header-logo header-logo

Cracking Cybercrime

05 December 2019 / Veronica Cowan
Issue: 7867 / Categories: Profession , Criminal
printer mail-detail
Veronica Cowan explains why the failure to engage with cyber attack prevention is an unnecessary gamble
  • Critical cyber-care and catching cyber culprits.

The Cyber Security Breaches Survey 2019, released by the Department for Digital, Culture, Media & Sport, found more businesses and charities are taking positive steps to improve their cyber security, partly because under the General Data Protection Regulation 2018 (GDPR) the Information Commissioner can fine firms which do not protect personal data. Nonetheless, cyber attacks pose a persistent threat, and recent attacks on law firms highlight their potential to cyber criminals, with smaller law firms often easy targets. According to the Solicitors Regulation Authority’s (SRA’s) ‘Risk Outlook 2019–20’, law firms lost £731,250 of client money to cybercrime in the first six months of 2019.

The SRA plans to conduct a thematic review next year into the impact of cybercrime on the legal sector, after data revealed at the Compliance Officers Conference in the autumn showed 23 law firms lost over £4m in the last year with insurers paying out over £3.6m to 16 law firms. The data showed some firms did not adequately record and report cyber-attacks, and a number had inadequate policies and controls. One firm failed to follow its own policy, and transferred £400,000 to fraudsters, and repaid the client from the office account. It recovered the money from its insurer, minus a £5,000 policy excess, but had to pay £900 compensation to the client who complained to the Legal Services Ombudsman.

Cracking cyber

The National Cyber Security Centre’s (NCSC’s) first report into the cyber threat to the UK legal sector published last year, reveals that 60% of law firms reported an information security incident in 2018—an increase of almost 20% from the previous 12 months (‘The cyber threat to UK legal sector’, see bit.ly/2PbTZzJ).

Ciaran Martin, its chief executive, notes that law firms are an attractive target for cyber attacks as they hold sensitive client information, handle significant funds, and are a key enabler in commercial and business transactions. The conveyancing sector is a well-known risk, but other areas are affected, too. Matt Webb, Hiscox’s London markets cyber underwriter, notes law firms hold personal information—from tax, probate or personal injury claims, to M&A, patents or other corporate information—adding: ‘Recent trends show increasing attacks on supply chains, and law firms are part of that chain for many companies.’ The NCSC has launched the ‘Legal Sector’ group on the free Cyber Information Sharing Platform, a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment.

Cyber cover

As to cyber insurance cover, the Association of British Insurers (ABI) recently reported that take-up of this by businesses in the UK remains low, so how alert are lawyers to the risks? ‘Law firms are exceptionally alive to the risks associated with cyber attacks and data breaches,’ comments Jane Hunter, executive director and senior vice president of Aon. ‘Brokers have also been raising cyber insurance policies with their law firm clients on a regular basis, identifying compelling reasons why it can be an important part of a firm’s complete risk management strategy,’ Hunter says, adding that finance departments, whose staff have to be alive to impersonation of senior partners in emailed requests for the likes of payments, bank transfers and false invoices, are particularly vulnerable.

Critical cyber care

But are law firms really switched on when it comes to diagnosing and curing cyber risk at their firm, given that research of 100 law firms revealed that 82% didn’t even have the government recommended Cyber Essentials Accreditation. Chris Harris, CEO of the Practical Vision Network, highlights a mis-perception that only conveyancers are affected is one of the problems: ‘Where organisations are targeted with malware and ransomware attacks …the whole firm is affected. One of the biggest growth areas is funds transfer fraud; where criminal organisations infiltrate matters to redirect remittance funds [including] probate funds, personal injury awards, divorce awards, as well as conveyancing funds. The failure to engage with cyber attack prevention is a massive gamble. Cyber criminals know the legal sector is underprepared.’

Legal practices have mandatory levels of professional indemnity insurance, but how about some of the business consequences of cyber attacks? Jennifer Millar, managing director, Aon, comments: ‘We would expect all law firms to be insured for cyber risks to the extent that they cause losses to clients, and for this cover to be included in their professional indemnity policy. Other associated losses, such as regulatory investigations, breach mitigation, such as forensic and public relations advice and breach response, as well as the costs associated with business interruption would more typically be covered through a separate cyber policy.’

The ABI has cited the inability to access raw breach data risks as limiting the potential of the cyber market to price risk more accurately and manage exposure more effectively. According to Harris, professional indemnity insurers have identified cybercrime as a key area of risk for law firms and demand that they scope out their policies and procedures with regard to cyber mitigation, accounting for preparedness in their premiums. He adds: ‘Law firms who fall victim to cybercrime are paying for it. Not only does it have a serious impact on clients’ lives and well-being, but one study found breaches cost the average business £4,180, rising to £22,700 for larger firms.’

Millar says large law firms are insuring against cyber risks, adding: ‘For the smaller firms, the percentage is much lower and this may be because they view coverage for their own first party losses to be a discretionary purchase.’ Yet, small firms are common targets, partly because they don’t have the necessary protections and systems in place.

Security of all data is important to a firm and its clients, given the consequences of its exposure to the wrong party, including the damaging effect on a law firm’s reputation, Hunter observes, adding that certain data might be regarded as being particularly sensitive, including unregistered intellectual property rights, pre-listings information, merger and acquisition data, client contact lists and personal information about staff, or clients. 

Cyber criminal culprits

The monitoring eyes and ears shouldn’t perceive all the threats as emanating from outside the firm, because risks related to individuals represent the largest source of data breach claims. ‘Cyber attacks often emanate from a disgruntled or resentful employee or ex-employee, so monitoring unusual behaviour can be vitally important,’ warns Hunter.

Veronica Cowan is a barrister.

MOVERS & SHAKERS

Birketts—trainee cohort

Birketts—trainee cohort

Firm welcomes new cohort of 29 trainee solicitors for 2025

Keoghs—four appointments

Keoghs—four appointments

Four partner hires expand legal expertise in Scotland and Northern Ireland

Brabners—Ben Lamb

Brabners—Ben Lamb

Real estate team in Yorkshire welcomes new partner

NEWS
Robert Taylor of 360 Law Services warns in this week's NLJ that adoption of artificial intelligence (AI) risks entrenching disadvantage for SME law firms, unless tools are tailored to their needs
From oligarchs to cosmetic clinics, strategic lawsuits against public participation (SLAPPs) target journalists, activists and ordinary citizens with intimidating legal tactics. Writing in NLJ this week, Sadie Whittam of Lancaster University explores the weaponisation of litigation to silence critics
Delays and dysfunction continue to mount in the county court, as revealed in a scathing Justice Committee report and under discussion this week by NLJ columnist Professor Dominic Regan of City Law School. Bulk claims—especially from private parking firms—are overwhelming the system, with 8,000 cases filed weekly
Writing in NLJ this week, Thomas Rothwell and Kavish Shah of Falcon Chambers unpack the surprise inclusion of a ban on upwards-only rent reviews in the English Devolution and Community Empowerment Bill
Charles Pigott of Mills & Reeve charts the turbulent progress of the Employment Rights Bill through the House of Lords, in this week's NLJ
back-to-top-scroll