Posted by Brian Rogers, regulatory director for digital learning and compliance at Legal Futures Associate The Access Group [1]
Rogers: Make cyber-risk a board-level issue
Cyber-risk will continue to be a major risk for all law firms in 2020 due to the sensitive nature of the information they hold, and the substantial amounts of client money held by over 7,000 of them.
The Solicitors Regulation Authority has told firms that they should ask themselves, ‘When will we be targeted by online criminals, not if?’
This clearly puts firms on notice of the threat, so if they don’t take sensible/reasonable steps to protect themselves and their clients from harm, they could face regulatory action and professional indemnity insurers reserving their positions on cyber-related claims.
The threat
The recent tensions between Iran and the US have increased the risk of cyber-attacks, with cyber experts warning about cyber-attacks by Iran against American financial institutions; this could widen to other American businesses and their advisors, including law firms. Any law firm handling American clients/transactions should review their cyber-security plans and ensure their business continuity plans are updated accordingly.
The UK defence secretary recently suggested that, rather than recruiting 1,000 new people for the infantry, the Army should recruit 1,000 new hackers instead; other countries have already done this!
One law firm we have worked with suffered from a cyber-attack which was so sophisticated that it not only managed to stop the firm accessing its live data but also its backup data; had it not been able to reconstitute its client data from hardcopy files, it would probably have had to close down.
It was found that the attack was initiated by a foreign government; it was not interested in the client data but just wanted to disrupt parts of the UK economy.
An additional issue to consider is Microsoft withdrawing support for all those on Windows 7, which will leave PCs vulnerable to attack if they are not updated to a newer version.
Key cybersecurity risks in 2020
Cyber-risks seen as major threats to law firms in 2020 include:
- More sophisticated ransomware attacks – more businesses are now paying the ransoms demanded so they can continue operating as normal;
- Increased supply chain attacks – cyber-attackers inject code into a website allowing them to steal data such as clients’ personal details and credit card data;
- Attacks on AI systems – attackers are studying how networks are using machine learning for system defence so they can work out how to breach them;
- Hardware and firmware attacks – hardware vulnerabilities such as Spectre and Meltdown are causing real concerns, especially as they affect most computer chips made over the past two decades;
- DNS spoofing – criminals can spoof details related to web IP addresses, misdirecting users to compromised websites where they risk having data stolen;
- Fakes and deep fakes (faked videos and audio recordings that resemble the real thing) – we have seen CEO fraud involving emails in the past but now criminals are using faked recordings of senior managers asking the accounts department to make payments into a criminal’s bank account; and
- Surveillance attacks using smartphones – tracking software is installed onto phones to monitor a user’s behaviour from their smartphone usage
Cybercrime is a clear and present danger and it could have a catastrophic impact on firms and their clients if appropriate plans are not put into place to stop it.
Law firm attitudes to cyber-risk
In its report Adapting to a new world, published in 2019, PwC found that 76% of the top 100 law firms were “somewhat concerned” or “extremely concerned” about cyber-security.
It found that firms had identified “improving use of technology” and “standardising and centralising business processes” as priorities, with many seeing technological change as a significant challenge for them in the following years.
These views also reflect how smaller firms do or should view cyber-risk; they may not have the same funding or resources as larger firms but the risks remain the same and, if they materialise, could impact them in a far more catastrophic way.
It was only a few years ago that we saw a cyber-attack on one of the largest law firms in the UK which led to it being unable to function properly for weeks afterwards, leading to reputational damage, regulatory focus, potential claims for negligence, etc.
Investment in technology has been lacking over previous years, with PwC finding that some firms are heading towards a pinch-point where they need to play catch-up; this could leave them exposed to cyber-threats in the interim.
As in previous years, the SRA has included cyber security in its 2019/20 Risk Outlook, but this year it has tied information security to the same risk; this is a reminder that, when you have a cyber-attack, you also need to think about your data protection obligations and whether a report will need to be made to the Information Commissioner’s Office.
The SRA’s new Standards & Regulations lay down a number of obligations that you should consider in relation to cyber-risk: Principles 2 and 5, requirements 3.2, 4.2, 6.3 and 7.2 for solicitors, and 2.1, 2.5, 4.2, 5.2, 6.3, 8.1 and 9.1 for firms.
You also need to consider whether your cyber-crime prevention measures are sufficient to meet the expectations of your professional indemnity insurer; they could reserve their position on claims if they can see that losses occurred as a result of your firm not taking reasonable steps to prevent client information from being accessed or money being stolen.
Action you can take to mitigate the risk of cyber attacks
- Make cyber-risk a board-level issue;
- Ensure you have an effective and tested business continuity plan in place that covers recovery from a cyber-attack;
- Train all your staff on cyber-risk and how attacks can be minimised/avoided;
- Review your IT requirements at least annually and ensure systems are appropriate to the risks that are known to exist;
- Ensure you have an appropriate system back-up procedure, and that it is effective;
- Utilise appropriate encryption systems; and
- Ensure only those who need access to your systems have it.
Cyber-crime is a clear and present danger for law firms and it could have a catastrophic impact on them and their clients if appropriate plans are not put into place to stop it. Now is the time to review plans if you already have them, or to put in place plans if you don’t.
Criminals are acting now so you need to do so as well.
The Access Group offers e-learning on practical cyber security awareness [2].