226 UK Law firms hit by cyber breaches

In a concerning trend, the number of reported cyber breaches at UK law firms has seen a significant increase, reaching 226 in the year to September 30th, 2022/23, up from 166 in the previous year (2021/22). The data, provided by global specialty (re)insurance group Chaucer, underscores a growing threat landscape where hackers are increasingly targeting law firms.

Ben Marsh, Deputy Class Underwriter at Chaucer, sheds light on the motivations behind the surge in cyberattacks, explaining that hackers perceive law firms as particularly vulnerable to ransomware attacks and threats of data exposure. "The extremely sensitive data that law firms hold on behalf of their clients makes them a very attractive target to hackers," says Marsh.

Law firms are often entrusted with a wide range of sensitive information, from details about divorces at high street law firms to critical data related to major litigation and M&A activities at City law firms. This diversity in data makes law firms an appealing target for cybercriminals, who expect that these firms will be willing to pay ransoms to unlock encrypted data or engage in "blackmail" to prevent the publication of stolen information.

Ben Marsh emphasises that attacks against law firms constitute a subset of cyber-attacks where businesses are actively targeted. This necessitates stronger cyber defence than the average business. While law firms are investing in cyber defence and basic data protection measures such as segregating data across different departments, phishing attacks remain a common entry point for hackers.

The problem extends beyond small and medium-sized law firms, with some of the world's largest, including a Magic Circle firm, experiencing major cyber breaches in the past year. The National Cyber Security Centre further highlights the widespread impact, noting that nearly three-quarters of the UK's Top 100 law firms have been affected by cyberattacks.

Beyond the immediate operational and reputational damage caused by cyber breaches, law firms face potential fines for the negligent treatment of client data. The Information Commissioner's Office (ICO) can impose penalties of up to 4% of a company's total annual worldwide turnover or £17.5 million, whichever is higher.

As cyber threats continue to evolve, law firms are urged to enhance their defence against increasingly sophisticated tools, including those based on machine learning and other forms of artificial intelligence. The imperative for robust cybersecurity measures has never been more critical as the legal profession finds itself in the crosshairs of cybercriminals seeking to exploit vulnerabilities and extract valuable information for financial gain.