As fears of cybercrime and data theft proliferate, how can law firms protect themselves against the scammers? Joanna Goodman reports from the latest Gazette roundtable.
For a long time, cybersecurity and cyber risk were considered as being within the remit of a firm’s IT function, but now at last they are recognised as an enterprise-wide issue – and responsibility. This sentiment was reflected in the composition of the Gazette’s cybersecurity roundtable and its wide-ranging discussion.
The Gazette roundtable, held at Hogan Lovells’ offices in London, included: law firm partners who advise on IT and data protection as well as real estate, as property transactions are commonly targeted by cybercriminals; law firm senior management with responsibility for operations and IT; representatives of professional bodies – the Solicitors Regulation Authority and the Law Society; and the event’s sponsor tmgroup, which provides secure conveyancing solutions.
Cybersecurity is a concern for all enterprises, but it raises specific considerations for law firms, in terms of complying with regulatory and professional obligations, as well as client confidentiality and client care. Law firms are a particular target for cybercriminals because they routinely handle sensitive client data – and client funds.
Last year saw client data theft hit the headlines, notably via the massive ‘Panama Papers’ data breach in which 11.5 million files from Panamanian law firm Mossack Fonseca were leaked to the media. At the other end of the scale, 2017 has already cast a media spotlight on ‘Friday afternoon fraud’, a conveyancing scam in which cybercriminals compromise solicitors’ email accounts, send homebuyers lookalike emails asking for the purchase money to be transferred to a different bank account, and then withdraw the money themselves. These and other high-profile breaches have forced law firms to focus on cybersecurity in order to protect their clients, their data and their reputations.
The discussion started with a look at the main cybersecurity threats. Mike Nolan, IT director at Berwin Leighton Paisner (BLP), explained that firms need a two-pronged cybersecurity strategy – to counter cyber-attacks and to prepare a response ‘when the inevitable happens’. Communication promoting awareness is an important element of any cyberstrategy: ‘It comes down to people at the end of the day because phishing emails can catch anyone.’ BLP has ISO 27001 certification and a dedicated cybersecurity team, but Nolan underlines the importance of communicating awareness across the business. One significant challenge for BLP, which handles large corporate deals, is that lawyers are often under pressure from clients to produce work quickly.
Christina Blacklaws, chief operating officer at Cripps and deputy vice-president of the Law Society, agrees that communication is a key part of any cybersecurity strategy, and cyber-risk awareness is ‘a firm-wide issue that involves culture and process’. She emphasises the role of leadership. ‘It is certainly a board-level issue. Once business leaders understand how broad and how scary this is, it grabs their attention,’ she says.
James Dipple-Johnstone, director of investigation and supervision at the SRA, is responsible for the SRA intelligence unit, which works with law enforcement agencies on combating cybercrime. He explains that most cybercrime is carefully targeted and that criminals’ research includes mining sources such as social media, which can make passwords containing personal information easy to guess – the name of a partner, child or pet, for example. He emphasises the need for strong passwords that are changed regularly and not stored or shared.
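The point about mined personal details is easier to appreciate when you see how small a candidate list an attacker needs. The following is an added example, not code from the article, the SRA or any firm mentioned: it takes a handful of tokens that a scraped social-media profile might yield (names, a football team, two years, all constructed here) and expands them with the case, leet and suffix rules that password-guessing tools apply first. `PROFILE`, the rule set and the passwords checked are assumptions for illustration.

```python
"""Added example (not from the Gazette article): turning details mined from a
social-media profile into the candidate list an attacker would try first.
The profile, the mangling rules and the passwords tested are constructed."""
import itertools
from typing import Dict, List, Set

# Leet substitutions applied to lowercase letters only.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SEPARATORS = ("", "_", "-", ".")

# Constructed profile: pet, child, football team, and two significant years.
PROFILE: Dict[str, List] = {
    "tokens": ["Rex", "Sophie", "Chelsea"],
    "years": [1979, 2011],
}


def mangle(word: str) -> Set[str]:
    """Case variants of one token, each also in leet form."""
    out: Set[str] = set()
    for w in (word.lower(), word.capitalize(), word.upper()):
        out.add(w)
        out.add(w.translate(LEET))
    return out


def candidates(profile: Dict[str, List]) -> Set[str]:
    """Personalised wordlist: token, token+suffix(+punctuation), token+token(+year)."""
    seeds: Set[str] = set()
    for token in profile["tokens"]:
        seeds |= mangle(token)

    suffixes = {str(y) for y in profile["years"]}          # 1979, 2011
    suffixes |= {str(y)[-2:] for y in profile["years"]}     # 79, 11
    suffixes |= {str(n) for n in range(100)}                # 0..99
    suffixes |= {f"{n:02d}" for n in range(100)}            # 00..99

    out = set(seeds)
    for seed in seeds:
        out.add(seed + "!")
        for suffix in suffixes:
            for tail in ("", "!", "?"):
                out.add(seed + suffix + tail)
    # Two tokens joined, e.g. pet + team, optionally followed by a year.
    for a, b in itertools.permutations(seeds, 2):
        for sep in SEPARATORS:
            out.add(a + sep + b)
            for year in profile["years"]:
                out.add(a + sep + b + str(year))
    return out


def is_guessable(password: str, profile: Dict[str, List]) -> bool:
    """True if the password falls inside the personalised candidate set."""
    return password in candidates(profile)


def assess_password(password: str, profile: Dict[str, List]) -> str:
    """Coarse verdict: personal-information hit first, then length."""
    if is_guessable(password, profile):
        return "contains personal information"
    if len(password) < 12:
        return "too short"
    return "ok"


if __name__ == "__main__":
    print(len(candidates(PROFILE)), "candidates from three tokens and two years")
    for pw in ("Sophie2011!", "R3x1979", "chelsea_rex", "tr0ub4dor&3"):
        print(pw, "->", assess_password(pw, PROFILE))
```

Three tokens and two years already produce well over ten thousand candidates, and a real cracking rule set goes far beyond these substitutions, so passing this check is a necessary condition, not a sufficient one. A firm could run the same check at password-set time against the personal details it holds about its own staff.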
Tim Ryan, partner and head of commercial, media and tech at Memery Crystal, highlights two challenges that relate specifically to law firms: ‘Lawyers don’t like training. And they are time-poor. For example, a lawyer under time pressure, perhaps taking a short break from a high-value deal, may quickly check their email and click the wrong link, particularly if they are working long hours in a high-pressure environment.’ A third challenge is the need to identify and monitor multiple channels into the firm. For example, one firm experienced a data breach as a result of a USB stick being delivered to their offices and the IT director plugging it into the network.
Cybercrime and data theft
Law firm cybersecurity raises data protection issues – particularly in relation to client data. This led to a discussion about ransomware, which has become such big business that ransomware operations include call centres and customer service surveys. Although this is repeatedly in the news, law firms – and other enterprises – need to address the disconnect between awareness that this is happening and recognition that it is a direct threat to their business and requires vigilance, even in firms which have put in place strong safeguards in terms of technology and processes.
Anthony Rance, a partner at Watson Burton, is a commercial litigator who advises on data theft: ‘People see cyber-attacks in the news, but they don’t think they’re going to be next. It’s a board-level issue, and it’s important to educate all employees because it only takes one employee to click on a link or open an email and undo the systems.’
Dipple-Johnstone and his team have received some 700 reports of cybercrime over the past year. Most relate to ‘Friday afternoon fraud’ linked to conveyancing. ‘It’s about intercepting chains,’ he explains. ‘It may not be the law firm – the estate agent or the client’s email may be intercepted, particularly if they use a Gmail or Hotmail account.’ Dipple-Johnstone agrees with Ryan that people are more vulnerable when they are under pressure to complete a transaction, and homebuyers in particular. Friday afternoon fraud and other phishing campaigns are designed to pressure junior staff to take decisions without checking. He has even encountered instances of cybercriminals impersonating the SRA to demand client information.
Dipple-Johnstone emphasises continual vigilance. This includes deciding which information to publish online as criminals use firms’ websites to infiltrate their systems. ‘If it states on the firm’s website that a partner is speaking at a particular conference, a cybercriminal could use that information – for example, by sending a well-timed email impersonating that partner to a junior colleague asking for urgent payment into a different bank account while he or she is away at the conference.’
Ransomware and regulation
The SRA provides guidance around ransomware. Dipple-Johnstone’s team is keen to hear from firms which have suffered ransomware attacks and near-misses to keep the sector informed about the latest risks and advise on the best protective measures to take. When asked about the regulators’ attitude to law firms that have paid a ransom to retrieve their data, he explains that their approach is to work cooperatively. ‘We want to get the information back out to the sector because other firms may be targeted by the same scam. There is also a shared portal, No More Ransom! (nomoreransom.org), which liaises with law enforcement bodies and publishes decryption keys to help combat organised crime groups who are behind ransomware.’
Nolan at BLP suggests that all firms should have a crisis management and communication plan, which includes engaging with the SRA. ‘There is a lot about communicating internally and externally and deciding who does what from the senior team. Who’s in charge? What are the processes? And so on. Ransomware tests a lot of different aspects of how IT systems are put together and, depending on what emerges, it can change the firm’s risk profile.’
Most firms that approach Dipple-Johnstone and his team are asking for help after experiencing a loss. He advises creating an advance plan of action, including a command structure and valid, up-to-date telephone numbers and contact details of relevant authorities and stakeholders. These should include insurers, who are often a good source of technical support and advice. ‘The sooner action is taken, the better chance we have of recovering the money,’ he explained. ‘It is “Friday afternoon fraud” because it gives the criminals the weekend to slice and dice the money and distribute it!’
Iain Miller, a partner at Kingsley Napley, specialises in legal services regulation. He adds that firms which are victims of cybercrime are almost certainly in breach of the SRA Code of Conduct and are therefore in the position of seeking mitigation in enforcement terms. ‘Firms should have a checklist to make sure that, if and when something goes wrong, they can demonstrate that they had acted responsibly and put in place the necessary systems and processes. It could include questions such as: What systems and processes were in place? How quickly did you go to the SRA? How big is the loss? Are clients directly affected? Was the incident covered by insurance?’
Dipple-Johnstone reiterated that the SRA’s approach is not to penalise firms that have been targeted, but to help them with risk assessment in terms of securing their systems, and addressing the impact on key staff following an interception or breach.
However, Rebecca Kibby, legal director and head of residential conveyancing services at Foot Anstey, whose team acts for clients buying from national housebuilders, considers the regulatory framework necessary but stifling: ‘Obviously, it is necessary, but it places an increasing burden on us to gather information from clients, who are not always receptive to these processes and find them intrusive.’
Kibby emphasises the importance of sharing experiences. ‘Many of the high-profile cases are shared within training forums and so on, but I don’t see anything about near-misses. For example, one of our clients received a phishing email before Christmas but was savvy enough to spot it. There should be continual reminders, and these should include information about attacks that have been deflected.’
Nolan agrees: ‘I have changed my approach, perhaps as a consequence of the types of risk that are out there. The appetite to discuss cybersecurity proves that the risk is real and ever-present. For BLP, it is part of a communications plan to keep it front and centre in everybody’s minds – and also affects them in their personal lives.’
What are the main cybersecurity worries for law firms?
Are current policies, procedures and safeguards enough to combat new and emerging threats?
Being 97% secure also means being 3% insecure.
Delivering a simple, coherent solution that meets the firm’s needs in a constantly changing risk environment.
Firms are only as strong as their weakest link. Human error, such as junior members of staff succumbing to pressure from fraudsters impersonating a client or partner. We need to make it ok for people to question what’s happening around them.
The stakes are huge. You only have to have your defences breached once to face potentially disastrous consequences, in terms of reputational or financial damage.
Policy is not enough. There’s a risk that people see policy as a security blanket, but firms need a multifaceted approach. This is about business risk, and the answer involves changing business culture.
The speed at which disaster can strike. Making sure that the firm’s senior management is prepared, and has practiced – and that everyone has rehearsed different scenarios, knows their role and can react quickly.
Cybersecurity is like car insurance – we are obliged to invest in it and we need to prepare for the worst to protect ourselves. And although none of us wants to be involved in an accident, we have to think practically about the consequences should the worst happen – how much can we afford to lose and have we done enough to mitigate the risk to our business and its stakeholders?
A no-blame culture
There was general agreement that an effective cybersecurity strategy needs to be top down, with senior leaders taking responsibility for policies and processes which are reinforced by firm-wide awareness and training initiatives, delivered in a compelling way.
But ultimately cybersecurity relies on people and culture. ‘Transparency is key and that is about having a no-blame culture,’ says Blacklaws, who had heard about a secretary in a company clicking the wrong link and getting a small ransomware demand of a few hundred pounds. ‘She was so mortified that she paid it herself, without telling anyone, but by doing so she allowed the virus into the firm’s systems, creating a much bigger breach.’
‘The impact on individuals is huge,’ comments Dipple-Johnstone. ‘Some people feel they cannot return to work because a momentary lapse has destroyed their standing and reputation in the firm. Openness and transparency are vital so that incidents are reported quickly and prompt action can be taken.’
This means engaging people in training and awareness campaigns, which can be a challenge, particularly for partners with high billable rates.
Adrian Bourne, partner and chief operating officer at Stevens & Bolton, highlights the value of involving third-parties. ‘As well as implementing firewalls and deploying penetration testing, which includes phishing, there is also a physical element, for example sending people into the building to interact with employees. Ensuring staff realise that they can be caught out in this way helps to raise awareness and makes everyone more vigilant.’
Blacklaws agrees, adding that Cripps has invested in penetration testing, and has had people coming into the office and interacting with staff and later doing a presentation showing where they have been and what they have discovered. ‘We do this to bring the threat home to people and make it real.’
Are clients the weakest link?
Jeremy Holt, a partner at Clark Holt who specialises in IT law, focuses on fostering a no-blame culture and supporting anyone who inadvertently causes a data breach. However, he emphasises that the weakest link can often be the client who, for example, opens a phishing email that may have been preceded by a spurious LinkedIn request.
Paul Albone, managing director of tmgroup, agrees that in many property deals the client is the easiest target.
Rance offers a potential solution: ‘One of the most effective ways to counter Friday afternoon fraud is to confirm banking details when agreeing terms of engagement and advising the client that if they receive anything stating otherwise, to call the solicitor directly. It is a simple, but powerful safeguard.’ Kibby at Foot Anstey follows best practice of a second, out-of-band confirmation (described at the roundtable as two-factor authentication): ‘This does not stop clients making mistakes, so after our initial letter and information pack we send clients a separate cybersecurity letter that includes a notice that our bank details will not change during the transaction.’ Kibby is looking at products to support secure transactions, including the Safe Move Scheme, which allows clients to protect themselves by verifying solicitors’ bank details. There is a wide and fragmented choice of products, so Kibby is guided by the firm’s supply chain, which includes tmgroup.
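The two controls above (record the client-account details at engagement, and treat any message that changes them as suspect) can be automated on the receiving side, and the same checks cover the lookalike-email and impersonated-partner scenarios described earlier in the piece. The following is an added example, not code from the article, tmgroup or any firm mentioned: it parses an inbound message, flags display-name impersonation, lookalike sender domains and mismatched Reply-To headers, and compares any sort code or account number in the body with the engagement record. The firm domain, staff names, engagement record and the three messages are all constructed; in practice the record would come from the case-management system and the check would sit in the mail gateway or the client's payment workflow.

```python
"""Added example (not from the Gazette article): checks a mail gateway or
case-management system could run on an inbound message that mentions payment
details. Firm domain, staff names, engagement record and messages are all
constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List

FIRM_DOMAIN = "bloggs-law.example"                # assumed firm domain
KNOWN_STAFF = {"Jane Partner", "Sam Associate"}   # names a fraudster may impersonate
# Client-account details confirmed with the client at engagement (constructed).
ENGAGEMENT = {"sort_code": "12-34-56", "account": "12345678"}

# Coarse UK sort-code / account-number patterns. Dates or phone numbers may
# also match; acceptable for a check whose only action is to raise a flag.
SORT_CODE_RE = re.compile(r"\b(\d{2})[- ]?(\d{2})[- ]?(\d{2})\b")
ACCOUNT_RE = re.compile(r"\b\d{8}\b")
URGENCY = ("urgent", "today", "immediately", "before close of business")


def normalise_domain(domain: str) -> str:
    """Fold common homoglyph substitutions so lookalike domains compare equal."""
    domain = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(msg) -> List[str]:
    """Impersonation checks on the From and Reply-To headers."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings: List[str] = []
    if name in KNOWN_STAFF and domain != FIRM_DOMAIN:
        findings.append(f"display name '{name}' is staff but sender domain is {domain}")
    if domain != FIRM_DOMAIN and (
        normalise_domain(domain) == normalise_domain(FIRM_DOMAIN)
        or edit_distance(domain, FIRM_DOMAIN) <= 2
    ):
        findings.append(f"sender domain {domain} is a lookalike of {FIRM_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


def bank_detail_findings(body: str) -> List[str]:
    """Every sort code / account number in the body must match the engagement record."""
    findings: List[str] = []
    for m in SORT_CODE_RE.finditer(body):
        sort_code = "-".join(m.groups())
        if sort_code != ENGAGEMENT["sort_code"]:
            findings.append(f"sort code {sort_code} differs from engagement record")
    for m in ACCOUNT_RE.finditer(body):
        if m.group(0) != ENGAGEMENT["account"]:
            findings.append(f"account number {m.group(0)} differs from engagement record")
    if findings and any(word in body.lower() for word in URGENCY):
        findings.append("changed payment details combined with urgency language")
    return findings


def assess(raw: str) -> List[str]:
    """Return the reasons to hold the payment and phone the firm on a known number."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    return sender_findings(msg) + bank_detail_findings(body)


# Constructed messages. FRAUD uses a lookalike domain and a webmail Reply-To;
# COMPROMISED comes from the genuine domain (a hijacked mailbox) and is caught
# only by the bank-detail comparison; LEGITIMATE restates the recorded details.
FRAUD = """\
From: Jane Partner <jane.partner@bloggs-1aw.example>
Reply-To: jane.partner.law@webmail.example
To: buyer@example.net
Subject: Completion funds

I am at a conference and cannot take calls. Our account has changed for audit reasons.
Please send the completion money today to sort code 65-43-21, account 87654321.
"""
COMPROMISED = """\
From: Jane Partner <jane.partner@bloggs-law.example>
To: buyer@example.net
Subject: Change of client account

Please note our client account has changed: sort code 65-43-21, account 87654321.
"""
LEGITIMATE = """\
From: Jane Partner <jane.partner@bloggs-law.example>
To: buyer@example.net
Subject: Completion funds

As stated in our engagement letter, our client account is sort code 12-34-56,
account 12345678, and these details will not change during the transaction.
"""
```

The COMPROMISED case is the one the sender checks cannot catch: when the solicitor's own mailbox has been taken over, the headers are genuine and only the comparison against details fixed at engagement, followed by a phone call to a number from the engagement letter rather than from the email, gives the client a reliable answer.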
Blacklaws highlights the National Cyber Security Centre which is part of GCHQ and provides a certification process. ‘The Law Society has approached some of its certified providers in an effort to identify best practice – and the qualities and skillsets we need,’ she says.
Albone of tmgroup agrees that the market is fragmented and could benefit from a platform for trusted suppliers, in the same way as tmgroup provides a platform for property search. This, together with ISO 27001 would provide a useful framework for smaller firms and allow clients to be better informed and better protected.
New and emerging risks also raise issues over what is covered by a firm’s insurance policies and some firms present are considering cyber insurance, although the market has yet to mature. One difficulty, highlighted by Ryan and Rance, whose respective firms act for insurers, is that cyber insurance does not necessarily cover direct losses, although it does offer forensic and technical support in respect of incident response and third-party claims for data loss. Kibby is interested in whether clients purchasing fraud insurance policies (Safe Buyer Insurance) and bank account checkers (Safe Buyer) which promise to detect and prevent fraud, and similar products, would help to reduce the firm’s insurance premium.
Dipple-Johnstone agrees that in the event of an incident, client care measures would help to preserve both firm and client integrity. ‘As transactions move online and the scams are quite sophisticated, technical support is likely to be an important feature going forward.’ Miller adds that cyber insurance would have to cover third-party losses in the case of a cyber-attack diverting funds from a firm’s client account, as otherwise the firm and its partners would have to make good the shortfall.
Holt flags up another barrier to comprehensive cyber insurance – that a provider would first need to check a firm’s security procedures. ‘This would require firms developing an iterative relationship with their insurers who would also need to identify and recommend best practices.’
Albone highlights the challenge presented by continually evolving technology and increasing IT spend: ‘The industry needs to consider how quickly it can react to threats and what additional services are needed in order to counter current and emerging threats.’
As Nolan observes, technical safeguards such as secure passwords and two-factor authentication will not cover the threats to data security that come from within the firm. ‘A firm’s data is potentially vulnerable to departing employees and consultants. The solution is straightforward – to require devices to be returned, switch off remote access, change passwords and lock down USB sticks and other removable devices. This protects the system against viruses and hackers getting in, but it also prevents people taking data out.’
Jonathan Thornton, managing partner of Russell-Cooke, believes that ISO 27001 is a good starting point as it presents a framework that includes procedures around mobile device management, internet browsing and other instances where flexible working presents increased risk. ‘Probably the most important element is education – going out to the firm and getting them to buy into the fact that security is everyone’s responsibility, and that includes personal responsibility, particularly given the introduction of new regulations like the GDPR.’
The discussion turns to monitoring internet browsing and social media and the trade-off between managing risks and limiting what people can do, particularly given the role of social media in business development and client engagement. ‘It is about determining the level of risk that we are willing to accept and providing top-down guidance,’ Nolan explains.
Regulators including the SRA are constantly challenged to stay one step ahead of cybercriminals and anticipate emerging threats. ‘As well as working with law enforcement and other agencies to understand what’s happening out there and the type of people involved, we are updating our capability,’ Dipple-Johnstone explains. This includes ensuring there are sufficiently trained staff to carry out complex investigations and making sure that the code of conduct covers all the bases.
Miller highlights the need for benchmarking, to establish ‘what a competent, well-run law firm needs to have in place in order to comply with its regulatory obligations. Obviously, that will evolve, but do we know what we are supposed to have in place if there is a breach and the SRA comes knocking on the door?’ Bourne adds that there is unlikely to be a one-size-fits-all requirement as ISO 27001 may not be a realistic standard for smaller firms.
Blacklaws observes that the General Data Protection Regulation would probably clarify acceptable levels of security by introducing more stringent requirements. Nolan agrees, adding that it is easier for larger firms such as BLP which have risk and compliance teams to work with regulators and external providers. However, ISO 27001 remains useful as firms can decide on the scope of its application: ‘It boils down to introducing appropriate procedures and making sure they are fit for purpose and that they are followed. Communication is key to bringing people to the right place.’
In terms of technological change, Holt brings the focus back to the client, envisaging a move from vulnerable email communication to secure portals for transactions and fund transfers. Albone agrees that legal services may well follow payment processors and online banking, which use encryption and two-factor authentication to secure financial transactions. The roundtable ends on a positive note with Ryan’s observation that firms also need to consider the changing nature of currency, adding that technologies like blockchain may ultimately help to increase cybersecurity.
Joanna Goodman is the Gazette’s legal technology columnist
tmgroup, which sponsored this roundtable, is holding a conference, Risky Business: Cyber Crime in the Property Transaction, on 23 February (9.30am-4pm) at the Institution of Engineering and Technology, Savoy Place, London WC2R 0BL.