How cyber-savvy is your firm?

The SRA recently carried out a thematic review focusing on 40 law firms which suffered a cyber-attack in the past three years to better understand the impact that such incidents have on firms. Whilst the full results of the review are due to be published in early 2020, preliminary findings revealed at the SRA’s recent Compliance Officers Conference include:

• More than £4m of client money was stolen from 23 of the firms and, whilst most of this money was repaid by insurers, 18 firms still had to contribute £400,000 of their own money to cover the losses, in addition to having to deal with the emotional toll that such incidents and repercussions had on their staff. The financial burden may also extend to firms having to pay out further to settle clients’ complaints and Legal Ombudsman case fees.
• Firms did not adequately record and report cyber-attacks. 2 of the 40 firms had been attacked over 600 times in the last 3 years.
• Employees are both a key risk and a key asset, therefore it is important to invest in good quality training.
• Policies and controls were vital yet 11 of the 40 firms had inadequate information security policies and 10 had inadequate controls.
• Only 5 of the 40 firms had sought to mitigate the risk of cyber-attacks by gaining the Cyber-Essential Plus Certification, an initiative by the National Cyber Security Centre designed to educate and help guard against the most common cyber threats and demonstrate commitment to cyber security. Of these 5 firms, all were judged to have good written processes and controls and a good approach to cyber-security.
• Email modification fraud, such as a slight change in the firm or client’s email address, accounts for approximately half of cyber-attacks on law firms.
• Ransomware is a major threat which law firms need to be vigilant of – one large volume conveyancing firm was forced to close for 2 weeks (which cost them £60,000 and £150,000 in lost revenue) to recover from a ransomware attack after an employee clicked on an email on a weekend, as a result of which ransomware encrypted all of its systems.
• According to reports the SRA receives, disgruntled ex-employees were the most likely source of cyber-attacks and 43% of attacks were made on small firms.
• The SRA are confident that the ‘confirmation of payee’ scheme will make a big difference. Under this scheme, which is due to be implemented in March 2020, anyone making a payment will be alerted by the bank if the name does not match the account.
• The SRA are also hopeful that their new accounts rules will make it easier for firms to use third-party managed accounts as another way to counter the risk of fraud.

Whilst the SRA were satisfied that all 40 firms, which formed the focus of their review, had put in steps to avoid repeat cyber-security incidents and none were referred for potential regulatory action, the findings should come as a word of warning to other firms that complacency is not an option and safeguards must be put in place to prevent them falling victim in the future. Below are some suggestions on practical steps that firms can take to protect themselves against cyber-attacks.

Recommendations:

1. Review your firm’s resilience against cyber-crime - cyber-criminals need only a sliver of vulnerability to fraudulently gain access to valuable and sensitive data. Consider whether your firm is leaving the door open and what can be done to prevent this.  
2. Adopt a proactive, risk-based framework to increase resilience against attacks which focuses on mitigation options, continuous monitoring, diagnosis and remediation to improve security practices. Think beyond security simply in terms of password protection and antivirus software and look to implement better cybersecurity planning using software to automate, predict and inform strategic decisions.
3. Do not wait until a cyber-attack occurs to educate your staff. The importance of training staff to spot potential risks and how to respond should not be underestimated. Our eLearning Course, Practical Cyber Security is suitable for all staff and covers an awareness of cyber security risks and practical ways to protect against attacks.
4. Promote awareness and a culture change where cyber-security is viewed as a shared responsibility for all employees, rather than only the risk, IT or compliance teams.
5. Ensure your information management security policy is regularly reviewed. Our new template policy includes an evaluation of current practices questionnaire to assist in assessing the key risks for your firm. Once the policy is updated, ensure it is circulated to all employees with instructions to read and apply it.
6. Liaise with your IT support teams to ensure that software is up-to-date and security certificates are valid. Consider identifying out-of-date software and certificate through a register of all software used by the firm and expiry dates of certificates.  
7. Reduce the risk of email spoofing by creating a sender policy framework and a domain record to closely monitor emails being sent on behalf of the firm. These reports could alert recipients to illegitimate emails.
8. Consider instructing an external cyber security expert to undertake independent verification of the firm’s security posture to gain an impartial view on the current position and suggestions for improvement.