How law firms can strengthen cybersecurity: Travelers' definitive whitepaper
Power of Attorney: How law firms can strengthen cybersecurity
Whitepaper by Travelers
Imagine for a moment how you would conduct business if you were unable to communicate with your clients. What if you could not access your internal case management systems or client data? What if thousands — or millions — of pieces of that data were suddenly stolen and held for ransom?
Cybercrime is making hypothetical situations like these into increasingly common, costly realities for law firms. Sixty-two percent of law firms in the UK experienced a cybersecurity incident in 2017, according to the PwC Law Firms Survey, up from 45 percent only a couple of years earlier. Unfortunately, as cyberattacks have shifted from front-page news to simply another cost of doing business, law firms have been slow to prepare adequately. The Logicforce Q4 2017 Law Firm Cyber Security Scorecard found that 62 percent of law firms do not have a dedicated information security professional, only 31 percent have formal cybersecurity training programmes, and just 41 percent have formally documented cybersecurity policies.
Even firms in the business of offering cybersecurity expertise have not been immune to attacks. In the wake of the cyberattack against DLA Piper in June 2017, Peter Wright, chair of the Law Society’s Technology and Law Reference Group and Managing Director of DigitalLawUK, said if one of the largest law firms in the world lacks adequate safeguards to protect against a ransomware attack, it begs the question, “Who does?”
The price of a breach
A report from cybersecurity firm McAfee and the Center for Strategic and International Studies estimates that cybercrime costs the global economy $600 billion a year. Cybersecurity Ventures predicts cybercrime will cost the world $6 trillion annually by 2021, which it describes as the greatest transfer of economic wealth in history. Those estimates do not seem far-fetched in light of the 2016 "Panama Papers" leak, in which 11.5 million documents taken from the Panamanian law firm Mossack Fonseca exposed a complex global network of offshore holdings that heads of state, celebrities and criminals allegedly used to hide billions of dollars.
Yet even in far less extreme cases, where a breach is suspected and quickly contained before it causes serious financial damage, significant disruption can still result. When criminals compromised several email accounts at Anthony Gold Solicitors last year, they used them to send emails to 16,000 clients and partners. The messages carried malicious attachments but appeared legitimate and urgent: they used the subject line "Action Required – Matter for Attention" and a "secured" attachment, and because they were sent from the firm's genuine accounts they would not have been caught by sender-authentication checks that only look at the sending domain. The firm received a large number of inquiries from recipients asking whether the emails were genuine and promptly alerted everyone who had received them. The attack was a time-consuming disruption and put the firm in the headlines for the wrong reasons, but the consequences could have been far more severe had the recipients and the firm itself not been vigilant.
Cyber threats come in many forms, from ransomware and other malware to the theft of login credentials, payment card details, medical records and other personally identifiable information that can be used to obtain credit. "There's a massive black market driving a lot of the activity we see," said Davis Kessler, Head of CyberRisk at Travelers Europe. "Cybercrime is overtaking all other forms of crime for the first time, so the need for protection is definitely there. If a firm holding information for individual or corporate clients is breached — via malware, phishing schemes, or numerous other ways — the firm will be liable."
The appeal of law firms
Cybercriminals target law firms because of the wealth of client information they manage, along with the trade secrets and intellectual property they hold. A merger or acquisition negotiation could give a cybercriminal the opportunity to intercept and redirect funds when payments are issued, or to trade on the deal before it is announced. In a case charged in 2016, for example, three traders made more than $4 million in illegal profits after hacking into the computer systems of some of the most prominent law firms in the United States, including Cravath Swaine & Moore LLP, and stealing non-public information about pending mergers and acquisitions, which they used for insider trading.
It only takes one weak link in an organisation for significant losses to occur. At a Toronto-area law firm in 2012, hackers gained access to a bookkeeper's computer through a virus believed to have arrived as an email attachment or a free screensaver. From that machine they were able to reach the firm's trust account and wire client funds to foreign countries as soon as deposits were made. The attack caused six figures' worth of financial damage to the firm.
Even seemingly benign details such as the photographs and professional backgrounds of a firm's lawyers can be exploited for profit. Last year at Bates Wells Braithwaite, photographs and biographical details of several of the firm's lawyers were copied and reposted (with first names or full names changed) on a scam website to "lend legitimacy to a money-laundering scam." "It's important to look at what you have as an organisation that might be of interest to an attacker — a lot of information handled by firms is monetary or monetisable but it might not always be obvious," said Andrew Beckett, Managing Director in the Cyber Security and Investigations practice in Europe, the Middle East, and Africa for Kroll. "Criminals can use the information they collect from a law firm to take out a mortgage or a loan. Having multiple pieces of data will help them access a lot more. Law firms need to understand how their electronic records can be targeted for those purposes."
Though both small and large firms face significant cyber risks, their challenges often differ. “In larger firms, the prize is bigger,” said Kessler. “They hold more private information due to their customer base, they have more computers and employees. But on the flip side, larger firms have more resources to devote to information security so they have better systems in place. Many already have a breach response plan with vendors set up, and they may have gone through exercises where they devote a day to an example breach, so the people involved have some experience when the real event occurs. That’s much less likely for a small firm, regardless of the industry. They are less likely to have an established incident response plan and their employees haven’t received as much training.”
Download the full whitepaper: Power of Attorney: How law firms can strengthen cybersecurity