Cyber Security: Increase in notifications related to cyber incidents - Don’t get caught out!

In recent weeks our Howden claims team reports seeing more notifications from law firms relating to cyber incidents. This is consistent with reports of an increased incidence of cyber attacks as a fallout of the pandemic. We are concerned that the increase in solicitors and other fee earners working from home has raised the level of risk for many firms.

This issue falls against the backdrop of the thematic review of cyber security published by the SRA in September this year. The findings in that report suggest that a number of firms still have more work to do when it comes to training, policies, procedures and systems. The review also revealed that only 30% of those surveyed had bespoke cyber insurance.

We want our clients to ensure that they are on top of this issue. It is important to have adequate policies and procedures to reduce the risk and appropriate cyber insurance cover for those occasions when things go wrong.

The SRA Thematic Review

Q: Do you understand the term “ransomware”?

Q: Do you know what “malware” is?

Q: When did your firm last provide specific cyber training?

Q: Do you have a removable media policy?

Q: Do you have a home and mobile working policy?

Q: Have you and your team read the NCSC’s guidance on passwords?

Q: Do you encrypt your laptops?

Q: Does your firm use multi-factor authentication?

How would the above questions be answered by you and your firm? These were some of the questions that were asked in the SRA’s thematic review, where the answers indicated that many law firms still have work to do when it comes to cyber security.

The SRA visited 40 law firms and undertook interviews with both management and employees. In the last three years, 30 of the firms had been the target of cyber criminals and in the remaining 10 cases it was the firm’s clients that had been targeted during an attack. Across all 40 firms a total of £4 million had been stolen, albeit there had been some subsequent recoveries. The breakdown of the group by way of firm size was as follows:

  • 22 firms - 1 to 4 partners
  • 13 firms - 5 to 25 partners
  • 5 firms - 25+ partners

The fact that all firms had experienced an attack on the firm or its clients demonstrates that cyber attack is an issue that can potentially impact firms of all sizes and with all levels of cyber security sophistication. No firm can afford to be complacent on this issue. Even sole practitioners are a target. Some of the findings, suggesting that the legal profession has more work to do, were as follows:

Knowledge
  • 88% of fee earners interviewed did not understand the term "ransomware".
  • 55% of fee earners did not understand the term "malware".
Training
  • 20% of firms had never provided cyber training and a further 15% had not provided training since 2018.
  • 60% of firms felt that their biggest risks were linked to staff behaviour. Appropriate and regular training of staff is therefore a key issue for firms to address.
Policies
  • 50% of firms did not have a removable media policy and 58% did not monitor the use or provenance of data sticks.
  • 55% of firms did not have a home and mobile working policy.
  • 35% of firms had taken no steps to audit their processes and/or procedures.
Passwords
  • 90% of staff and 45% of managers had not read the NCSC’s guidance on passwords. It is a quick and easy read available here.
  • 33% of firms either did not know if the password on their default firewall had been changed or knew it had not been.
Multi-factor authentication
  • 63% of firms employed this, but given that this is a basic security mechanism it is clearly an issue that more firms need to address. Firms should also be aware that many underwriters now require this as a basic risk-mitigating tool.
Encryption of laptops
  • 25% of firms did not encrypt their laptops.
Reporting
  • 60% of firms did not keep a specific incident log in relation to cyber incidents, and of those that said they did, 44% were unable to provide basic information about cyber issues.

We encourage all firms to read the report. A review of the question and answer set that was used will help firms identify and assess the issues that they should address. Read the report here.

We also recommend the SRA’s webinar that provides an overview of the report and some useful hints and tips. Watch the webinar.

Business Email Compromise ("BEC") adding to the increase in notifications

As indicated in the opening to this article, the Howden claims team has seen an increase in the number of notifications that are related to cyber incidents. BEC is proving to be a common backdrop to the matters notified by law firms.

The majority of users are familiar with the concept of phishing emails, but there is still a recurring theme of victims following a link directing them to a bogus login screen. As soon as the victim enters their credentials, they are captured by the cyber criminal, who then has the necessary information to log in to the victim’s email account. The cyber criminal is then able to send and receive emails from the victim’s email address and access all the information in the victim’s email inbox. In many cases the BEC is exacerbated by malware that spreads the scam to contacts in the victim’s inbox.

BEC is a relatively simple type of scam and is a threat to organisations of all sizes. Attackers often target individuals responsible for sending payments. They use spoof accounts to impersonate those involved in the management of the company or a supplier and request money transfers, tax records and/or other sensitive data. Other attacks focus on the content of the recipient’s inbox, harvesting client and employee information, including personal data. They may also target confidential corporate information, including trade secrets, but most are motivated by monetary gain.

BEC can be very damaging to a firm’s reputation. It is often the case that firms only find out about the compromise because their clients highlight it after receiving spoof and phishing emails that appear to be coming from the insured.

Poor password hygiene is also a recurring issue for firms targeted by BEC, and cyber criminals are exploiting, and will continue to exploit, companies that have not activated their Microsoft Office 365 security functions and enabled security features such as multi-factor authentication.

Multi-factor authentication is a security mechanism that requires an individual to provide two or more credentials in order to authenticate their identity. It is widely regarded as a strong measure for protecting against BEC attacks. As noted above, 63% of firms that participated in the SRA thematic review used this, but in our view the fact that 37% do not is a concern. If this percentage is replicated across the entire profession, then a significant number of firms are very vulnerable.

When a breach occurs, firms are obligated to comply with privacy notification laws and professional conduct rules, undertake time-consuming internal forensics, and face outside regulatory investigations and potential liability claims. Cyber breaches can impact the trust between a client and a law firm, breach client confidentiality and irreparably damage a firm’s reputation.

Don’t become a victim of BEC. Three basic protections we encourage you to review (and implement if you have not already done so) are:

  • Multi-factor authentication
  • Strong passwords following the National Cyber Security Centre (NCSC) guidance
  • Regular employee education to improve awareness of phishing emails and risk

Cybersecurity Case Study


Should law firms have separate cyber cover?

It is interesting to note that only 30% of firms participating in the SRA’s thematic review on cyber security had specific cybercrime insurance. This is surprising given:

  • the vulnerability of law firms to attacks by cyber criminals, further compounded by pandemic-related changes in working practices, including remote working
  • the increasing incidence of attacks by and sophistication of cyber criminals
  • the potential costs associated with a cyber security incident in terms of money, time and reputation
  • the importance of accessing specialist support quickly in the event of an attack.

We are concerned that in some instances firms might be under the mistaken impression that any cyber loss would be picked up under the PII cover. To the extent that a cyber attack results in loss of money from the client account, the current terms of the primary PII policy for firms authorised by the SRA will respond, but that is a result of the particular wording in the Minimum Terms and Conditions (MTCs). Furthermore, while the MTCs will provide protection for client money, they do not cover other significant costs, such as:

  • specialist assistance and support to mitigate an incident
  • reporting to the ICO under GDPR
  • communicating with affected clients
  • the financial impact of the interruption to your business.

The above costs can be considerable, as indicated by the case study highlighted in this article. In contrast, cyber policies are currently relatively inexpensive. However, solicitors do need to understand the extent of the cyber cover they are purchasing. Unlike solicitors’ PII, where the cover provided by different insurers must conform to the MTCs prescribed by the SRA, the scope and conditions of cover provided by cyber policies differ from insurer to insurer.

Firms should take time to review their cyber cover and ensure they are buying the protection they need.

For information on our Cyber Insurance please click here or contact a member of the team.

Jenny Screech
Legal Executive, 
Howden Insurance Brokers Limited

T: +44 7808 318524
E: [email protected]

Kathryn Brown
Associate Director, 
Howden Insurance Brokers Limited

T: +44 7711 595581
E: [email protected]