News focus: Cyber-attack hits conveyancing firms – what lessons need to be learned?

Law firms have been warned many times about the dangers of a cyber-attack. But while most conscientious owners will have prepared for the worst and built what defences they could, many would not have foreseen that a new front could open in the war against hackers.

CTS, an IT provider to dozens of law firms, was subject to an attack last week that triggered a crisis for conveyancing practices in particular. They were left unable to guarantee that completions would take place.

CTS said there had been a service outage caused by what it called a ‘cyber incident’. Yesterday, after almost a week of no further public comment, the IT provider said it had been ‘working around the clock’ with the help of third-party experts to resolve the matter.

The company said that client services are up and running again – but so-called ‘client environments’ (shorthand for various network connections) are taking longer to restore.

Members of the public who are affected, CTS added, should contact their legal firm.

Worried clients appear to have done so in their droves, as completion dates loomed with no word on whether transactions would be completed. Many took to social media to ‘name and shame’ their lawyer. One conveyancing client told the Gazette she was in limbo, with movers needing to be booked and time taken off work, but no date for picking up the keys.

O’Neill Patient Solicitors, one of the country’s biggest conveyancers, was affected by the CTS outage and even turned to manual methods to get deals over the line. Chief executive Nick Hale said: ‘This is an awful situation that is affecting much of our industry. This is already a stressful time for people, particularly those due to complete on a new home. We really feel for everyone affected and we are doing all we can to help. Our clients’ wellbeing is very much a top priority for me and my whole team.’

So much is out of lawyers’ control in such a predicament. But just because an attack is made on a third party, that does not mean that firms cannot do anything to protect themselves.

'Law firms need to be carrying out the same level of due diligence with regard to their IT suppliers as they would advise their own clients to do before undertaking a serious transaction'

Peter Wright, Digital Law

Chester Wisniewski, director at cybersecurity firm Sophos, said managed service providers have proven to be lucrative targets for cybercrime gangs for many years now. ‘In this case we can see how widespread and damaging it is to an entire industry sector (legal),’ he said. ‘Criminals targeting MSPs are gaining a force multiplier in their attempts at extortion and ransom payments compared to attacking a single organisation.’

Peter Wright, solicitor and managing director of Digital Law and an expert in cyber protection, said it is not surprising that hackers went after an IT provider that specialises in supporting law firms. ‘Many suppliers of IT products to law firms have very poor security measures in place, but they know that law firms frequently don’t carry out much in the way of due diligence before signing a contract with an IT supplier or, for example, a case management system provider,’ said Wright. ‘Law firms rarely ask about the security measures in place or where any servers may be located.’ (There is no suggestion that CTS was necessarily at fault in these respects.)

Red flags for risky third parties, he suggested, might be where they have no cookies feature, registered office address or company registration number on the home page of their website. ‘Another good indicator might be whether the provider has a high feedback rating on review sites, showing whether others are willing to endorse the service.’

Wright added: ‘Law firms need to be carrying out the same level of due diligence with regard to their IT suppliers as they would advise their own clients to do before undertaking a serious transaction.’

The Council for Licensed Conveyancers advises that firms must do what they can to protect themselves from being affected by a cyber-attack. ‘There also have to be robust plans in place to deal with the aftermath of successful attacks,’ said a spokesperson. ‘Cyber insurance will help firms access the specialist support they will most likely need on those occasions to ensure the security of systems and data as recovery takes place.’

Experts stress that firms of all sizes can be victim to hackers. Last month, even the magic circle giant Allen & Overy had its system breached by ransomware criminals. Protecting the business from attacks on third-party providers adds another layer of difficulty. But the last week has shown that all avenues should be explored that could mitigate the risk of clients phoning you in despair as their sale stands on a precipice.