Information and cyber security
29 October 2019
Why this risk matters
Your clients trust you with their most confidential and sensitive information, and their money. If yours is one of the 7,400 firms that hold client money, then this may be targeted by criminals. Cyberattacks remain amongst the most persistent and imminent threats to law firms. You need to take careful steps to protect your clients' assets and data.
Who is at risk?
Everyone is at risk. As people have moved their business and social lives online, criminals have followed. The reports we receive about these attacks do not come from just one type of firm. We have seen attacks and successful breaches from every area of the market.
The large sums of money passing through client accounts are attractive to criminals. Although high-value fields such as conveyancing are obviously exposed, any client's transaction could be attacked.
While not all solicitors' firms hold client money, all hold confidential information. Any loss of this will harm the interests of clients.
We see a wide variety of incidents, the most common of which are:
- email modification fraud – where a criminal intercepts and falsifies emails between a client and their firm, leading to bank details being changed and money being lost
- phishing and vishing – where a criminal uses email or telephone to obtain confidential information. This often involves building a personal relationship with a solicitor or law firm employee
- malware – harmful software that spies on or damages your system
  - A particularly dangerous form, ransomware, encrypts files and demands a ransom in return for a decryption key.
- CEO fraud – where a criminal impersonates a senior figure at a law firm
  - They can do this through hacking, purchasing a very similar email address or by impersonating their voice.
  - The aim is usually to deceive a staff member into making money transfers.
- identity theft – where bogus firms copy the identity and brand of a law firm
It may be better to ask when, not if, you will be targeted by online criminals. Ransomware and malware attacks can be hard to prevent. Criminals are using more sophisticated techniques to steal money or business information. It is not always easy to recognise phishing or a modified email.
Deliberate theft is not the only risk to your clients' information. Accidental losses of information can be just as damaging.
What is the impact?
Cyber criminals can steal large sums. In the first six months of 2019, law firms reported a loss of £731,250 of client money to this type of crime.
Losing money is likely to have a serious impact on your clients' lives and wellbeing. The costs to them are more than just numbers. They are people's house deposits, inheritance funds and life savings. Losing this money can seriously impact them at least in the short term, even if you replace it. Any loss of personal information could be damaging.
Cybercrimes are also expensive for businesses, including law firms. One study found that breaches cost the average business £4,180, rising to £22,700 for larger firms. This covers a wide range of potential losses. While a minor breach might only cause inconvenience, a major one can be very expensive. Some businesses have faced costs in the £m range to recover.
As well as the cost of remedying any losses, there are regulatory costs. Under the General Data Protection Regulation (GDPR), the Information Commissioner (ICO) can fine firms if they do not protect personal data. These fines can be up to €20m (£17.7m) or 4% of a firm's global turnover, whichever is higher.
Simply focusing on the financial cost of data breaches does not give a full picture of their effects. It can understate the actual cost to firms who fall victim to cybercrime.
27% of businesses who identified a breach in 2019 lost staff time dealing with breaches or attacks. 19% had staff stopped from carrying out daily work.
A ransomware strike could leave you unable to access any of your data for a long period. Even multinational corporations have been left without IT systems for days after this sort of attack.
This can mean transactions taking longer, increased costs and potentially more complaints.
Employee well-being and company culture
The most common cybercrimes work by tricking staff members. These people are also victims of the attack. In the short term they are likely to be stressed and worried about their job. If this leads to further issues it could harm the culture within teams, departments or the business as a whole.
A successful cyberattack can have a serious impact on a firm's reputation. The legal market still largely depends on personal reviews and recommendations. News of a successful cyberattack either in the news or from a trusted source will inevitably concern potential clients.
To help you and your firm comply:
Know your obligations
The Code of Conduct and Accounts Rules set out your obligations with regards to client money and confidential information.
You need to report any loss of client money or confidential information to us promptly. This is the case even if you have already replaced it. Under the GDPR, you must report any breach of personal data to the ICO within 72 hours.
Have the right controls
No guide can guarantee to protect you from all threats, but sensible practices can reduce the chance of a successful attack.
- Cyber security is central to an organisation's health and resilience, and this places responsibility firmly with the board of that organisation.
- Security that interferes with your and your staff's ability to work is bad security, because staff will be tempted to work around the obstacles.
- No security measure is completely reliable, and attackers will sometimes succeed.
- Have a plan to recover from cyber attacks and to be able to detect them when they happen.
- Try to minimise the harm that a single breach could cause.
Maintain your system
Keeping your IT equipment up to date is one of the most important and effective things you can do to improve your security.
- Once a system is no longer supported by its manufacturer and is no longer kept updated, you should replace it. If you are not able to replace it straight away, then you should take steps to protect yourself in the short term.
- Software developers will update programs regularly – your systems are vulnerable until you install these updates.
- Use antivirus software.
- Make sure that your system has appropriate firewalls, and that they are switched on and working.
Back up your data
Consider where your backups are stored. Make sure you know how to restore your system from a backup.
- Consider using secure cloud storage.
- Back up your important data to protect it from loss due to an accident or a ransomware attack.
- Make sure that you make backups frequently enough for them to be useful.
- Ideally, you should have three copies of all your important data, on at least two separate devices and with one copy offsite.
Working on the move
- Encrypt laptops and have a system to track and delete data from tablets and phones remotely if they are lost or stolen. Some devices may come with this system built in.
- Be careful about who can see or overhear what you are doing when working with sensitive information.
- Public Wi-Fi hotspots can be insecure, and it is hard to prove that a hotspot belongs to who it claims. In most cases, modern websites (using HTTPS) will protect you from this risk.
Your clients' confidential information and your own business data should be accessible to you but not to anyone you have not authorised.
- Use two-factor authentication for email and log-ins where possible.
- Make sure that you and all staff avoid predictable passwords, and consider using password managers.
- Control access to removable media such as flash drives.
- Do not use an administrator account on your system for work that does not involve maintaining the IT system.
- Screen-lock devices.
Training and testing
- Log security incidents and weaknesses to make sure you know how you are exposed to cyberattacks.
- Use training to help build a culture of reporting, where staff feel comfortable coming forward with issues that they have encountered.
- Nobody can spot every phishing email. A no blame culture will help you to learn about attacks early enough to stop them causing more serious damage.
- Test security systems to make sure that you are confident that they are working and that you know what to do in the event of an incident.
- Use exercises to test your preparedness, resilience and responses.
Understand your clients
Different clients may be vulnerable in different ways. Knowing which transactions may be particularly interesting to criminals may help you protect against loss.
- High-value transactions, such as conveyancing, are more likely to be targeted by means such as email modification fraud.
- Information on politically sensitive transactions may be of interest to activist groups and possibly to state-sponsored crime.
- Information about new high-tech projects may be targeted for industrial espionage.
Find more information
The National Cyber Security Centre (NCSC)'s Small Business Guide gives cyber security advice covering issues from backups to avoiding phishing.
Cyber Essentials is a certification scheme for businesses of all sizes that want to demonstrate how they are protecting data.
The ICO produce guidance on your requirements under the GDPR. This includes advice on technical measures to protect yourself and your clients.
The Law Society's advice on cyber security for solicitors discusses how to protect your systems and comply with the GDPR.
What we are doing
Regulating based on evidence
We are reforming the Accounts Rules. As part of this, we are making it easier for firms to use third-party-managed accounts for client money. This gives firms the option to avoid the exposure that a client account brings.
We work with experts and study incidents in order to understand the threat to firms we regulate. We use this to inform our work. We also use it to produce guidance, for example our report on technology and legal services.
Taking appropriate action
When we receive reports about cybercrimes, we take a proportionate view. We know that human and system errors are unavoidable. This means that the cybercriminals will sometimes get through.
In deciding how to handle a report of a breach, we will look at whether the firm's systems were robust enough and whether they had reasonable protective measures in place. We will take into account whether the solicitor reported the matter to us promptly, and whether they took reasonable steps to remedy the situation.
Helping the public
We have worked with the NCSC to come up with this best practice advice for firms to protect their clients.
On the horizon
In 2020, Pay UK, the retail payments authority, will introduce the new Confirmation of Payee system.
- This is an additional security measure for the UK's Faster Payments scheme.
- It will work by verifying account details against the name of the account holder and intended recipient.
- The banks will be responsible for making sure that accounts are set up with the correct legal name and will be liable for any losses if they do not apply the system.
- This aims to control bank transfer frauds. It will make email modification fraud much harder to commit.