The threats facing UK legal services firms continue to grow. Whether they come from sole perpetrators, serious organised crime groups or political threat actors, cyber criminals' modus operandi continues to evolve and their tactics and techniques are becoming ever more sophisticated. The Serious Organised Crime Threat Assessment (SOCTA 2023) report published in June 2023[1] identified cyber crime as a key threat not only to the UK but also globally.
We have witnessed the levels of cyber crime significantly increase over the last few years from criminals exploiting the pandemic, with new opportunities now presented via the current geopolitical and economic pressures. Malicious cyber threat actors are indiscriminate; they are not fussy about who they attack, and the legal profession is most certainly no exception. Given the increased threat facing law firms from cyber crime, Jonathan Burt and Joanne Cracknell in the Legal Services Professional Indemnity team explore the current threats from this priority risk.
Law firms handle sensitive transactions for their clients, who rely on them to seek justice, resolve disputes, and conduct business. Law firms collect, process and store highly sensitive and valuable client information and handle financial transactions, with an estimated revenue of £43.9 billion[2]; they therefore hold the two things criminals crave: information and money.
The National Cyber Security Centre's (NCSC) latest report assessing the cyber threat to the UK legal profession, published in June 2023[3], identified the main threats facing law firms:
The threat facing law firms is not always external but is often the result of human error. Issues arising from human error are unlikely to be intentional or malicious; they may very well be the consequence of poor training or honest mistakes, such as clicking on links or opening attachments in an email which compromises a law firm's systems. The latest statistics from the ICO suggest that the most common cause of cyber breach reported by the legal sector is emails being sent to the incorrect recipient, equating to almost 50% of breaches reported to the ICO during the six-month period of 1 October 2022 to 31 March 2023[9].
There is also the malicious 'insider threat' to consider: the risk of a disgruntled former employee with access to sensitive information leaking that information highlights the importance of good cyber hygiene when a person leaves a law firm. Here, whistleblowing and effective communication are critical.
The Cyber Security Breaches Survey 2023[10] reported that fewer than four in ten businesses (37%) have cyber insurance. It is fair to say that these figures are a cause for concern for solicitors' professional indemnity (PI) insurers, given the heightened risk and general awareness of the impact of cybercrime. The concern is that:
Purchasing a cyber insurance policy is not a mandatory requirement. However, doing so may help a law firm demonstrate to PI insurers that it understands the risks to its business and is taking steps to mitigate those risks. Increasingly, PI insurers are asking firms for confirmation that a cyber policy is being purchased and, if not, why the firm believes the purchase of such a policy is not necessary.
Investment in a cyber policy is not an area in which law firms should be looking to reduce costs, given the increased threat of a cyber attack, the level of fines being imposed for breaches and the potential reputational damage.
The purchase of a standalone cyber policy, however, is not in itself a demonstration that a firm has robust cyber risk management procedures in place. Awareness of the threat at all levels of seniority within the law firm is key, and insurers want to know that the threat from a cyber security incident is being taken seriously. As identified previously, many cyber security incidents occur as a result of human error, so insurers need to be confident that their insureds are aware that their staff and culture are the first line of defence in combating this threat.
Whilst the risk mitigation policies, controls and procedures may feel burdensome, it is important to remember what sits behind cyber crime. Organised crime groups rely on supply chains, networks, and specialists including professional services such as accountancy services and legal services to further their criminal activity, which includes drugs and human trafficking and child exploitation.
In addition to complying with the SRA Codes of Conduct and SRA Accounts Rules, law firms also need to remember their reporting obligations to the SRA, the ICO, the NCSC, and insurers should a significant cyber incident occur.
Cyber security incidents can create havoc for a law firm by causing significant disruption to the running of the business and the service provided to clients. Consequently, law firms may suffer a financial or reputational loss which may be disastrous for the business. Cyber security risk should form part of a business' operational resilience strategy; in turn this will help firms identify, understand, and manage any cyber-related vulnerabilities in their businesses.
Education and awareness of cyber security risk are of paramount importance, as staff are often viewed by threat actors as the path of least resistance and an easy route in. Training must be tailored so that it is relevant to individual teams or staff members, depending on their role or level of seniority within the business, and also on their access privileges and the types or sensitivity of data they are processing.
The Cyber Security Breaches Survey 2023[14] recorded that around a third of businesses (32%) reported having experienced some kind of cyber security breach or attack during the last 12 months. The threat of a cyber security incident to law firms is substantial, and it is no longer a case of 'if' but 'when'. Taking the following actions can help you prepare your organisation for potential attacks:
Operating a cyber-secure culture throughout the law firm, ensuring everyone receives the necessary education and training, and following the guidance issued by law enforcement and regulators will help protect against vulnerabilities and minimise the risk of cyber security incidents arising.