Client losses from cyber-attacks on law firms continue to fall


Cyber attacks: Just nine reports this year

Law firms appear to be warding off cyber-attacks more successfully, with client losses falling to £700,000 in the first 10 months of this year, the Solicitors Regulation Authority (SRA) has revealed.

This compares to £10m in 2017, a figure that has dropped every year since, apart from a small increase last year to £2.3m, around half of which was due to a single conveyancing transaction.

Regulatory manager Rachel Clements told Tuesday’s SRA compliance officer conference in Birmingham that it has received just nine reports of cyber-attacks on law firms this year, all caused by email modification fraud, mainly involving conveyancing firms.

“Overall, we’re seeing a really improving picture,” she said, adding that it tended to be clients who were targeted by email fraudsters, rather than their solicitors.

She recounted one case from this year where a client paid £50,000 after receiving an email where the solicitor’s address had been changed “almost undetectably”, with an ‘m’ replaced by an ‘n’.

Timing was also an issue as the fee-earner was on holiday, which indicated that the criminals had been watching. It was the fee-earner clicking on a phishing email that had triggered the attack.
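The swap described above (an 'm' changed to an 'n' in the solicitor's address) is the kind of near-duplicate that a simple edit-distance check against a client's known contact list will catch even when the eye does not. The following is an added example, not code from the article or from the SRA; the trusted addresses and sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: addresses the client already holds for their solicitors.
TRUSTED_SENDERS = [
    "j.smith@example-solicitors.co.uk",
    "accounts@example-solicitors.co.uk",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(header_from: str, trusted=TRUSTED_SENDERS, max_distance: int = 2) -> dict:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.

    A lookalike is not on the trusted list but sits within max_distance edits of
    an entry on it; a payment-detail change from such an address should only be
    acted on after a phone call to a number the client already holds.
    """
    _, addr = parseaddr(header_from)
    addr = addr.strip().lower()
    if addr in trusted:
        return {"verdict": "trusted", "address": addr, "closest": addr, "distance": 0}
    best = min(trusted, key=lambda t: levenshtein(addr, t))
    dist = levenshtein(addr, best)
    verdict = "lookalike" if dist <= max_distance else "unknown"
    return {"verdict": verdict, "address": addr, "closest": best, "distance": dist}

def diff_positions(addr: str, trusted: str) -> list:
    """Positions and characters where two same-length addresses differ, to show the swap."""
    return [(i, a, t) for i, (a, t) in enumerate(zip(addr, trusted)) if a != t]

# Constructed sample From: headers; the second one carries the 'm' -> 'n' swap.
SAMPLE_HEADERS = [
    "Jane Smith <j.smith@example-solicitors.co.uk>",
    "Jane Smith <j.snith@example-solicitors.co.uk>",
    "Jane Smith <j.smith@exanple-solicitors.co.uk>",
    "newsletter@unrelated.example",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_sender(header)
        print(result["verdict"], result["address"], "closest:", result["closest"],
              "distance:", result["distance"])
```

A mail gateway or a client-side add-in can run the same check against the firm's published sender addresses; the "lookalike" verdict is the one to surface with a warning rather than silently deliver.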

This firm included a very clear warning in its client-care letter about the risk of fraud, but Ms Clements noted how clients still often forgot. She highlighted the importance of regularly reminding them of the risks.

She said there were also examples of sophisticated attacks where large law firms were targeted for the information in partners’ email accounts, rather than money.

Ransomware was identified by the speakers on the panel – the Information Commissioner’s Office (ICO) and National Cyber Security Centre (NCSC) were also represented – as the main form of cyber-attack and their clear recommendation was that firms should not pay up.

Ms Clements said that “not only are you essentially paying a criminal… but it could expose you, your firm and your clients to additional risks”. Research showed that 80% of businesses that paid ransoms were targeted again, often by the same attacker.

She added that the SRA had also this year investigated a small number of complaints that firms had not informed clients of attacks.

In one case, the firm’s reason was that the data had been encrypted, rather than extracted, but Ms Clements said this was wrong and the firm still had a duty to report.

James Moss, legal director at the ICO, stressed that firms suffering a cyber-attack had 72 hours to report it to his organisation; if they did not, they would have to explain why. The ICO was happy to receive information on a piecemeal basis, he said.

Mr Moss also made clear that losing control over personal data – such as by attackers exfiltrating it – triggered the reporting requirement just as much as losing it altogether.

The GDPR required firms to implement “appropriate measures” to restore data but he said the ICO did not consider paying a ransom to be one.

William Wright, a partner at Paragon International Insurance Brokers, told the session that cyber-insurers would expect to see a raft of controls in place before issuing a law firm a policy, ranging from encryption and email scanning to intrusion detection and patch management.

Firms that did not require multi-factor authentication for remote access to their systems were “unlikely” to obtain insurance. He also emphasised the importance of segregated back-ups and staff training, given that “most cyber-attacks we see are human related”.

Back in 2018, the NCSC issued its first report on the cyber risks facing the legal profession. Delegates were told that an updated version of this would be published in February, citing additional risks such as supply chains being compromised and remote working.

Ms Clements said the SRA had issued around 50 scam alerts in just the last three months. Yesterday, the SRA sent one about a “malicious” email sent at 10.36 on 9 November purporting to come from the regulator itself.

It said: “Please delete the email. If you followed links and provided your username and password, you should reset your password immediately.”
