The cyber and data security risks facing law firms: How firms can protect themselves and how to manage a security/data breach
By Tom Pelham, Alexandra O'Hare and Arran Roberts
Tom Pelham, Global Head of Cyber and Data, Arran Roberts, Partner, and Alexandra O'Hare, Senior Associate, at Kennedys, provide valuable insight into the cyber and data security risks facing law firms, which includes details of the targeted campaigns that are being directed at conveyancing firms
There is no denying that cyber security incidents disproportionately affect firms of solicitors, especially those carrying out conveyancing and transactional work. These firms are seen as a rich target: the process is formulaic, so it is easy for criminals to seamlessly insert themselves, and the high turnover of transactions means that there are regular opportunities to achieve quick financial gain. In our experience, the two most common types of incidents affecting law firms are business email compromises and ransomware.
Business email compromise
Business email compromises (BECs) arise when a mailbox is subject to unauthorised access, commonly through social engineering. The primary goal of the intrusion is to redirect funds by diverting payments either to or by the victim firm.
Phishing remains the most likely root cause of these incidents, which are becoming more sophisticated and harder to identify. This is despite the now common implementation of multi-factor authentication, which was widely seen as a ‘silver bullet’ for this type of attack. This method of attack also typically relies on an element of ‘human error’ (i.e. someone interacting with a malicious email), which even the most advanced security protocols, procedures and training cannot entirely guard against.
We are seeing an increasing number of sophisticated and seemingly targeted campaigns affecting conveyancing firms. This has allowed us to map out some of the common approaches employed by these threat actors. One of the current trends we are seeing typically plays out as follows:
- The threat actor contacts one or more fee earners claiming to be purchasing a property, asking for a quotation;
- The fee earner typically responds to the email requesting further details of the property and the threat actor provides a link to a SharePoint download;
- The link directs the fee earner to a page which includes photos of a house and further details. Unfortunately, this page has a script running in the background which redirects the user and compromises the fee earner’s credentials if they are entered. The staggered nature of the communication adds credibility to the threat actor’s claims and makes this deception harder to detect, meaning that even after the fee earner has surrendered their credentials, they can remain none the wiser.
We have also seen an evolution in the overall tactics used by threat actors in recent months. One of those developments concerns mailbox synchronisation. In a number of instances, the threat actors will now seek to download an offline copy of the mailbox, known as mailbox synchronisation. Rather than attempt to contact clients and effect a payment diversion from within the legitimate mailbox, the threat actor will set up a spoofed domain. This is designed to look extremely similar to the business’s legitimate domain but may have a single character alteration (e.g. ABClavv rather than ABClaw). The threat actor can then take their time to sift through the contents of the synchronised mailbox before targeting clients using the spoofed domain. This can potentially lead to wider regulatory exposure, as the law firm has no visibility over what the threat actor may be doing with the data in the mailbox, nor any understanding as to who the threat actor may be contacting in order to mitigate the potential risk posed to those individuals.
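One defensive control against the spoofed-domain tactic described above is to screen inbound and outbound sender addresses for near copies of the firm's own domain. The following is an added example, not code from the article or from Kennedys; the firm domain, the confusable-character table and the sample addresses are constructed assumptions for illustration.

```python
# Lookalike-domain screening for email sender addresses (added example).
# Flags senders whose domain imitates the firm's legitimate domain by a
# single character alteration or a visually confusable substitution,
# e.g. ABClavv.com standing in for ABClaw.com. All values are constructed.

# Character sequences commonly swapped in for real ones because they look alike.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case a domain and collapse confusable sequences to their lookalike."""
    domain = domain.lower()
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 is a single-character alteration."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender: str, legit_domain: str, max_distance: int = 1) -> bool:
    """True when the sender's domain imitates legit_domain without being it."""
    domain = sender.rsplit("@", 1)[-1].lower()
    legit = legit_domain.lower()
    if domain == legit:
        return False  # the genuine domain is never flagged
    return edit_distance(normalise(domain), normalise(legit)) <= max_distance


def flag_lookalikes(senders, legit_domain):
    """Return the subset of senders that should be held for human review."""
    return [s for s in senders if is_lookalike(s, legit_domain)]


# Constructed sample: a firm domain plus a mix of genuine, spoofed and unrelated senders.
FIRM_DOMAIN = "ABClaw.com"
SAMPLE_SENDERS = [
    "conveyancing@ABClaw.com",   # genuine
    "conveyancing@ABClavv.com",  # 'vv' for 'w', the article's example
    "accounts@abclaw.co",        # one character dropped
    "buyer@example.org",         # unrelated third party
]

if __name__ == "__main__":
    print(flag_lookalikes(SAMPLE_SENDERS, FIRM_DOMAIN))
```

Held messages would then be routed to a manual check or a call-back on a known number rather than blocked outright, since legitimate third parties can also use similar names.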
Ransomware
Ransomware is a type of malware which blocks users from accessing their system or files. In very simple terms, imagine that a padlock has been put on the affected servers that only the threat actor has the keys to unlock. The ultimate goal is to put pressure on the victim to pay a ransom.
Most ransomware groups operate on a ‘double extortion’ basis. The groups try to leverage a ransom payment by blocking access to systems and exfiltrating key data, and then threatening to publish it online. While every ransomware group operates differently, a ransomware attack by and large begins with a period of reconnaissance, searching for the sensitive data and understanding priority systems that are essential to the business’s day-to-day operations.
The loss of access to client data due to encryption can seriously affect any firm. Immediate challenges can be as simple as a lack of ability to communicate with clients if email or telephone systems are down. In the slightly longer term, court deadlines or other time sensitive matters will come into the frame and workarounds need to be quickly implemented to ensure that a level of normal service can continue. This is particularly important when you consider that the complete response to a ransomware incident can take several weeks, if not months (even assuming that good backups exist).
Alongside these practical difficulties, law firms will have to consider their own legal and regulatory reporting obligations, as well as managing the potential reputational impact of a cyber incident. This illustrates the many competing priorities which arise when dealing with any cyber security incident. The key to managing the response is getting the right ‘crisis management team’ on board to streamline the approach. This broadly comprises the firm’s key internal team, alongside a range of external vendors, potentially including legal, technical and PR support.
The various workstreams involved in the response to a ransomware incident are interlinked. For example, an IT forensic investigation will be running in tandem, the findings of which will influence the legal and regulatory response and any communication requirements both internally and externally.
These days, there is a general awareness that these incidents happen and firms cannot prevent every attack. Therefore, the focus is thrown onto how effectively a firm responds when the inevitable happens.
The unique challenges that solicitors face
Law firms face a number of unique challenges in the face of any cyber incident. This is compounded by their concurrent regulatory obligations, which do not always sit together very neatly, particularly those arising from the UK General Data Protection Regulation (GDPR) and the Solicitors Regulation Authority’s (SRA) Code of Conduct.
Under the UK GDPR, a data controller must notify the Information Commissioner’s Office (ICO) in the event of a personal data breach, unless that breach is unlikely to give rise to a risk to the rights and freedoms of the impacted data subjects. The timeframe for notification is 72 hours from awareness of a personal data breach. What is often confused here is when that clock begins to run. The awareness of an incident occurring is not necessarily the same as awareness of a personal data breach. It may not be apparent immediately whether personal data has in fact been impacted. Particularly in the early stages of an incident, it is wise to be guided by the forensic investigation and to avoid any knee-jerk reactions based on speculation.
Running alongside this regulatory framework, a law firm must also consider its obligations to the SRA and notify promptly if there has been a serious breach of the standards and regulations. In all cases where an attack has had, or has the potential to have, an impact on clients, the SRA expects a prompt report to be made, for example where transactions cannot be completed, service to clients is delayed or there is a risk of client data or assets being lost. Law firms also have to consider the wider obligation to maintain client confidentiality, which extends not only to ‘personal data’, but to any confidential client information.
This can mean that there are instances where notification to the data protection regulator is not strictly required, but notification to the SRA is. This asymmetry in the information being shared externally is generally a position that we would prefer to avoid. Furthermore, the SRA will often seek to understand the ICO’s position on the matter, making the process more drawn out.
There is also a disconnect between the secondary regulatory obligations to notify impacted individuals. The data protection landscape requires individual notification in circumstances where there is a high risk to their rights and freedoms arising from a personal data breach. However, the SRA code has a wider obligation to be ‘open and honest with clients if things go wrong’. In some cases, this may lead to the requirement to inform clients (both individuals and corporates) about an incident, even though the GDPR data subject notification threshold has not been met.
Importantly, where client money has been lost by the firm, there is an immediate obligation to restore the funds. Often there is insurance cover for that loss; however, the SRA will expect client funds to be restored promptly, irrespective of insurance arrangements.
To add a further layer of complexity, a firm that has suffered an incident could be suspended from critical third-party applications. Once a bank becomes aware of a diverted payment (when the affected individual contacts them to attempt to trace/recover the payment) they often set the wheels in motion for this suspension. This can affect completion deadlines and can have knock-on effects that cascade down the whole chain, so communication is key.
Pre-breach planning
Devising and stress testing an incident response plan is of vital importance for any organisation, but is especially valuable for law firms. Having a response playbook ready to mitigate the impact as swiftly and calmly as possible will alleviate the burden on the business. Simulation exercises can be used for this purpose, putting the crisis management team through a bespoke cyber incident scenario to expose any areas that may need attention.
A well-designed incident response plan can frontload many initial areas of breach response that would otherwise have to be undertaken from scratch. For example, template communications can be prepared for a range of scenarios, proactive data mapping can provide insight into what could be at risk, and cyber provisions in key contracts can be summarised in an easy reference format.
Whilst such planning helps victims of cyber incidents to respond in the best possible way, it can also provide an important layer of mitigation arguments if any regulatory investigations arise out of the incident. We are increasingly seeing both data and professional regulators using the notification of cyber incidents as a springboard to investigate the victim’s general security posture, data governance and levels of proactivity regarding risk management. In many cases, regulators may be willing to accept the narrative that cyber incidents cannot be entirely prevented, but they have significantly less sympathy for victims that cannot demonstrate any proactive actions or forethought about the potential risks. This means that all law firms, irrespective of their size and practice areas, need to think seriously about whether they could confidently demonstrate to the SRA or ICO that they have proactively mitigated the potential risks.
It is also important not to neglect the emotional impact that being thrust into a crisis situation can have on staff. Earlier this year, the Royal United Services Institute published a paper that explored the harm caused by ransomware to individuals and organisations, which provides insight into this often overlooked aspect of breach response.
Today, every industry is faced with cyber security related challenges and the legal industry is no exception. Having an awareness of these challenges, and proactively implementing the various preventative measures, is critical in helping protect against potential future attacks.