SCAM-pi and chits
A look at scams and other cyber-security threats which have recently targeted the 'soft underbelly' of law firm data security.
Firstly, allow us to apologise for the title. This is what happens when the sun comes out in Manchester – nobody can quite believe their eyes and everybody gets carried away in the delirium.
Anyway, this article concerns scams and other cyber-security threats which – to borrow a phrase used by our American friends – have recently targeted the “soft underbelly” of law firm data security. Last June we reported on a sharp rise in the number of scam alerts posted on the SRA website, reminding our readers to be vigilant. Since then, there has been a series of cyber-security issues, culminating in the recent contaminated scam e-mails, purporting to have been sent from the SRA and the Law Society, which were circulated to thousands of law firms. Unsurprisingly, this sent a jolt through the profession, especially when the SRA admitted it was powerless to prevent such e-mails (which is true).
But should this really have come as a surprise? The risk of law firms being targeted by fraudsters who are interested in either laundering money through the client account or stealing personal data is very real and has been for many years. Lawyers engaged in transactional work have long been a target for money laundering and, more recently in the digital age, law firms along with other businesses have been subject to cyber attacks. And whilst these two issues may appear separate, they are often intertwined. For example, a client seeking to use your client account as a banking facility may attempt to obtain your details via a scam ‘phishing’ e-mail. Outsourcing arrangements, which are becoming increasingly commonplace as firms strive to improve operational efficiency, also have the potential to heighten the risk of data being compromised because the data is not just held internally; it could be anywhere!
Regardless of the sophistication of some cyber threats, inadequate systems and controls or a lack of due diligence on outsourced providers are very often the root cause of law firms falling victim to attacks. Reference has also been made to cyber security and other forms of financial crime in the SRA’s Risk Outlook, most recently in the Spring 2014 update where the regulator revealed that it had received 68 reports of money laundering from law firms in 2013, up from 24 the year before. A separate research paper on Cybercrime, containing useful case studies and practical tips, was also published (ironically at a time to coincide with the SRA scam e-mail) and added to the ‘Risk Resources’ section of the SRA website.
Without even going into the detail, it is clear that cybercrime and money laundering are big business. Law firms now appear to be a target for criminals and this is significant from an insurance perspective because underwriters – no longer content to indemnify those with primitive systems in place – are gradually narrowing the scope of cover that will be afforded to those who suffer cyber attacks.
It is imperative that COLPs, COFAs and MLROs are aware of the threat of cybercrime and manage their risks accordingly. Daunted? Don’t worry, there is help at hand. We can audit your practice’s systems to assess the risk of a cybercrime attack, liaising with the IT consultants and other advisers as appropriate. In addition, a new collaborative initiative between industry and government, the Cyber-Security Information Sharing Partnership (CISP), has been established to share data and intelligence on cyber threats with a view to raising awareness and minimising the economic impact on UK commerce. Together we can stop the Trojan horse.