Information and cyber security

29 October 2019

Why this risk matters

Your clients trust you with their most confidential and sensitive information, and their money. If yours is one of the 7,400 firms that hold client money, then that money may be targeted by criminals. Cyberattacks remain amongst the most persistent and imminent threats to law firms. You need to take careful steps to protect your clients' assets and data.

Who is at risk?

Everyone is at risk. As people have moved their business and social lives online, criminals have followed. The reports we receive about these attacks do not come from just one type of firm. We have seen attacks and successful breaches from every area of the market.

The large sums of money passing through client accounts are attractive to criminals. Although high-value fields such as conveyancing are obviously exposed, any client's transaction could be attacked.

While not all solicitors' firms hold client money, all hold confidential information. Any loss of this will harm the interests of clients.

We see a wide variety of incidents, the most common of which are:

  • email modification fraud – where a criminal intercepts and falsifies emails between a client and their firm, leading to bank details being changed and money being lost
  • phishing and vishing – where a criminal uses email or telephone to obtain confidential information. This often involves building a personal relationship with a solicitor or law firm employee
  • malware – harmful software that spies on or damages your system
    • A particularly dangerous form, ransomware, encrypts files and demands a ransom in return for a decryption key.
  • CEO fraud – where a criminal impersonates a senior figure at a law firm
    • They can do this through hacking, purchasing a very similar email address or by impersonating their voice.
    • The aim is usually to deceive a staff member into making money transfers.
  • identity theft – where bogus firms copy the identity and brand of a law firm.

It may be better to ask when, not if, you will be targeted by online criminals. Ransomware and malware attacks can be hard to prevent. Criminals are using more sophisticated techniques to steal money or business information. It is not always easy to recognise phishing or a modified email.

Deliberate theft is not the only risk to your clients' information. Accidental losses of information can be just as damaging.

What is the impact?

Cyber criminals can steal large sums. In the first six months of 2019, law firms reported a loss of £731,250 of client money to this type of crime.

Losing money is likely to have a serious impact on your clients' lives and wellbeing. The costs to them are more than just numbers. They are people's house deposits, inheritance funds and life savings. Losing this money can seriously impact them at least in the short term, even if you replace it. Any loss of personal information could be damaging.

Cybercrimes are also expensive for businesses, including law firms. One study found that breaches cost the average business £4,180, rising to £22,700 for larger firms. This covers a wide range of potential losses. While a minor breach might only cause inconvenience, a major one can be very expensive. Some businesses have faced costs running into millions of pounds to recover.

As well as the cost of remedying any losses, there are regulatory costs. Under the General Data Protection Regulation (GDPR), the Information Commissioner (ICO) can fine firms if they do not protect personal data. These fines can be up to €20m (£17.7m) or 4% of a firm's global turnover, whichever is higher.

Simply focusing on the financial cost of data breaches does not give a full picture of their effects. It can understate the actual cost to firms who fall victim to cybercrime.

Business delays

27% of businesses who identified a breach in 2019 lost staff time dealing with breaches or attacks. 19% had staff stopped from carrying out daily work.

A ransomware strike could leave you unable to access any of your data for a long period. Even multinational corporations have been left without IT systems for days after this sort of attack.

This can mean transactions taking longer, increased costs and potentially more complaints.

Employee well-being and company culture

The most common cybercrimes work by tricking staff members. These people are also victims of the attack. In the short term they are likely to be stressed and worried about their job. If this leads to further issues it could harm the culture within teams, departments or the business as a whole.

Reputation

A successful cyberattack can have a serious impact on a firm's reputation. The legal market still largely depends on personal reviews and recommendations. News of a successful cyberattack either in the news or from a trusted source will inevitably concern potential clients.

We recommend

To help you and your firm comply:

Know your obligations

The Code of Conduct and Accounts Rules set out your obligations with regards to client money and confidential information.

You need to report any loss of client money or confidential information to us promptly. This is the case even if you have already replaced it. Under the GDPR, you must report any breach of personal data to the ICO within 72 hours.

Have the right controls

No guide can guarantee to protect you from all threats, but sensible practices can reduce the chance of a successful attack.

General principles

Maintain your system

Keeping your IT equipment up to date is one of the most important and effective things you can do to improve your security.

Back up your data

Consider where your backups are stored. Make sure you know how to restore your system from a backup.

  • Consider using secure cloud storage.
  • Back up your important data to protect it from loss due to an accident or a ransomware attack.
  • Make sure that you make backups frequently enough for them to be useful.
  • Ideally, you should have three copies of all your important data, on at least two separate devices and with one copy offsite.
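The rule above (three copies, two devices, one offsite) and the advice to know how to restore can be turned into a routine check rather than a one-off belief. The script below is an added example, not part of the original guidance: it audits a constructed inventory of backup copies of one file, treats a matching hash as a minimal restore test, flags copies that are older than the backup schedule allows, and then reports whether the usable copies satisfy the 3-2-1 rule. It assumes that the live copy counts as one of the three copies (the usual reading of the rule, not something the guidance states), and the device names, file names and timestamps are all made up for the demonstration.

```python
"""Backup audit against the 3-2-1 rule, a maximum copy age and a hash-based
restore test. Added example with a constructed inventory; the paths, device
labels and timestamps below are illustrative and not from any real firm."""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class BackupCopy:
    path: str       # where this copy is stored
    device: str     # label of the device or service holding it (constructed label)
    offsite: bool   # True if held away from the office (second site or cloud)
    made_at: float  # Unix time when the copy was taken


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_backups(source_path, source_device, copies, max_age_hours, now=None):
    """Check the backup copies of source_path and return a findings dict.

    A copy is usable only if it exists, hashes to the same value as the live
    data (a minimal restore test) and is no older than the schedule allows.
    Assumption: the live copy on source_device counts as one of the three
    copies required by the 3-2-1 rule.
    """
    now = time.time() if now is None else now
    source_hash = sha256_file(source_path)
    problems, usable = [], []
    for c in copies:
        if not os.path.exists(c.path):
            problems.append(f"{c.path}: copy is missing")
            continue
        if sha256_file(c.path) != source_hash:
            problems.append(f"{c.path}: restore test failed, contents differ from live data")
            continue
        age_h = (now - c.made_at) / 3600
        if age_h > max_age_hours:
            problems.append(f"{c.path}: copy is {age_h:.0f}h old, schedule allows {max_age_hours}h")
            continue
        usable.append(c)
    total_copies = 1 + len(usable)                       # live data plus usable backups
    devices = {source_device} | {c.device for c in usable}
    offsite = any(c.offsite for c in usable)
    if total_copies < 3:
        problems.append(f"only {total_copies} usable copies (need 3)")
    if len(devices) < 2:
        problems.append("all usable copies sit on one device (need 2)")
    if not offsite:
        problems.append("no usable offsite copy")
    return {"copies": total_copies, "devices": len(devices),
            "offsite": offsite, "problems": problems}


def demo():
    """Build a constructed inventory in a temp directory and audit a good and a bad set."""
    now, hour = 1_700_000_000, 3600                      # fixed clock for a reproducible result
    tmp = tempfile.mkdtemp()

    def write(name, data):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    live = write("matters.db", b"client matter records (constructed sample)")
    current = b"client matter records (constructed sample)"
    nas = write("nas_matters.db", current)               # fresh, on a second device
    cloud = write("cloud_matters.db", current)           # fresh, offsite
    stale = write("stale_matters.db", b"client matter records (last week)")  # out of date
    good_set = [BackupCopy(nas, "office-nas", False, now - 2 * hour),
                BackupCopy(cloud, "cloud-vault", True, now - 3 * hour)]
    bad_set = [BackupCopy(nas, "office-nas", False, now - 2 * hour),
               BackupCopy(stale, "office-nas", True, now - 2 * hour),
               BackupCopy(os.path.join(tmp, "usb_missing.db"), "usb-drive", False, now - 30 * hour)]
    return (audit_backups(live, "office-server", good_set, 24, now),
            audit_backups(live, "office-server", bad_set, 24, now))


if __name__ == "__main__":
    for label, result in zip(("good set", "bad set"), demo()):
        print(label, result)
```

Run it as a script to see both audits; the good set passes with three copies on three devices and one offsite, while the bad set reports the failed restore test, the missing copy, and the resulting shortfall against the rule. In practice the inventory would be read from wherever backup jobs record their output, and the audit would be run on a schedule so that a silently failing backup is noticed before it is needed.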

Working on the move

  • Encrypt laptops and have a system to track and delete data from tablets and phones remotely if they are lost or stolen. Some devices may come with this system built in.
  • Be careful about who can see or overhear what you are doing when working with sensitive information.
  • Public Wi-Fi hotspots can be insecure, and it is hard to prove that a hotspot belongs to whoever it claims to. In most cases, modern websites (using HTTPS) will protect you from this risk.

Access controls

Your clients' confidential information and your own business data should be accessible to you but not to anyone you have not authorised.

Training and testing

Understand your clients

Different clients may be vulnerable in different ways. Knowing which transactions may be particularly interesting to criminals may help you protect against loss.

  • High-value transactions, such as conveyancing, are more likely to be targeted by means such as email modification fraud.
  • Information on politically sensitive transactions may be of interest to activist groups and possibly to state-sponsored crime.
  • Information about new high-tech projects may be targeted for industrial espionage.

Find more information

The National Cyber Security Centre (NCSC)'s Small Business Guide gives cyber security advice covering issues from backups to avoiding phishing.

Cyber Essentials is a certification scheme for businesses of all sizes that want to demonstrate how they are protecting data.

The ICO produces guidance on your requirements under the GDPR. This includes advice on technical measures to protect yourself and your clients.

The Law Society's advice on cyber security for solicitors discusses how to protect your systems and comply with the GDPR.

What we are doing

Regulating based on evidence

We are reforming the Accounts Rules. As part of this, we are making it easier for firms to use third-party-managed accounts for client money. This gives firms the option to avoid the exposure that a client account brings.

We work with experts and study incidents in order to understand the threat to firms we regulate. We use this to inform our work. We also use it to produce guidance, for example our report on technology and legal services.

Taking appropriate action

When we receive reports about cybercrimes, we take a proportionate view. We know that human and system errors are unavoidable. This means that the cybercriminals will sometimes get through.

In deciding how to handle a report of a breach, we will look at whether the firm's systems were robust enough and whether they had reasonable protective measures in place. We will take into account whether the solicitor reported the matter to us promptly, and whether they took reasonable steps to remedy the situation.

Helping the public

We have worked with the NCSC to come up with this best practice advice for firms to protect their clients.

On the horizon

In 2020, Pay UK, the retail payments authority, will introduce the new Confirmation of Payee system.

  • This is an additional security measure for the UK's Faster Payments scheme.
  • It will work by verifying account details against the name of the account holder and intended recipient.
  • The banks will be responsible for making sure that accounts are set up with the correct legal name and will be liable for any losses if they do not apply the system.
  • This aims to control bank transfer frauds. It will make email modification fraud much harder to commit.