Countering the new cyber threat
Tom Draper advises firms on the growing danger of cyber crime and what they can do to build resilience
Hackers are becoming ever more resourceful and creative in their efforts to exploit technology to perpetrate theft and extortion, and UK solicitors are one of the cyber criminals’ favourite targets. Firms do not have to be large to be at risk, nor does the use of the most up-to-date technology remove all vulnerability (although it helps). To minimise the threat of loss and disruption arising from cyber risks, a solid programme of risk mitigation supported by good insurance protection is now essential for all firms.
Cyber risks fall into two main categories. The first arises from the collection and storage of client information, the second from firms’ reliance on IT systems for day-to-day operations. Hackers can steal and abuse data, or temporarily shut down firms that rely on IT systems to get even the most everyday tasks done. Whether hackers are after data or money, the incident begins with a breach: of a system, or of a member of staff who is deceived into opening the door.
Many solicitors collect personal details, payment data, and corporate information in the course of their work. The public release, sale, and abuse of this kind of data was once perceived to be the greatest cyber risk. In the US, for example, many lawyers involved in M&A transactions have been hacked by cyber criminals seeking information about the deals they were engaged in. However, the goal posts have shifted. Today the biggest volume of cyber claims relates not to the release of data, but to its being locked away by ransomware, which ties the two threat categories together: the data is held hostage, and the firm cannot operate until it gets it back.
Hacks have sometimes rendered solicitors unable to access their systems, perhaps after a staff member inadvertently clicked a link which unleashed malware that encrypted the firm’s server. This type of ‘ransomware’ attack typically leads to a demand for cash, to be paid in bitcoin. Legal practices hit in this way are left incapacitated and unable to work until the situation is resolved, and a firm with recent backups held offline, where the malware cannot reach them, is in a far stronger position than one whose only copy has been encrypted. The recent ‘WannaCry’ ransomware attack, which disabled parts of the NHS, provided a high-profile example. However, targeted ransomware attacks have been common for the past several years.
The cost can be high for law firms. Most engage in time-sensitive work, sometimes in a commoditised field where clients feel little loyalty to the firms they use. If one firm fails to deliver on deadlines due to a systems failure, clients may shift to a different provider. Preventing such problems is a question of resilience.
WannaCry was indiscriminate. It spread to any Windows machine still missing a security update, regardless of the nature of its owner’s business, and needed no one to click anything. However, solicitors face specific threats when cyber criminals attack them directly. The number of such targeted attacks against solicitors has risen sharply. In the most common, employees are tricked, either electronically or over the telephone, into releasing funds to the wrong people. For example, a firm may hold money on behalf of a client for a bank transfer related to an acquisition. The hackers’ goal is to divert that money, through deception, into their own bank accounts.
Some hacks are frighteningly sophisticated. In one example, hackers gained access to a firm’s poorly protected operational systems by planting malware. Whenever a legitimate user typed the word ‘exchange’, the program flagged the communication, allowing the criminals to see the details of the funds transfer. They then sent bogus emails requesting that the relevant bank account details be updated. Sometimes cyber crooks altered invoices in transit, so that the document arriving at the recipient carried the criminals’ account details rather than the sender’s. Because the request can arrive from a genuine, compromised mailbox, the check that matters is procedural: a change to a counterparty’s bank details should never be acted on from an email alone, but confirmed by telephone on a number the firm already holds on file, not one given in the message.
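As an added example (not from the article, and not Gallagher’s own tooling), the following Python script screens inbound email for the payment-diversion pattern just described: it flags any message asking for bank or account details to be changed, and escalates when the headers show a Reply-To domain that differs from the sender or a lookalike of a counterparty domain the firm already knows. All three messages, the domains and the known-counterparty list are constructed for the example; the regexes are assumptions a firm would tune to its own correspondence.

```python
"""Screening inbound email for change-of-bank-details requests.

Added example, not from the article or from Gallagher. Every message and
domain below is constructed for illustration; KNOWN_DOMAINS and the two
regexes are assumptions a firm would tune to its own correspondence.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domains the firm already holds on file for its counterparties.
KNOWN_DOMAINS = {"acme-law.example", "client-bank.example"}

# A change-of-details request: the body mentions bank/account/payment details
# and a verb of change somewhere.
DETAILS = re.compile(r"\b(bank|account|payment|iban)\b.{0,20}\bdetails\b", re.I | re.S)
CHANGE = re.compile(r"\b(new|updated?|changed?|amend(ed)?|replace[ds]?)\b", re.I)


def domain_of(header: str) -> str:
    """Return the lower-cased domain from an address header, '' if none."""
    addr = parseaddr(header or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme-iaw vs acme-law)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if domain is not a known counterparty but is within 2 edits of one."""
    return domain not in KNOWN_DOMAINS and any(
        edit_distance(domain, k) <= 2 for k in KNOWN_DOMAINS
    )


def assess(raw: str) -> dict:
    """Classify one plain-text message.

    verdict 'ok'     : no change-of-details request in the body
            'verify' : change request with clean headers; still needs a
                       call-back on a number held on file, because the
                       sending mailbox itself may have been compromised
            'high'   : change request plus a header anomaly
    """
    msg = message_from_string(raw)
    body = msg.get_payload() or ""
    if not (DETAILS.search(body) and CHANGE.search(body)):
        return {"verdict": "ok", "reasons": []}
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    reasons = []
    if reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    for dom in {from_dom, reply_dom}:
        if is_lookalike(dom):
            reasons.append(f"lookalike of a known counterparty domain: {dom}")
    return {"verdict": "high" if reasons else "verify", "reasons": reasons}


# Constructed sample messages (not real correspondence).
ROUTINE = """\
From: Jane Smith <jane@acme-law.example>
To: completions@firm.example
Subject: Completion statement

Please find attached the completion statement for Friday's exchange.
"""

COMPROMISED_MAILBOX = """\
From: Jane Smith <jane@acme-law.example>
To: completions@firm.example
Subject: Re: Completion statement

Our bank details have changed since the last matter; please use the new
account details below for the completion payment.
"""

LOOKALIKE_REPLY_TO = """\
From: Jane Smith <jane@acme-law.example>
Reply-To: Jane Smith <jane@acme-iaw.example>
To: completions@firm.example
Subject: Re: Completion statement

Please note our updated bank details for the completion payment.
"""

if __name__ == "__main__":
    for name, raw in [("routine", ROUTINE),
                      ("compromised mailbox", COMPROMISED_MAILBOX),
                      ("lookalike reply-to", LOOKALIKE_REPLY_TO)]:
        print(name, assess(raw))
```

The second sample is the case the article describes: the request comes from the counterparty’s genuine address, so header checks find nothing and the verdict is only ‘verify’. That is deliberate; the rule’s job is to stop a change of payee being actioned from the inbox, not to decide on its own whether the email is honest.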
We advocate a four-pillar approach to managing cyber risk and building resilience: anticipate, prevent, respond, recover. Firms should anticipate the threat they face by engaging experts to conduct a comprehensive risk assessment. They should attempt to prevent attacks by implementing security controls, which include technical measures such as prompt patching, multi-factor authentication and backups kept out of reach of the network, but also staff awareness and training, including a fixed procedure for verifying any change to payment details. They should respond to incidents quickly, according to a detailed, rehearsed plan. Finally, they should have in place measures which allow them to recover quickly, including a tested disaster recovery plan and insurance to cover the costs incurred.
Many solicitors retain significant and potentially very costly exposures, but may believe they are fully protected by their standard insurance cover. Conventional solicitors’ professional indemnity insurance should cover client monies stolen by cyber criminals, particularly if the client litigates. However, PII will not respond to losses related to operational resilience. It does not cover the costs of restoring systems, or breach response costs such as forensic investigations to identify what happened and why. Nor does it cover cyber extortion. A good cyber policy will insure against these costs.
Several UK firms of security consultants and insurance brokers offer broad services specifically designed to support legal practices. Cyber attacks targeting solicitors are increasing in frequency and sophistication, but with the support of such experts, the threat need not lead to a cyber disaster.
Tom Draper is technology and cyber practice leader at Arthur J. Gallagher International