Cybercrime is expected to cost £8.5 trillion globally by 2025, highlighting the scale and sophistication of the cyber ecosystem. With the legal sector reportedly accounting for over 24% of global cyber-attacks, how can firms protect themselves from the ever-evolving cybercriminal?
In ICAEW’s recent webinar, Andrew Baker, Stuart Leach and Emily Lake of RSM UK considered the challenges faced by law firms and how exposure to risk could be mitigated.
The legal sector is an attractive target for cyber-attacks. The disproportionate amount of confidential sensitive data held, large cash balances and high value transactions within the client accounts, together with frequent use of third-party service providers and high-pressure interactions with the public, create a perfect storm for cyber threats.
Prevalent cyber-attacks in the legal sector
Industry statistics show that, on average, a cyber-attack takes place every 39 seconds and that over 65% of law firms have been impacted by a cyber incident. Regardless of firm size, the following types of cyber-attack are prevalent:
- Over 90% of cyber-attacks involve a human element, with methods such as phishing, business email compromise and impersonation being common. AI has made these techniques more sophisticated, with AI-enabled phishing and deepfakes used to entice employees, resulting in unauthorised access to a firm’s systems and sensitive information.
- Ransomware attacks are widespread in the legal sector given the sector’s high sensitivity to operational disruption. Ransomware was initially focused on system disruption followed by extortion demands. This has evolved to encrypting systems and exfiltrating valuable data, providing cybercriminals with multiple ways to monetise their attacks and cause significant disruption.
- Direct attacks involve obtaining client information and threatening to publish it on the dark web. These attacks exploit the high value of client data and the potential reputational damage to the firm.
- Payment diversion fraud is increasing. Cybercriminals can gain access to a law firm’s systems and intercept emails in real time to manipulate payment instructions, leading to significant financial loss.
- Third-party attacks are particularly significant, given the legal sector’s reliance on third-party service providers. Targeting third parties provides cybercriminals with access to multiple clients, amplifying the impact of their attacks.
The impacts of a cyber-attack
Cyber-attacks can have significant impacts on firms, including the freezing of client accounts, loss of data and the disruption of business operations.
From the poll conducted during the webinar, most of the audience considered reputational damage and client loss to be the biggest concern. Reputational damage alone can impact a firm’s operations, finances and client base, potentially leading to a loss of clients and, in severe cases, pushing firms into administration. The financial losses can be significant, including costs associated with recovery, legal fees, potential fines and the need to immediately make good any client account shortfalls.
Additionally, the significant amount of management time required to recover from a cyber-attack diverts attention from other critical business activities and creates additional workload to resolve the immediate issue, resulting in productivity loss.
By understanding these impacts, firms can implement strategies to mitigate these risks.
Preparation to mitigate the impact of a cyber-attack is key
Building resilience to cyber-attacks requires an understanding of the firm’s cyber footprint, i.e. knowing where your data is, has been and will be. This helps the firm understand its threats and risks holistically, enabling the creation of relevant, practical and tailored response plans.
A tailored response plan is essential, particularly since many webinar attendees considered a lack of cyber awareness to be their biggest risk. Regularly testing the plan and conducting regular training for employees will improve its effectiveness and strengthen a firm’s cyber resilience. Since over 90% of cyber-attacks involve a human element, well-informed employees can become the first and last line of defence rather than the weakest link.
Do bear in mind that the cybercrime ecosystem is developing at an incredible pace. A well-designed plan from last year is unlikely to be fit for purpose this year and so the plan must be kept under constant review.
Building resilience against a cyber-attack
Taking a holistic approach that involves understanding the threat landscape, managing third-party risks and fostering a strong cyber culture is crucial. By addressing these considerations and implementing strategies, law firms can significantly enhance their cyber resilience and protect against this continually evolving threat to their business.
For practical tips on how to protect your firm from cyber-attacks, please visit the webinar recording here. Alternatively, please reach out to Andrew Baker, Stuart Leach or Emily Lake at RSM UK who will be happy to discuss your firm’s individual needs.
*The views expressed are the author’s and not ICAEW’s