Report reveals extent of cybercrime risk to law firms

A new report from the Solicitors Regulation Authority (SRA) shows that email remains a significant vulnerability for law firms, involved in more than four out of five of all reported cybercrime incidents.

The Risk Outlook report outlines new threats as criminals look to exploit new technology. It shows that 83% of cybercrimes reported in 2021 involved email – for instance, through email phishing attacks. Conveyancing has been the most common target for such attacks, but the SRA said they “are now seeing cybercriminals targeting a wider range of practice areas”.

The report warns about the changing risks of ransomware. The SRA said that, in 2021, they received “relatively few – 18 – reports of ransomware attacks”. Traditionally, ransomware simply encrypted data meaning attacks would not have involved a breach to report. Newer ransomware steals data as well as encrypting it, with criminals likely to pressure targets by threatening to release sensitive information. The SRA are now receiving reports from law firms of this.

Most ransomware attacks will likely be random, but they can be targeted. At a time of international tensions, firms acting for clients operating nationally significant infrastructure could be at higher risk, as could firms acting for Ukrainian, Russian or Belarussian clients.

The report predicts that cybercriminals, aware that firms are focusing on the security of their IT systems, might make greater use of false physical documents or newly emerging scams where criminals carry out focused attacks using voice-modification software in calls to impersonate a solicitor.

Increasing use of the cloud and third-party IT systems also has risks. Although such providers are likely to have strong defences, the report highlights examples where attacks on them have led to malware being spread through firms’ customers and multiple law firms.

Paul Philip, SRA Chief Executive, said:

“Law firms are targeted by cybercriminals as they often hold large amounts of client money and/or sensitive information. It is in everyone’s interest that firms take all reasonable steps to protect themselves and their clients, all the more so as innovation and increased use of IT make information security a priority.

Protection isn’t just about software. Having the right systems in place, such as anti-virus software or multi-factor identification, really matters. But good training and a culture in relation to managing risks is just as important.”

The report provides advice on steps firms can take to protect themselves, including training staff of information security issues in the office and at home, having multiple back-ups, and having a no-blame culture which encourages early reporting if something goes wrong. Firms that fail to assess their risks on a regular basis are vulnerable, as set out in the SRA’s thematic review of cybercrime.

Alongside the cybercrime update, the regulator has also published a Risk Outlook report looking at technology and innovation, with IT security as the common theme.

With 44% of legal services delivered online in the pandemic, the report highlights some of the opportunities technology can bring, including responding to changing consumer behaviours and deliver services more efficiently. The potential risks that firms need to consider include data protection, some clients being unable to use technology, and considerations around liability if things go wrong.

The report also looks at potential future changes in the market including the implications of the use of artificial intelligence, cryptocurrency, and changes in the labour market where 70% of young people say they expect employers to invest in their digital skills.

The SRA are encouraging firms to share their experience on information security cybercrime and innovation in a survey to continue to build their understanding of these issues.