We all know that cyber security matters, a lot, with its place on the agenda of law firms only rising year on year. A recent survey found that law firms in the UK rank cyber security as the second greatest threat to their business in 2019, up from third in 2018 and second only to the never-ending concerns over the impact of Brexit. Despite this recognition, there remains a substantial lack of tangible progress throughout the UK legal sector in improving its own cyber security.
The reasons for this are simple: a lack of authoritative guidance, and an inability to learn lessons from the known cases of cyber crime committed against law firms. This article aims to redress this situation somewhat, providing guidance based on some known cases of harm already suffered throughout the legal sector.
The best way of learning how to secure your own legal practice is to learn from peers who have already been the subject of cyber criminals' attention. Four primary impacts will be explained: Profitability; Operational Integrity/Paralysis; Client Compromise; and Brand Reputation.
The lack of guidance
The lack of guidance available to the legal sector may well be disputed, as many would point to both the 2017 and 2018 releases of The Cyber Threat to the Legal Sector report, prepared by the National Cyber Security Centre (NCSC) and The Law Society respectively. There are, however, two main reasons why law firms will find themselves unsatisfied with these reports. First, there has not been a 2019 version. Official guidance is obviously already out of date, and the failure of the NCSC to maintain a regular annual release can only be concerning to the legal sector.
Secondly, the substance of the reports points only to the specific threats the legal sector faces; they fail to articulate why these threats matter to the legal profession. Simply put, there is a failure to explain what the impacts of cyber crime are on the legal profession. Any intelligent decision making needs to know exactly what outcomes it is trying to prevent, and should not begin with arcane, technical details that will serve only to confuse senior executives who are not technology specialists.
Impact 1: Profitability
All businesses need to make money, therefore any threat to that must take precedence in consideration. The most significant impact a cyber crime can have against a business is to impact its profitability, and there are several cases where law firms have found themselves victim to monetary losses.
The most notable case was DLA Piper, who in June 2017 were one of the many hundreds of victims of the Not-Petya ransomware attack (more details below, as this case also impacted DLA Piper’s operational integrity). Although DLA Piper successfully brought its global services back online, it was forced to concede that this singular incident had impacted the firm’s profits. In the FY 2017–2018, the firm reported a 5% increase in global profits, but the firm’s chief financial officer commented on the Not-Petya incident that “Had that not happened we’d be talking about, I believe, an even stronger year.”
A different type of cyber incident was suffered by an unnamed Irish law firm in 2019, where its email accounts were compromised, leading to fraudulently amended payment instructions being issued during correspondence. Following the distribution of these fraudulent instructions, the firm was then duped into making a €97,000 payment that the criminals successfully took possession of.
No business can continue to suffer repeated financial losses to criminal activity, lest all profits are eventually wiped out entirely and the business finds itself making real losses. The impact of cyber crime on law firm profitability is a real and continuing concern to address, yet the cases noted above contain nothing that can be labelled as a sophisticated cyber attack in any form. Law firms should be prepared to train their staff and institute adequate policies and procedures to prevent basic forms of cyber incidents from occurring.
Impact 2: Operational Integrity/Paralysis
Businesses will also lose money if they are unable to operate. When a law firm suffers a cyber incident that compromises the integrity of its IT systems and infrastructure, it will be unable to operate to full capacity, and perhaps even find itself paralysed entirely.
To revisit DLA Piper, long before profits were impacted, the firm found itself with significant impact across its entire global infrastructure. It suffered from the global ransomware attack on June 27, 2017, and only announced on July 3 that its email had been brought back online, while noting that not all servers were yet available. It was further reported that the firm was suffering numerous problems across its networks as much as ten days after the July 3 statement. The firm was reported to have incurred charges for 15,000 hours of IT overtime during this three-week period.
This type of paralysis, much like that suffered by the NHS during the WannaCry incident, affected others too. Harrow-based legal firm Duncan Lewis suffered a ransomware incident in March 2018, leading to a notice being placed on their website that the firm could not send or receive email. The firm lost access to its entire infrastructure, and needed to work with both forensic specialists and law enforcement to get the business up and running again.
It should be clear to executives that if the business cannot operate, it cannot make money and is likely to be out of business before long. Further to this, as evidenced by DLA Piper, is the extra cost of hiring technical specialists to try to solve the issue and return the business to operations. No responsible law firm should find itself vulnerable to attacks that paralyse entire infrastructures. Regular testing of systems, such as penetration tests and phishing tests, is the basic measure to ensure that the risk of this type of attack is minimised.
Impact 3: Client Compromise
The third impact to consider is an eminently logical one: compromise of a law firm’s client base in some way. The legal profession carries confidentiality at its core, with the relationships with clients and the details of their cases being its most sensitive data. The risk that client data could be compromised, as well as clients finding themselves subject to cyber attack, should concern the executives of law firms significantly.
Returning to the Duncan Lewis case, client compromise was an additional factor of their ransomware incident. During the time their systems were down the hackers also took control of the firm’s Twitter account, leaking some client data and leading to concerns that the attackers were trying to spread their attack via malicious links to those visiting the Twitter page. It was hoped that clients unable to email the firm would try to engage its Twitter page instead, providing an opportunity to attack any visitors.
Duncan Lewis was not the only firm to suffer this type of client compromise. The firm Thirty Nine Essex Street suffered what is believed to have been a state-sponsored cyber attack in February 2014, with the express objective of obtaining confidential client data. In this particular case, the firm’s website was compromised, with data on various clients from the energy and utilities sector being stolen.
For law firm executives, it should be clear that client data is a primary target, arguably the primary target for cyber attacks against law firms, second only to financial gain. Intelligent and mature approaches to the security of client information are necessary, with firms ensuring not only the creation of robust policies and procedures, but also that the required technical safeguards are in place to protect the different levels of sensitivity that client data may hold. Whenever a law firm is compromised, no intruder should find itself able to access all data the business holds; there should be overlapping safeguards to prevent an all-or-nothing approach to information security.
Impact 4: Brand Reputation
Finally, every firm is concerned with its brand reputation, particularly if it becomes known for a single incident with which it is forever associated. Cyber crime makes this a particularly pernicious matter for law firms. Consider the following words: Mossack Fonseca.
Mossack Fonseca will forever be known for the Panama Papers leak in 2016, enabled via a cyber intrusion leading to the exposure of 2.6 terabytes (more than 11.5 million documents) of data on its operations. So severe was the damage that the firm closed operations entirely in 2018, with its public announcement listing “reputational deterioration” first and foremost among its reasons for ceasing business.
Closely related is the case of Bermuda-based firm Appleby, now known for the Paradise Papers leak in 2017, when a hack resulted in the disclosure of its private clients’ wealth management details, totalling some 6.8 million documents.
While Mossack Fonseca and Appleby are particularly special cases, due to the political controversy associated with the leaked data itself, they remain seminal cases throughout the legal sector as to the level of reputational harm that awaits those who suffer a significant cyber attack and are found wanting in their defences.
This article takes no position on the nature of the leaked material in these cases or the continuing controversies of wealth management globally; instead, the focus here is to highlight how damaging any cyber event can be to the long-term survival of a legal practice. Mossack Fonseca was forced to close its doors for good within two years of the incident, and senior executives of other law firms need to strongly consider how they would handle the fallout of a cyber incident.
Preparation in this regard lies much less in the realm of technical safeguards, and far more in incident management. Law firms should carry out senior management exercises to test how areas as diverse as communications management and incident response would be handled. Even if a firm survives the immediate impacts of a cyber attack, the long-term reputational damage also needs to be addressed.
To conclude, in common with many other industries, the legal sector is very aware that cyber security is among its chief business risks. Like other industries, however, it has found tangible progress in safeguarding legal practices from cyber crime very difficult to achieve, with numerous law firms falling victim in recent years. By considering the impacts of cyber crime identified here, senior executives in the legal sector can begin to consider how to build an adequate level of resilience in their practice and ensure their firm’s name does not become tomorrow’s cyber security headline.