams that continue to affect law firms include:

  • Email Modification Fraud, Business Email Compromise (BEC)

The SRA considers this to be the most frequently used method of cyber-attack against the legal profession. Cyber criminals intercept or falsify emails between clients and law firms, replacing the genuine bank details with those of an account the criminal controls, so that money sent in reliance on the email is stolen. A common BEC variant experienced by the profession is 'CEO fraud': criminals impersonate a senior partner or finance director, typically by spoofing that individual's email address or display name, in an attempt to get a junior member of staff to transfer money to the account named in the email. Because the email itself is the thing that has been tampered with, any change of payee details should be confirmed by telephone on a number already held on file, never one taken from the email.

  • Phishing, Smishing and Vishing

This method involves criminals sending emails (phishing) or text messages (smishing), or making telephone calls (vishing), in order to obtain confidential information such as passwords, bank details or other sensitive data, or to trick the recipient into downloading malicious software (malware) onto the firm's systems.

  • Ransomware

We have seen the effect ransomware attacks can have on organisations from the WannaCry attack that hit the NHS in May 2017. Data is 'taken hostage' by malicious software that infiltrates IT systems and encrypts it, and the criminals demand a ransom to release it. However, paying the ransom does not guarantee that access to the data or devices will be restored, and the firm still has to assess whether the incident is a reportable personal data breach.
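As an added illustration of the Email Modification Fraud / BEC pattern described above (example code written for this article, not tooling from the SRA, the NCSC or Willis Towers Watson), the Python script below screens an inbound email for the indicators the section describes: a senior partner's display name on an address outside the firm, a look-alike sending domain, a Reply-To that points elsewhere, wording that announces a change of bank details, and account details in the body that differ from the record taken at matter opening. The firm domain, staff names, payee record and both sample messages are constructed for the example.

```python
"""Screening an inbound e-mail for the BEC indicators described above.

Constructed example for this article, not tooling from the SRA, the NCSC or
Willis Towers Watson. The firm domain, staff names, payee record and sample
messages are all hypothetical."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.co.uk"           # hypothetical firm domain
SENIOR_STAFF = {"Jane Smith", "Tom Jones"}  # hypothetical partner / FD names
# Hypothetical payee record, taken at matter opening and verified by phone.
KNOWN_PAYEES = {"acme-conveyancing": {"sort": "12-34-56", "account": "12345678"}}

SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
ACCOUNT_NO = re.compile(r"\b\d{8}\b")
# "new ... bank", "updated ... account", "changed ... sort code" within 40 chars
CHANGE_WORDS = re.compile(
    r"\b(new|updated|changed|different)\b.{0,40}\b(bank|account|sort code)\b",
    re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw, payee=None):
    """Return a list of findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    dom = domain_of(addr)
    # 1. A senior partner's display name on an address outside the firm.
    if name in SENIOR_STAFF and dom != FIRM_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {dom}")
    # 2. A sending domain one or two characters away from the firm's own.
    if dom and dom != FIRM_DOMAIN and edit_distance(dom, FIRM_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {dom}")
    # 3. Replies silently redirected to a different domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {dom}")
    # 4. Body announces a change of bank details.
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    if CHANGE_WORDS.search(text):
        findings.append("body announces a change of bank details")
    # 5. Bank details in the body do not match the record held for this payee.
    if payee in KNOWN_PAYEES:
        good = KNOWN_PAYEES[payee]
        sorts, accts = set(SORT_CODE.findall(text)), set(ACCOUNT_NO.findall(text))
        if (sorts and good["sort"] not in sorts) or (accts and good["account"] not in accts):
            findings.append(f"bank details in body do not match the record for {payee}")
    return findings


# Constructed sample messages (hypothetical addresses and account details).
SPOOFED = """\
From: Jane Smith <jane.smith@examp1e-law.co.uk>
Reply-To: accounts@mail-relay.example.net
To: trainee@example-law.co.uk
Subject: Urgent: completion funds
Content-Type: text/plain; charset="utf-8"

Please note the client's new bank account for completion: sort code 65-43-21,
account 87654321. Send today, I am in meetings all afternoon.
"""

GENUINE = """\
From: Acme Conveyancing <accounts@acme-conveyancing.example>
To: trainee@example-law.co.uk
Subject: Completion statement
Content-Type: text/plain; charset="utf-8"

Completion funds to our usual account: sort code 12-34-56, account 12345678.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, screen(raw, payee="acme-conveyancing") or ["no findings"])
```

A screen like this is a net, not a control: it catches the clumsy cases, but a criminal who has compromised the client's genuine mailbox sends from the real address with none of the header anomalies above, and only the payee-record comparison and the telephone call-back on a number already held on file will stop that payment.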

In addition, if a law firm falls victim to a cyber-attack there is a risk of an increase in complaints or claims from clients. This may have a financial impact on the firm because of the time spent dealing with them, and professional indemnity insurance premiums may rise as a result of any claim. Whether a claim is borne by the professional indemnity policy, often as 'silent cyber' cover that the policy never expressly contemplated, or by a separate cyber insurance policy depends on the cover the firm has in place.

How to minimise the threat of cyber exposure in 2019

It is essential that law firms comply with their regulatory and legislative obligations, but they should aspire to best practice rather than mere compliance. Technological controls are important but not sufficient. Cyber risk has to be addressed holistically, from governance and culture through to controls and risk transfer.

Cybersecurity is a business issue that is here to stay and should be an integral feature of business strategies, objectives and budgets. Law firms need to understand what information they hold on their IT systems and decide how to maintain the confidentiality, integrity and availability of those assets.

The legal profession has a duty to keep clients' affairs confidential and to keep any money and assets entrusted to the firm secure. Effective measures must be implemented to prevent confidential information from being disclosed. The GDPR reinforces this obligation with the duty to report personal data breaches to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

Cybercrime (and wider cyber risk) needs to be factored into law firms' risk management strategies and business continuity measures, especially as the profession is highly dependent on its IT infrastructure. If systems fail as a result of an attack, the result may be significant disruption to the business and to client service, as well as the loss of confidential client information or money.

The SRA reports that over £11 million of client money was stolen through cybercrime in 2016-17[3]. Any shortfall in a client account exposes clients and others to financial loss and damages public confidence in the profession. Under the SRA Accounts Rules 2011 a firm must replace any shortfall in its client account without delay.

By implementing effective policies and procedures to deal with cybercrime and creating a culture of cybersecurity awareness, law firms will be establishing strong foundations to minimise their exposure to cybercrime and the threats that stem from cyber security failures.

Joanne Cracknell

Legal Professional Indemnity

www.willistowerswatson.com

Willis Towers Watson (NASDAQ: WLTW) is a leading global advisory, broking and solutions company that helps clients around the world turn risk into a path for growth. With roots dating to 1828, Willis Towers Watson has 45,000 employees serving more than 140 countries and markets.

[1] Solicitors Regulation Authority. (2014). Risk Outlook Spring Update 2014. Retrieved from the Solicitors Regulation Authority website https://www.sra.org.uk/…/risk-outlook-spring-2014-update.pdf

[2] Solicitors Regulation Authority. (2018). Risk Outlook 2018/2019. Retrieved from the Solicitors Regulation Authority website http://www.sra.org.uk/risk/outlook/risk-outlook-2018-2019.page

[3] Solicitors Regulation Authority. (2017). Public and law firm money at risk as regulator reports cyber theft at peak levels. Retrieved from the Solicitors Regulation Authority website https://www.sra.org.uk/sra/news/press/risk-outlook-2017.page
