Earlier this year a straightforward warning was issued in the UK: every organisation there faces the threat of a cyberattack. Now a new report by the National Cyber Security Centre (NCSC) shines a spotlight on a particular sector, explaining why attackers are drawn to it and providing guidance on mitigating the most significant risks, guidance that carries relevance well beyond UK shores.
“There are several factors that make law firms an attractive target for cyberattack – they hold sensitive client information, handle significant funds, and are a key enabler in commercial and business transactions,” said NCSC in The cyber threat to UK legal sector 2018 report. “The risk may be greater for law firms that advise particularly sensitive clients or work in locations that are hostile to the UK.
“For example, firms acting for organisations that engage in work of a controversial nature such as life sciences or the energy sector may also be targeted by groups with a political or ideological agenda. The move to offer legal services digitally will not only provide new opportunities but also further avenues for malicious cyber exploitation.”
The report – which was compiled with the help of the NCSC’s in-house cybersecurity experts, the NCSC-sponsored Industry 100 scheme, the Law Society, the Solicitors Regulation Authority, the UK’s national fraud and cybercrime reporting centre Action Fraud, and the National Crime Agency – cited phishing, data breaches, ransomware, and supply chain compromise as the biggest cyber threats to the legal sector.
Available on the NCSC website, the report aims to encourage industry-wide adoption of cybersecurity best practice and offers links to several guide documents.
“From a cybersecurity perspective, law firms have long been considered the soft underbelly of professional services firms, though we have seen many larger firms investing more in cyber security following incidents like the Panama Papers leak,” noted JLT Specialty partner Colin Taylor in a statement published by Legal Futures.
“The interplay of cyber, professional indemnity, and crime insurance policies has never been more important than in the current environment of ‘fake CEO’ style attacks, which often rely on a combination of social engineering and hacking to create a sense of realistic urgency around a fraudulent payment request.”
Commenting on the new resource, Taylor said law firms must ensure not only that potential losses are sufficiently covered but also that all staff are suitably trained to spot ‘red flags’.
“The NCSC report also highlights the importance of preventing email hacking fraud, in which cybercriminals change the bank details so that payments are diverted,” he stated. “Law firms should carefully examine their insurance portfolio to ensure that they understand if this is a loss that will be paid or not.”
Taylor stressed that controlling partners could be held accountable if it is found that appropriate checks and measures were not implemented to manage the risk. “This would fall outside of a firm’s professional liability cover and be an unpaid loss unless directors & officers cover is in place,” added the insurance executive.