Legal sector vulnerability gets expensive
3rd July 2024 • Park Plaza Victoria, London, UK
It should now be crystal clear to law firms that paying for better security makes good business sense
The costs of insecurity are rising fast – is it time to invest more in people and tech?
The number of reported cyber attacks on UK law firms has increased 36 per cent over the past year.
According to data from speciality reinsurance group Chaucer, there were 166 reported cyber breaches in 2021/22; this number jumped to 226 in 2022/23 (as of 30 September).
The National Cyber Security Centre (NCSC) 2023 cyber threat report also noted that nearly three-quarters of the UK’s top 100 law firms have been impacted by cyber attacks.
Chaucer says that the large number of attacks against law firms has been driven by a belief amongst attackers that law firms are particularly susceptible both to ransomware and to threats to publish stolen data online.
This is not just down to the extremely sensitive data that law firms hold on behalf of their clients; it is the attackers’ near certainty that firms will pay, either to unlock data encrypted in a ransomware attack or as “blackmail” in exchange for the stolen data not being published online.
In one recent Magic Circle attack, the firm involved will not say whether it paid the ransom – but its data was not leaked by LockBit.
The financial costs (and reputational and legal issues) associated with paying ransoms are just the tip of the iceberg when it comes to the costs of serious incidents.
As well as all the internal remediation costs, depending on the types of information lost, organisations will now probably have to endure regulatory inspections and fines, as well as class action lawsuits from affected clients and other third parties.
U.S. law firm Orrick, Herrington & Sutcliffe has just had to update the number of parties affected by its data breach last year. The pool of victims quadrupled between its July and December disclosures to more than 630,000. These victims lost personally identifiable information such as names, addresses, email addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account information, credit or debit card numbers and tax ID numbers. Health information was also stolen, including medical treatment or diagnosis information, claims information, health insurance ID numbers, healthcare providers, medical record numbers and account credentials.
The breach led to four consolidated lawsuits brought on behalf of hundreds of thousands of alleged victims, and the firm has just announced that it has reached an undisclosed agreement to settle these suits. Clearly the cost will be extremely significant.
Orrick did not say how the threat actor gained access to its systems or whether it was extorted for a ransom. Lack of transparency is still a hallmark of the industry, as few law firms are publicly listed and so subject to stock-market disclosure rules.
So, what are the key challenges that law firms still struggle with? Are they more difficult to defend than other organisations? And does the scale and sensitivity of the data they hold mean they need to consider security measures that would be unnecessary in other sectors?