A study of 40 law firms which suffered a cyber-attack over the past three years has found that more than £4m of client money was stolen from 23 of them.
While most of it was repaid by insurers, 18 firms still had to stump up £400,000 of their own money to cover the losses, and also had to deal with the emotional toll on staff.
Meanwhile, a case of ransomware seen by the Solicitors Regulation Authority (SRA) saw a large volume conveyancing firm have to shut down for two weeks to recover from the attack.
The figures were revealed in a session on cyber-crime at yesterday’s compliance officer conference run by the SRA in Birmingham.
The regulator has carried out a thematic review of 40 law firms that suffered a cyber-attack over the past three years to understand the impact, with the full results set to be published early next year.
Paul Hastings, head of the SRA’s thematic team, said the work showed that firms did not adequately record and report cyber-attacks.
While the SRA receives reports of around 150 attacks a year, its investigations showed that two of the firms alone have been attacked over 600 times in the last three years.
Firms identified their people as their main vulnerability, so “policies and controls” were vital, he said. But the review found that 11 of the 40 firms had inadequate policies and 10 had inadequate controls.
Only five of the firms sought to mitigate the risk with Cyber Essentials Plus certification, he added: “All were judged to have good written processes and controls, and a good approach to cyber-security.”
Rachel Clements, regulatory manager in the thematic team, stressed that none were “bad” firms, and the SRA was satisfied that they had put in steps to avoid a repeat, meaning it did not need to refer any of them for possible regulatory action.
She talked through one case study of a small firm that was tricked by an email modification fraud – which accounts for around half of cyber-attacks on law firms, a figure that has fallen a little in recent years.
Here there was a “slight change” in the client’s email address; the email altered the instructions in relation to the account to which a conveyancing client’s money was to be sent.
Ms Clements said the firm had a policy to contact clients for verbal verification in such circumstances, but the client was busy with their house move and did not have their account details to hand. The client told the firm to “just get on with it”.
Not following its policy, the firm transferred £400,000 to the fraudsters as a result. Ms Clements said it repaid the client straight away from office account, which caused cash flow problems, and there was also a police investigation.
The firm eventually recouped the money from its insurer, less a £5,000 excess, and also had to pay £900 compensation after the client complained to the Legal Ombudsman.
She said the firm has strengthened its policy by asking for written, signed authorisation in such circumstances, even if that risked slowing down the transaction.
Email modification fraud “relies on our complacency and trust”, Ms Clements added.
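The two signals in the case study above, a sender address that is a near-miss of the one on file and a change of bank details, can be turned into a hard gate that a busy client cannot talk staff out of on the same channel. The following is an added Python example written for this page, not code from the SRA, Legal Futures or any of the firms described; the matter ID, the client record, the callback number and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
"""Triage a payment-instruction email against the client record before funds move.

Added example for the email modification fraud case study; the client record,
matter ID and threshold below are constructed for illustration.
"""

import difflib
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed client record for one matter (assumption: a firm's case system
# would supply this; every value here is made up).
CLIENTS_ON_FILE = {
    "M-0001": {
        "email": "jane.smith@example.com",
        "sort_code": "12-34-56",
        "account": "12345678",
        # Number captured at onboarding; the only number ever used for call-back.
        "callback_number": "+44 20 7946 0000",
    },
}

# Assumption: similarity at or above this is treated as a deliberate lookalike.
LOOKALIKE_THRESHOLD = 0.85


@dataclass
class Triage:
    decision: str                           # "PROCEED" or "VERIFY_OUT_OF_BAND"
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None   # from the record, never from the email


def _normalise(addr: str) -> str:
    return addr.strip().lower()


def triage_payment_instruction(matter_id: str, sender: str,
                               sort_code: str, account: str) -> Triage:
    """Decide whether an emailed payment instruction may be acted on as-is."""
    client = CLIENTS_ON_FILE[matter_id]
    known, seen = _normalise(client["email"]), _normalise(sender)
    reasons: List[str] = []

    if seen != known:
        ratio = difflib.SequenceMatcher(None, seen, known).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            # Report which half was altered; a changed domain is the usual trick.
            _, _, known_domain = known.rpartition("@")
            _, _, seen_domain = seen.rpartition("@")
            part = "domain" if seen_domain != known_domain else "local part"
            reasons.append(
                f"sender is a lookalike of the address on record "
                f"({part} differs, similarity {ratio:.2f})")
        else:
            reasons.append("sender is not the client's address on record")

    if any(ord(ch) > 127 for ch in seen):
        reasons.append("sender address contains non-ASCII characters (possible homoglyph)")

    if (sort_code, account) != (client["sort_code"], client["account"]):
        # Any change of bank details is verified out of band even when the sender
        # matches exactly: the client's own mailbox may be the thing compromised.
        reasons.append("bank details differ from those held on file")

    if reasons:
        return Triage("VERIFY_OUT_OF_BAND", reasons, client["callback_number"])
    return Triage("PROCEED")


if __name__ == "__main__":
    # Constructed instruction resembling the case study: capital I for lower-case l
    # in the domain, plus new account details.
    result = triage_payment_instruction("M-0001", "Jane.Smith@exampIe.com",
                                        "65-43-21", "87654321")
    print(result.decision)
    for reason in result.reasons:
        print(" -", reason)
    print("call back on the number held on file:", result.callback_number)
```

The decision depends only on the record, so a reply of “just get on with it” in the same email thread changes nothing: the instruction stays blocked until someone has spoken to the client on the number the firm already holds, not on a number supplied in the email.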
The second case study involved a large volume conveyancing firm with a turnover of more than £5m. An employee clicked on an email over a weekend, as a result of which ransomware encrypted all of its systems. The criminals only asked for $500 but the firm did not pay – “paying is a dangerous option,” Ms Clements said.
The firm had to close for two weeks to deal with the attack at a cost of £60,000 and it lost £150,000 in revenue. “What really struck me was the emotional toll on staff,” she said.
But she was also “really impressed” by its response, recognising that staff were both a key risk and a key asset. The firm has invested in training, much of it face to face, “so everyone could realise they were all responsible for cyber-security”.
She added: “Their message was that you shouldn’t wait until a cyber-attack to educate your staff.”
James van den Bergh, a security awareness specialist at global law firm DLA Piper, said it was “unhelpful” for firms to view their staff as the weak link because of the need to work together to create a “human firewall”.
He said: “Most firms are focused on compliance but they need to push through that to promoting awareness and behaviour change… The key message is that it’s a shared responsibility – it’s not down to the risk team, the IT team or the compliance team.”
Robert Loughlin, the SRA’s executive director of operations and performance, added that cyber-crime was becoming more sophisticated, with fraudsters using artificial intelligence tools to start mimicking voices.
He also revealed that, according to the reports the SRA receives, disgruntled ex-employees were the most likely source of cyber-attacks, while 43% of attacks were made on small firms.
More positively, he pointed to the ‘confirmation of payee’ scheme – under which anyone making a payment will be alerted by the bank if the name does not match the account – which is set to be implemented in March 2020 after some delay.
“It should make a significant difference – we’re relatively excited about this,” Mr Loughlin said.
The new accounts rules would also make it easier to use third-party managed accounts as another way to counter the risk of fraud, he added.