How cyber resilient is your law practice?
Types of scams impacting legal practices, and how they actually work
Possible dangers in outsourcing responsibility for cyber resilience to external IT consultants
Legal liability for cyber events
How do different insurance policies respond?
This article was first published in the December 2018 edition of The Law Society of NSW Journal.
Lawyers are increasingly aware of the risk of receiving fake emails and are acting on advice to use another method to verify instructions received by email, particularly where funds transfers are involved. While this measure is vital for reducing email-enabled fraud, the risks of cybercrime impacting lawyers extend well beyond this type of email scam.
Lloyds Australia has described cyber risk as the second greatest risk to Australia’s annual economic output (Insurance Business Australia, June 2018). Law societies and legal professional indemnity insurers throughout Australia have reported increases in cyber security breaches, with potential implications for lawyers ranging from professional negligence and breach of trust claims, to business losses, reputation damage, official investigation and disciplinary action.
SMEs often have less awareness of and ability to respond to cyber attacks than large organisations. Small law practices, which hold sensitive personal information and act on high value matters such as property purchases, can be targeted.
Email-enabled impersonation fraud, malware, phishing and hacking
Cyber incidents and email fraud can occur in a variety of ways.
Email fraud often involves impersonation fraud facilitated by email rather than actual interference with a lawyer’s computer network. In many cases, fake emails appear to come from a client or another business contact, while in reality they have been sent from a different email account which has been set up to mirror the victim’s name and email address (otherwise known as ‘spoofing’).
A current scam impacting lawyers is known as ‘CEO fraud’, and involves the sending of an urgent request for funds, apparently from a director or principal of the practice to an employee, typically an accounts manager. Not surprisingly, employees frequently act quickly on such emails and transfer funds to a bank account connected with the scammer. The speed of electronic transactions often means the money has disappeared before the principal becomes aware of the fake direction to pay.
In other cases, email accounts have been hacked, with the hacker then sending emails from the lawyer’s account containing bogus directions for funds transfers. The fraud is often not detected until a loss is reported, because the hacker will usually delete sent messages from the account and will also set up email rules redirecting replies so that the lawyer is unaware of the existence of messages sent to and from their account. This scam is known as business email compromise.
The technology behind email-based fraud
Phishing involves the sending of an email from what appears to be a trusted source. The email’s contents are designed to manipulate the recipient into revealing computer passwords, opening malware or clicking on a link that infects the lawyer’s computer or network with a virus. This enables the hacker to steal login credentials, collect confidential client information and access address books, enabling further phishing attacks on clients with high success rates. Using the stolen login credentials, the hacker scans the victim’s mailbox for correspondence to identify upcoming high-value transactions, and correspondence is tampered with to facilitate funds transfer frauds (known as ‘payment redirection fraud’). Immediately enabling two-factor authentication on your email service is critical to reducing this risk.
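As an added example (not part of the original article), a short Python audit that checks a mailbox’s exported inbox rules for the signs described above: rules that forward mail to an outside address, delete or hide messages so the owner never sees them, or trigger on payment and settlement vocabulary. The rule format, the sample rules and the firm’s domain name are constructed for illustration and do not correspond to any particular mail provider’s export.

```python
# Constructed sample rules (not real data); the field names assume a generic
# export format rather than any particular mail provider's API.
SAMPLE_RULES = [
    {"name": "Sort newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "enabled": True,   # near-empty name, easy to overlook
     "conditions": {"subject_contains": ["invoice", "Payment", "settlement"]},
     "actions": {"forward_to": ["acc0unts@attacker.example"], "delete": True}},
]

INTERNAL_DOMAIN = "lawfirm.example"   # assumption: the practice's own mail domain
FINANCE_WORDS = ("invoice", "payment", "settlement", "bank", "transfer", "remittance")
HIDING_FOLDERS = ("rss", "junk", "deleted")   # folders owners rarely read


def rule_findings(rule, internal_domain=INTERNAL_DOMAIN):
    """Return the red flags raised by one rule (empty list = nothing suspicious)."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    # 1. Forwarding or redirecting mail to an address outside the practice.
    for addr in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if addr.rsplit("@", 1)[-1].lower() != internal_domain.lower():
            findings.append(f"forwards to external address {addr}")
    # 2. Deleting or hiding messages so the mailbox owner never sees them.
    if actions.get("delete"):
        findings.append("deletes matching messages")
    folder = str(actions.get("move_to", "")).lower()
    if folder.startswith(HIDING_FOLDERS):
        findings.append(f"moves messages to rarely-read folder {actions['move_to']!r}")
    # 3. Conditions keyed on finance or settlement vocabulary.
    words = conds.get("subject_contains", []) + conds.get("body_contains", [])
    hits = sorted({w.lower() for w in words if w.lower() in FINANCE_WORDS})
    if hits:
        findings.append("matches finance keywords: " + ", ".join(hits))
    # 4. Blank or one-character names are a common way to make a rule unnoticeable.
    if len(rule.get("name", "").strip()) < 3:
        findings.append("rule name is blank or nearly blank")
    return findings


def audit(rules):
    """Map rule name -> findings for every rule that raised at least one flag."""
    return {r["name"]: flags for r in rules if (flags := rule_findings(r))}
```

Running `audit(SAMPLE_RULES)` flags only the second rule; reviewing such rules after any suspected credential compromise, and alerting when new forwarding rules appear, is the corresponding detection control.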
Malware is a piece of malicious software designed to cause damage to a computer. A variant of this, ransomware, operates to lock files and computers unless a ransom is paid. Other types of malware are designed purely to cause as much damage as possible. For example, the highly destructive NotPetya virus, which in 2017 impacted global law firm DLA Piper amongst many other organisations worldwide, purported to require payment of a ransom, but the affected files could not be unlocked even if a payment was made. As cyber attacks become increasingly sophisticated and as law practices move backups into the cloud, access to backups can also be locked by ransomware unless these are quarantined from the lawyer’s network.
Another cyber risk for lawyers is targeted computer hacking, designed to access confidential information or trust accounts, or another online account operated by the practitioner. The most well-known case involved law firm Mossack Fonseca and famously led to the publication of the Panama Papers in 2016, leading to the demise of the once prominent offshore tax advisory firm.
The human aspect to cyber risk: deception of individuals
Cyber resilience requires awareness of the open nature of the internet and the vulnerability of email, and the signs of ‘social engineering’ or manipulation fraud. Although technical measures can be effective in combating cyber fraud, ultimately staff members are your last line of defence. Protecting your law practice cannot simply be delegated to IT experts as its cyber resilience may only be as strong as each staff member’s awareness and behaviour.
‘Human sensors’ have been described as the most under-utilised resource in protecting cyber-security. Malware or phishing emails usually enter a network via an unsuspecting member of staff clicking on a link or opening an attachment, and funds transfer frauds are usually authorised by a human! Many past incidents could have been avoided via a combination of greater security awareness, end-user education, behavioural change and anti-phishing technologies. No one solution, unless combined with the others, will prevent all cyber attacks.
Technology risk management: an essential part of legal practice
With email now the dominant channel for professional correspondence, and the increased use of technology platforms for legal services, the mitigation of risks associated with mainstream technology should be front of mind, as highlighted in the widely reported PEXA “Masterchef” incident earlier this year.
While that case involved a conveyancer rather than a lawyer, there is no reason to suppose a similar incident could not occur in a law practice. To recap, the conveyancer’s email account was allegedly accessed by an intruder, who then reset the conveyancer’s password to PEXA’s platform using that email account. After the password was reset, the hacker accessed the practitioner’s PEXA account and changed details on a pending transaction. The conveyancer did not notice that the settlement details had been changed before authorising the misdirection of $250,000 (fortunately, most of the funds were reported to have been recovered later, with PEXA covering the balance).
As a result of that incident, PEXA introduced multifactor authentication for logging into the platform, a transaction summary prior to signing, and other changes. While publicity at the time focused on PEXA’s platform, the hacker’s access to the conveyancer’s email account was a necessary precursor to the subsequent security breaches. This incident sends a message about the implications of failing to adequately secure email accounts as the profession moves towards mandatory e-conveyancing for all NSW property transactions from July 2019.
Can responsibility for tech-related issues be outsourced to external IT consultants?
While smaller law practices may outsource IT issues, responsibility for maintaining professional obligations such as client confidentiality remains with the law practice. Firms cannot abdicate all responsibility to managed service providers and should maintain a supervisory role. For software suppliers and managed service providers, usability and convenience for customers can be a key focus, and many lawyers may be unaware that popular software may have low security in its default settings, leading to increased risk of a cyber incident unless more secure settings are selected.
Law practices are subject to professional requirements to keep information confidential. These requirements should be borne in mind when considering cloud storage providers that back up to servers held outside Australia and which might be subject to different legal regimes. Finally, consider also the terms of contractual arrangements with IT providers and how they might impact your own legal position in the event of a cyber incident.
Professional conduct rules and mandatory reporting of notifiable data breaches
While civil claims resulting from cyber breaches are presently dominated by funds transfer frauds, it is important also to consider the potential regulatory and disciplinary consequences of non-compliance with professional obligations to maintain confidentiality (see e.g. Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015, rule 9).
Under the Privacy Act 1988 (Cth), it is now mandatory for organisations with a turnover in excess of $3 million to report notifiable data breaches. Be aware that this requirement extends to organisations with a turnover of less than $3 million where the data breach relates to individuals’ tax file numbers. Failure to report a notifiable breach can lead to serious penalties.
Risk transfer via insurance
Effective cyber risk mitigation requires a combination of risk management and risk transfer, via appropriate insurance. Every insurance policy should be considered by reference to individual policy wording and it is prudent to review your insurance policies rather than make assumptions about what events will be covered.
For example, in the case of CEO fraud, where a claim relates to client funds held in a law practice’s trust account, a professional indemnity policy covering third party losses might respond, subject to its terms and conditions and the facts of the case. On the other hand, if the money lost belonged to the practice and was held in an office account, a policy designed to cover only third party claims would not respond. In that case the law practice could be uninsured for the loss unless it had taken out a suitably worded crime policy or endorsement (e.g. under a management liability policy).
Cyber risk policies can offer different, additional types of cover including technical assistance in the case of a cyber event (as defined in the policy), defence costs and penalties for regulatory investigations, business interruption costs and cyber extortion payments. The group cyber risk policy purchased by Lawcover, in effect from 1 January 2018 to 30 June 2019, provides Lawcover insureds with an aggregate of $50,000 cover for these types of cyber risk losses. Each law practice should consider whether this level of cover is sufficient for its individual needs.