In the opening six months of 2019, law firms reported that £731,250 worth of client money was lost to cyber crime, prompting the Solicitors Regulation Authority (SRA) to deem cyber crime to be one of the greatest threats a law firm will face in 2019/20.
Cyber security and information security is now deemed a more severe threat than last year, moving from the tenth to ninth biggest threat to the sector.
Over the past five years, more than £4million of client money has been lost by 23 firms with an average loss of £173,913.
Eighteen firms have each lost more than £400,000 during a security incident, highlighting the financial and reputational damage that will follow a significant data breach and cyber attack.
Furthermore, £3.67million was paid out by insurers on behalf of 16 firms during this time.
The most common forms of cyber attacks law firms encountered in 2019 included:
- Email modification fraud – here criminals intercepted and falsified documents between client and law firm in the hope of changing bank details and stealing the money.
- Phishing and vishing – cyber criminals have long been using social engineering methods to encourage clients and law firm employees to part with sensitive information or finances by sending convincing email communications. In the past year, telephony fraud (vishing) has grown in stature with deep fake technology being used.
- Malware and ransomware – harmful software used to spy on or infect files by encrypting files and demanding a ransom.
- CEO Fraud – this remains a significant threat to the legal sector as criminals impersonate senior figures within a law firm by spoofing email domains and using social engineering tactics to look and sound like a prominent figure in the firm, making it easier to steal important information.
- Identity theft – criminals stealing the identity of a firm to convince clients to part with their finances or information. In the past month, eleven websites and correspondence, pertaining to be SRA regulated law firms, have been copied by fraudsters with the SRA anxious it is likely to increase further.
Through the SRA’s Risk Outlook 2019/20, the regulator has urged law firms to know their obligations; understand the general principles of cyber security; maintain their systems; back up their data; ensure Internet of Things devices are secure; implement robust access controls; ensure in depth training and testing is in place; and understand their clients.
In terms of understanding a law firm’s obligations, the SRA suggest that all firms and their employees understand the Code of Conduct, Accounts Rules and GDPR reporting obligations.
When maintaining a system, law firms are urged to use antivirus software, update programs regularly, implement appropriate firewalls and replace systems no longer supported by a manufacturer.
To remain compliant, data should be backed up frequently using secure cloud storage with at least three copies of all important data stored on at least two separate devices with one copy offsite.
The SRA has insisted that firms should ensure access to its systems are a lot more protected. Two factor authentication, controlling access to removable media, avoiding predictable passwords by using password management tools and screen-locking devices were all suggested solutions.
A transparent and prominent cyber security culture should permeate throughout the entire law firm. Consistent and regular training to help build a culture of reporting and regularly testing security systems were also encouraged by the regulator.
The risk report also suggested that data breaches can occur for numerous reasons and law firms should therefore understand their clients and the potential risks they could pose to the business. Politically sensitive transactions could be of interest to activist groups whilst conveyancing transactions may be more susceptible to email modification fraud.