Skip to main content
main content, press tab to continue
Article

Cyber security threats facing the Legal Profession

By Jonathan Burt and Dr. Joanne Cracknell | December 8, 2023

Cyber attacks continue to threaten the Legal Profession causing financial and reputational losses. The Professional Indemnity Legal Services team provide a breakdown of the main cyber threats facing the industry today.
Financial, Executive and Professional Risks (FINEX)
N/A

The threats facing UK legal services firms continues to grow. Whether it is from sole perpetrators to serious organised crime groups or political threat actors, cyber criminals modus operandi continues to evolve and their tactics and techniques are becoming ever more sophisticated. The Serious Organised Crime Threat Assessment (SOCTA 2023) report published in June 2023[1] identified cyber crime as a key threat not only to the UK but also globally.

We have witnessed the levels of cyber crime significantly increase over the last few years from criminals exploiting the pandemic, with new opportunities now presented via the current geopolitical and economic pressures. Malicious cyber threat actors are indiscriminate; they are not fussy about who they attack, and the legal profession is most certainly no exception. Given the increased threat facing law firms from cyber crime, Jonathan Burt and Joanne Cracknell in the Legal Services Professional Indemnity team explore the current threats from this priority risk.

The threat to the legal profession

Law firms handle sensitive transactions for their clients who rely on them to seek justice, resolve disputes, and conduct business. Law firms collect, process and store highly sensitive and valuable client information and handle financial transactions, with an estimated revenue in the sum of £43.9billion[2] which are objects that criminals crave – information and money. 

The National Cyber Security Centre (NCSC) latest report assessing the cyber threat to the UK legal profession published in June 2023[3] identified the main threats facing law firms: -

  • phishing
  • business email compromise
  • ransomware
  • password attacks

Phishing

Phishing is a form of social engineering and can include scam emails, text messages or phone calls trick people into clicking links or open documents that direct them to a website, which may download a virus, steal bank details or other personal information. The Information Commissioner’s Office (ICO) data breach statistics suggest that almost a third of breaches reported by the legal sector were caused by phishing emails[4]. Furthermore, the government led Cyber Security Breaches Survey, a research study for UK cyber resilience published in April, identified that 89% of businesses surveyed experienced a phishing attack within the last 12 months[5].

NCSC has produced specific guidance on defending against phishing attacks but the key message is to: -

  • Deploy anti spoofing controls
  • Implement measures to identify and report suspected phishing emails
  • Establish well configured devices and good end point defences
  • Respond quickly to incidents
  • Frequent employee social engineering training, to include phishing simulation

Business email compromise

Business email compromise attacks are similar to phishing attacks, but they specifically target senior executives or budget holders of organisations. The aim here, however, is slightly different - the objective is almost exclusively financially driven and aims to trick personnel into transferring monies or revealing sensitive information, using legitimate email accounts or ‘lookalike’ email addresses. The NCSC has a helpful infographic setting out guidance on how to prevent these types of attacks.

Ransomware

Ransomware, a form of malicious software (malware), as in the name, aims to hold your business, your networks, systems and data to ransom until you pay an extortion demand. Of all the types and strains of malware, ransomware is particularly popular amongst cyber criminals as it offers them an excellent return on investment. Law firms can take steps to better prevent their exposure to this particular attack. Performing security updates when they are released, implementing strong passwords (or passphrases) and utilising multi-factor authentication are some of the basic, yet effective, controls that should be considered. Further guidance to support your ransomware preparedness is available via the National Cyber Security Centre.

Ransomware: To pay or not to pay …

It was estimated during 2021 that ransomware attacks will occur every 11 seconds globally at a cost of USD 20 billion for that year.[6] It is anticipated that the cost is now much higher. The rise in ransomware attacks on the legal profession last year prompted the ICO and the NCSC to write a joint letter warning law firms against paying ransom demands and advising their clients against doing so[7] If law firms do experience a ransomware attack, the guidance from the NCSC, law enforcement, the ICO and the Law Society is that they do not “encourage, endorse, nor condone the payment of ransom demands[8].

USD 20 billion The cost of global ransomware attacks in 2021

If law firms do choose to pay the ransom demand, there is no guarantee that they will be able to access the data once the ransom has been paid as the IT systems may still be infected. Furthermore, they will be putting themselves at risk of being targeted again in the future as criminal groups will know that they are willing to pay the ransom with the effect of funding further criminal activity. The NCSC has issued helpful guidance in the form of an infographic on how to minimise exposure to ransomware attacks.

Password attacks

The use of passwords is a risk factor on its own as passwords are needed for so many applications, systems and devices. The key is to prevent criminals from accessing law firms’ systems and the information stored on them. Passwords need to be strong and unique and changed regularly. The recommended advice from the NCSC is to use three random but memorable words that are ‘long enough and strong enough’ but not too complicated you cannot remember them and have to write them down.

Other threats

The NCSC sees the primary threat from cyber criminals to the legal profession as financial. However, there is an increased threat from ‘hackers for hire’ who earn commissions from conducting malicious attacks to steal sensitive information for others. In the current and challenging geopolitical landscape, the legal sector may also find themselves being targeted by state actors. Law firms who specialise in intellectual property, act for sensitive clients, or act on transactions involving political topics, such as human rights, may be specifically targeted by attacks from such actors.

The threat facing law firms is not always external but is often as a result of human error. Issues arising from human error are unlikely to be intentional nor malicious, they may very well be the consequence of poor training or honest mistakes such as clicking on links or opening attachments in an email which compromises a law firm’s systems. The latest statistics from the ICO suggests that the most common cause of cyber breach reported by the legal sector is as a result of emails being sent to the incorrect recipient, equating to almost 50% of breaches reported to the ICO during the six-month period of 1 October 2022 to 31 March 2023[9]

There is also the malicious ‘insider threat’ to consider; the risk of a disgruntled former employee with access to sensitive information leaking that information highlights the importance of good cyber hygiene when a person leaves a law firm. Here, whistleblowing and effective communication are critical. 

Cyber Insurance

The Cyber Security Breaches Survey 2023[10] reported that less than four in ten businesses (37%) have cyber insurance. It is fair to say that these figures are a cause of concern for solicitors’ professional indemnity (PI) insurers given the heightened risk and general awareness of the impact of cybercrime. The concern is that:

  • firms may either be assuming there is greater cover provided under the PI policy than is actually the case
  • there is a misplaced over-reliance on third parties to whom they outsource their IT requirements; or
  • some firms are unwilling to invest in cyber risk management procedures sufficiently to include a standalone cyber policy.

The need to purchase a cyber insurance policy is not a mandatory requirement. However, doing so may assist a law firm’s ability to demonstrate to PI insurers that they understand the risks to their business and are taking steps to mitigate these risks. Increasingly, PI insurers are asking firms for confirmation that a cyber policy is being purchased and if not, why the firm believes the purchase of such a policy is not deemed necessary.

Investment in a cyber policy is not an area law firms should be looking to reduce costs given the increased threat of a cyber attack, the level of fines being imposed for breaches and the potential reputational damage.

The purchase of a standalone cyber policy, however, is not in itself a demonstration that a firm has robust cyber risk management procedures in place. Awareness of the threat at all levels of seniority within the law firm is key and insurers want to know that the threat from a cyber security incident is being taken seriously. As identified previously, many cyber security incidents occur as a result of human error, so insurers need to be confident that their insureds are aware that their staff and culture are the first line of defence in combating this threat.

Regulatory Obligations

Whilst the risk mitigation policies, controls and procedures may feel burdensome, it is important to remember what sits behind cyber crime. Organised crime groups rely on supply chains, networks, and specialists including professional services such as accountancy services and legal services to further their criminal activity, which includes drugs and human trafficking and child exploitation.

In addition to complying with the SRA Codes of Conduct and SRA Accounts Rules, law firms also need to remember their reporting obligations to the SRA, the ICO, the NCSC, and insurers should a significant cyber incident occur.

Proactive steps to manage cyber security risks

Cyber security incidents can create havoc for a law firm by causing significant disruption to the running of the business and the service provided to clients. Consequently, law firms may suffer a loss whether it be financial or reputational which may be disastrous for the business. Cyber security risk should form part of a business’ operational resilience strategy; in turn this will help firms identify, understand, and manage any cyber related vulnerabilities to their businesses.

Education and awareness of cyber security risk is of paramount importance as staff are often viewed by threat actors as a path of least resistance and an easy route in. Training must be tailored accordingly so that it is relevant to individual teams or staff members, depending on their role or level of seniority within the business, and also on the access privileges and types or sensitivity of data they are processing.

The Cyber Security Breaches Survey 2023[14] recorded that around a third of businesses (32%) reported having experienced any kind of cyber security breach or attack during the last 12 months. The threat of a cyber security incident on law firms is substantial and it is no longer the case of ‘if’ but ‘when’. Taking the following actions can help you prepare your organisation from potential attacks: -

  • carry out regular backups, focusing on business-critical systems and data
  • preventing malware from being delivered and spreading to devices
  • implement strong passwords
  • utilise multi-factor authentication as widely as possible
  • employee cyber awareness training and phishing simulation
  • prepare for an incident, building confidence in your response and recovery processes

Operating a cyber secure culture throughout the law firm and ensuring everyone receives the necessary education and training, and following the guidance issued by law enforcement and regulators, will help protect against vulnerabilities and minimise the risk of cyber security incidents from arising.

Footnotes

  1. National Crime Agency. (n.d) National Strategic Assessment 2023 for Serious and Organised Crime.Retrieved from Return to article
  2. National Cyber Security Centre. (n.d) Cyber Threat Report: UK Legal Sector.,Retrieved from Return to article
  3. National Cyber Security Centre. (n.d) Cyber Threat Report: UK Legal Sector.,Retrieved from Return to article
  4. Information Commissioners Office. (n.d). Data security incident trends.,Retrieved from Return to article
  5. Department for Science, Innovation and Technology. (2023, April 19). Cyber security breaches survey 2023.,Retrieved from Return to article
  6. UNDOC. (2021). Return to article
  7. Law Society. (2021). Return to article
  8. (September 9, 2021). Mitigating malware and ransomware attacks. How to defend organisations against malware or ransomware attacks.,Retrieved from Return to article
  9. Information Commissioners Office. (n.d). Data security incident trends. ,Retrieved from Return to article
  10. Department for Science, Innovation and Technology (2023, April 19). Cyber Security Breaches Survey 2023.,Retrieved from Return to article
  11. Solicitors Regulation Authority. (n.d). SRA Code of Conduct for Solicitors, RELs and RFLs.,Retrieved from and Solicitors Regulation Authority. Retrieved from Return to article
  12. Solicitors Regulation Authority. (n.d). SRA Code of Conduct for Solicitors, RELs and RFLs.,Retrieved from and Solicitors Regulation Authority. (n.d) SRA Code of Conduct for Firms. Retrieved from Return to article
  13. Solicitors Regulation Authority. (n.d). SRA Accounts Rules.,Retrieved from Return to article
  14. Department for Science, Innovation and Technology (2023, April 19). Cyber Security Breaches Survey 2023.,Retrieved from Return to article

Authors


Associate Director - PI FINEX Legal Services

Director - PI FINEX Legal Services

Contact us