Recent figures suggest hackers see law firms as a soft touch

February 22, 2024

Law firms have even more reason to be on their guard against cyber attacks following some news from global speciality (re)insurance group Chaucer this month.

The insurer drew attention to some worrying statistics from the Information Commissioner's Office (ICO), which reported a huge increase in hackers targeting the legal profession.

According to the ICO, in the year to 30 September 2023 the number of reported cyber breaches at UK law firms grew by a hundred, with 226 attacks in 2022/23 compared to 166 in 2021/22.

Chaucer put the surge in attacks down to a belief among hackers that law firms are especially vulnerable to ransomware attacks and threats to publish stolen information online.

Ben Marsh, deputy class underwriter at Chaucer, explained: ‘The extremely sensitive data that law firms hold on behalf of their clients makes them a very attractive target to hackers.

‘Hackers expect that law firms will pay them to either unlock data they encrypt in ransomware attacks or pay “blackmail” in exchange for the hackers not publishing the law firm’s stolen data online.’

He added: ‘Attacks against law firms are part of that smaller group of cyber-attacks where the business is being actively targeted. That means that law firms need stronger cyber defences than the average business. Most cyber-attacks start almost randomly when a hacker’s software identifies an organisation with a flaw in their security.’

The insurer noted that the sensitive data held by law firms will vary from firm to firm, from information on divorces at high street law firms through to details on big ticket litigation and M&A activity at City law firms.

Marsh remarked: ‘Law firms are investing in cyber defences and basic data protection hygiene such as segregating data across different departments, teams and individual clients. However, it is still quite common for a law firm to suffer a data breach through a phishing attack.

‘Law firms, like all businesses, will need to improve their defences as hackers deploy more tools based on machine learning or other forms of AI.’

Chaucer highlighted that this problem is not limited to small and medium-sized law firms, with some very large firms also having suffered major cyber breaches in the past year. The National Cyber Security Centre has reported that nearly three-quarters of the UK's Top 100 law firms have been impacted by cyber-attacks.

As well as the reputational and operational damage that can come with a cyber-attack, law firms could be subject to significant fines for poor custody of client information. Where client data has been treated negligently, the ICO has powers to fine up to 4% of a company's total annual worldwide turnover in the last financial year, or £17.5 million, whichever is higher.

These are worrying times for law firms, and no matter how much firms might invest in cyber defences, the human will always be the weakest link in the chain. With cyber attacks now being powered by AI, phishing attacks are likely to become ever more convincing, and the need to stay vigilant is more important than ever.

