By Brian Rogers, regulatory director at Legal Futures Associate Access Legal
Cyber-risk will continue to be a major risk for all law firms in 2024 due to the sensitive nature of the information they hold, and the substantial amounts of client money held by over 7,000 of them.
The Solicitors Regulation Authority (SRA) has told firms that they should ask themselves “when will we be targeted by online criminals, not if?”. This puts firms clearly on notice of the threat: if they do not take reasonable steps to protect themselves and their clients from harm, they could face regulatory action, and professional indemnity insurers may reserve their position on cyber-related claims.
The current situation
The recent tensions between Iran and the US have increased the risk of cyber-attacks, with cyber-security experts warning of Iranian attacks against American financial institutions; this could widen to other American businesses and their advisers, including law firms.
Any law firm handling American clients or transactions should review its cyber-security plans and ensure its business continuity plans are updated accordingly.
The Ukraine conflict has seen cyber-attacks by Russia-backed groups increase enormously, with Google’s Threat Analysis Group reporting that attacks targeting users in Ukraine rose 250% and those targeting users in NATO countries rose 300% in 2022 compared with 2020. According to the report, the primary focus of the attackers is the Ministry of Defence and other government bodies, including the Ministry of Justice.
You should assess your client profile for any links to Russia, Ukraine or government bodies, weigh the risk that each relationship poses to your firm, and take appropriate action.
One law firm suffered a cyber-attack a number of years ago that was sophisticated enough to cut the firm off not only from its live data but also from its backups, because the backups were reachable from the same compromised network; had it not been able to reconstitute client data from hard-copy files, it would probably have had to close down.
It was found that the attack had been initiated by a foreign government, which was not interested in the client data but simply wanted to disrupt parts of the UK economy.
Along a similar line of thought, with a general election likely to come in May 2024, attackers are likely to be on the prowl for any damaging information on politicians that they might exploit. So if you represent any politicians or their affiliates, those clients may represent a particularly high risk to your firm throughout 2024.
Microsoft has now stopped supporting Windows Server 2012 and 2012 R2 (extended support ended on 10 October 2023). If you are still running either version, you will no longer receive security updates and patches unless you have bought Extended Security Updates (ESU), and any newly discovered vulnerability will remain open on those servers indefinitely, leaving your firm exposed to attack. Find every such server in your estate now and plan its upgrade or isolation.
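The following PowerShell is an added example, not code from the original article or from Access Legal, showing how to find out-of-support Windows Server hosts from a computer inventory. It assumes each inventory object has `Name` and `OperatingSystem` properties, which is the shape `Get-ADComputer -Properties OperatingSystem` returns; the sample inventory below is constructed so the check runs without a domain.

```powershell
# Added example (not from the original article): flag Windows Server hosts whose
# extended support has ended, given an inventory of computer objects.
# Assumption: each object has .Name and .OperatingSystem, the shape returned by
#   Get-ADComputer -Filter * -Properties OperatingSystem

function Get-UnsupportedServer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer
    )
    begin {
        # Versions whose extended support has ended: Windows Server 2012 and 2012 R2
        # ended on 10 October 2023; 2008 and 2008 R2 ended in January 2020; 2003 long before.
        # The pattern deliberately does not match 2016, 2019 or 2022.
        $eolPattern = 'Windows Server (2003|2008|2012)'
    }
    process {
        if ($Computer.OperatingSystem -match $eolPattern) {
            [pscustomobject]@{
                Name            = $Computer.Name
                OperatingSystem = $Computer.OperatingSystem
                Action          = 'Upgrade or isolate; only paid ESU keeps 2012/2012 R2 patched'
            }
        }
    }
}

# Constructed sample inventory so the example runs offline. In production replace it with:
#   Get-ADComputer -Filter * -Properties OperatingSystem | Get-UnsupportedServer
# On a single host, (Get-CimInstance Win32_OperatingSystem).Caption gives the same string.
$inventory = @(
    [pscustomobject]@{ Name = 'DC01';   OperatingSystem = 'Windows Server 2019 Standard' }
    [pscustomobject]@{ Name = 'FILE01'; OperatingSystem = 'Windows Server 2012 R2 Standard' }
    [pscustomobject]@{ Name = 'APP02';  OperatingSystem = 'Windows Server 2012 Datacenter' }
    [pscustomobject]@{ Name = 'SQL01';  OperatingSystem = 'Windows Server 2022 Standard' }
)

# Lists FILE01 and APP02; DC01 and SQL01 are still supported and are not returned.
$inventory | Get-UnsupportedServer | Format-Table -AutoSize
```

Run it from a domain-joined workstation with the ActiveDirectory module installed; hosts that are not domain-joined (DMZ boxes, appliances) will not appear and need checking separately.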
Another factor driving cyber risk is the cost of living crisis. PwC’s 2022 law firm report found that, while 77% of firms experienced a cyber-attack as a result of staff error, 8% experienced an incident caused by a malicious insider. With the cost of living crisis not letting up, the risk of more insiders being paid to leak information or grant access to systems is likely to increase.
There is also a rise in supply chain attacks, in which attackers compromise your suppliers (IT providers, software vendors, outsourced services) in order to reach your data or to cut you off from your systems.
Attacks will undoubtedly happen, so you need to ensure that your suppliers have suitable protections in place, that they can react effectively to an incident, and that they will give you the level of support you need when it matters.
Key cybersecurity risks in 2024
Cyber risks that will be a major threat to law firms in 2024 include:
- Multi-factor faking – Attackers set up a convincing copy of your login and multi-factor authentication pages and relay what you type, including the one-time code, to the real service in real time, so the code still grants them access. Phishing-resistant methods such as FIDO2 security keys or passkeys are bound to the genuine site’s domain and defeat this; app-based or SMS codes do not.
- QR code phishing – Rather than emailing a link, an attacker sends you a QR code to scan, so you cannot inspect the link before opening it, and the page is usually opened on a personal phone outside the firm’s email and web filtering.
- More sophisticated ransomware attacks – Attackers now steal data before encrypting it and threaten to publish it, and more businesses are paying the ransoms demanded so they can continue operating as normal, which funds further attacks.
- Increased supply chain attacks – Attackers compromise a third-party script, software update or service provider that your systems trust, for example injecting code into a website so they can steal data such as clients’ personal details and card details.
- Attacks on AI systems – Attackers are studying how defenders use machine learning for detection so they can work out how to evade or poison it.
- DNS spoofing – Criminals poison DNS responses or hijack domain records so that a legitimate name resolves to an attacker-controlled address, misdirecting users to fake websites where their data or credentials are stolen.
- Fakes and deepfakes (faked videos and audio recordings that resemble the real thing) – We have seen CEO fraud involving emails in the past, but criminals are now using faked voice and video recordings of senior managers asking the accounts department to make payments into a criminal’s bank account. Any payment instruction received this way should be confirmed by calling the manager back on a known number.
- Surveillance attacks using smartphones – Tracking software (stalkerware or spyware) is installed on a phone to monitor the user’s calls, messages, location and app activity.
Cybercrime is a clear and present danger, and it could have a catastrophic impact on firms and their clients if appropriate plans are not put in place to counter it.
Download The Ultimate Guide to Cyber Security for Law Firms to get a fuller understanding of the cyber threats your practice faces.
Mitigating cyber risks to law firms in 2024
PwC’s 2023 Cyber Security Outlook found that “90% of UK senior executives ranked increased cyber-risk due to digital transformation as their biggest cyber security challenge since 2020”, yet 64% of businesses had not fully mitigated the risks of cloud adoption or of increased digitisation of the supply chain.
Also, 68% had not fully mitigated the risks of increased digitisation of delivery mechanisms to customers.
This represents a serious risk to law firms. You should be assessing not just your own cyber-security practices but also those of the businesses you work with, as their weaknesses can become your breach.
Although this data reflects the views of the top 100 law firms, it can also be read as a reflection of how smaller firms in the sector do, or should, view cyber risk. They may not have the same funding or resources as larger firms, but the risks are the same, and if they materialise the impact on a small firm can be far more severe, possibly leading to its closure.
It was only a few years ago that we saw a cyber-attack on one of the largest law firms in the UK, which left it unable to function properly for weeks afterwards, with reputational damage, regulatory focus and potential negligence claims following.
Investment in technology has been lacking in previous years, with PwC finding that some firms are heading towards a pinch-point where they need to play catch-up; this leaves them exposed to cyber threats in the interim.
The SRA released a Risk Outlook dedicated to cyber security and information security in July 2022, which highlighted some of the ways cyber risks are changing including:
- Cyber-criminals are likely to seek easier targets as more firms invest in cyber security;
- Criminals may make more use of false physical documents or voice phishing (vishing);
- There is a significant threat of deepfake technology being used to impersonate jurors or witnesses in remotely heard cases;
- There will be increased use of AI, both by attackers and in defending against attacks; and
- Ransomware attacks will become more sophisticated and automated, scanning for and exploiting vulnerabilities in your systems.
The SRA Standards and Regulations lay down a number of obligations that you should consider in relation to cyber-risk, namely:
- SRA Principles 2 and 5;
- Code of Conduct for Solicitors, RELs and RFLs: paragraphs 3.2, 4.2, 6.3 and 7.2; and
- Code of Conduct for Firms: paragraphs 2.1, 2.5, 4.2, 5.2, 6.3, 8.1 and 9.1.
You also need to consider whether your cyber-crime prevention measures are sufficient to meet the expectations of your professional indemnity insurer; insurers may reserve their position on a claim if they can show that losses occurred because your firm did not take reasonable steps to prevent client information being accessed or money being stolen.
Action you can take to mitigate the risk of cyber attacks
- Make cyber-risk a board-level issue, with a named partner accountable for it;
- Ensure you have an effective and tested business continuity plan in place that covers recovery from a cyber-attack, including how you would operate while systems are down;
- Train all your staff on cyber-risk and on how attacks can be minimised or avoided, including how to report a suspected phishing email or suspicious payment request;
- Review your IT requirements at least annually and ensure systems are appropriate to the risks that are known to exist, retiring software that no longer receives security updates;
- Ensure you have a suitable backup procedure, with at least one copy kept offline or immutable so that an attacker who takes over your network cannot destroy it, and test that you can actually restore from it;
- Use appropriate encryption for data at rest (laptops, phones, backups) and in transit; and
- Ensure only those who need access to your systems have it, remove access promptly when roles change or staff leave, and require multi-factor authentication for email and remote access.
Cyber-crime is a clear and present danger for law firms and could have a catastrophic impact on them and their clients if appropriate plans are not put in place to counter it, so now is the time to review your plans if you already have them, or to put them in place if you do not.
Cyber-criminals are acting now, so you need to as well.
If you want to get a better understanding of how prepared your firm is to face cyber-threats, sign up for our free legal IT tech review and cyber security audit and discover where your firm may be vulnerable.