The cyber attack was on two of the intellectual property law group’s member firms: Spruson & Ferguson (Australia) and Griffith Hack. 

Later that month, the firm provided an update to the market, confirming that it was continuing to investigate the cyber incident.

“IPH advises that it has now established new network infrastructure following a strict restoration process, and key system functionality has now been restored. Under the advice of cyber security experts, security has also been further enhanced, including additional preventative and detective controls to protect the IPH network,” the firm said in a statement at the time.

Following this, IPH noted in an announcement to the market last week that the forensic investigation is now “substantially” complete, and it has identified that a “limited set of data” was compromised by an unauthorised third party during the cyber incident.

IPH also incurred costs in the course of responding to and investigating the cyber incident, it reported, including the engagement of specialist third parties and remediation of its network and IT systems.

“IPH currently estimates $2 [million] to $2.5 million (pre-tax) will be incurred as non-underlying costs in its FY23 accounts related to this incident,” the firm said.

Those costs don’t take into account, it added, any additional costs that may arise out of complaints by affected customers and other individuals, not to mention any regulatory or litigious costs.

VIEW ALL

Speaking to Lawyers Weekly following this update, Lander & Rogers partner Melissa Tan said there are two key takeaways for those in the legal profession to take note of.

“The legal industry is, and will continue to be, a target of and susceptible to cyber attacks because lawyers hold valuable, confidential and sensitive data from multiple parties, which threat actors can use to their advantage, including financial benefit.

“This includes client data, internal corporate information and data from third parties like suppliers or other parties to a transaction or litigation. If the targeted attacks against law firms continue to be effective and profitable due to poor digital and cyber security, law firms will continue to be a target,” she explained.

“Lawyers have professional, ethical and commercial obligations to keep the data of their clients and other sensitive or privileged information confidential and secure. A failure to do so may result in a breach of the lawyer’s professional responsibility. If the client’s data is the subject of unauthorised access, the law firm will be deemed at fault. Digital security should therefore be a top priority for law firms to ensure that lawyers comply with their professional and general legal obligations.” 

Cyber risk has already been revealed to be a key issue for organisations across a range of sectors, including legal, in 2023, with companies urged to implement protective measures such as cyber insurance and take a closer look at their positive security obligations.

The IPH breach, Gilbert + Tobin partner Melissa Fai opined, should also serve as a reminder to law firms in particular.

“The breach is another reminder to all law firms to seriously consider the threat (and perhaps imminence) of a cyber attack and, if not already, to start to implement a cyber risk management plan for both preventative measures and reactive measures, such as a comprehensive incident response plan, should a breach occur,” she told Lawyers Weekly.

“It also shows that the ability to act quickly and contain infected or compromised systems goes a long way to managing any fallout and mitigating the consequences of a breach. Part of that may involve firms looking deeply at their network infrastructure and the architecture of their systems to ensure that systems are not easily contaminated, and compromised systems can be effectively isolated from the rest of a firm’s network, applications and data.” 

Ms Fai added that “law firms could be doing a lot more in this space” and that clients are also now looking into protecting themselves from cyber attacks, too.

“At the end of the day, from a privacy perspective, firms can mitigate risk to some extent by ensuring that the principle of data minimisation is key to their operations and having a robust data retention policy, which ensures that personal information and commercially sensitive information which is no longer required is securely removed or at least, securely archived,” she added.

“We are seeing an increasing investment having to be made in enhancing security in all systems — both to ward off the next big attack from occurring, but also to meet the increasing demands placed by clients on their advisors, particularly the larger and regulated ones, as clients rise to the challenge of protecting their own systems and information from all angles and supply chains.

“Clients are simply trying to keep up with the continuing threat environment and, in some sectors, the emerging regulations and compliance requirements to which they are subject.”

As a result, law firms “stand to be significantly impacted”, according to Ms Tan, who added that this goes beyond the financial loss from recovery and remediation, including forensic IT costs, legal costs, or the business interruption loss suffered and that for firms to be safe, “proper cyber and data security is key”.

Practical steps, Ms Tan said, include cultivating and enhancing employee awareness of cyber security risks and ensuring effective data recovery.

“It’s common to assume the greatest threats to cyber and data security result from digital systems. However, it’s often the users of these systems that represent the most common vulnerability to an organisation’s cyber security. Whilst people can be the weakest link in the fight against cyber threats, they can also be the strongest defence if they possess awareness. Every time an employee ignores, deletes or reports a phishing email, they keep the network secure and prevent an intrusion,” she added.  

“Even if not all cyber attacks can be prevented, having an effective data recovery protocol will ensure that the firm’s data is not lost or destroyed as a result of an attack, minimise the need to engage with a threat actor or consider payment of a ransom to recover the data, and the data can be recovered swiftly and effectively to minimise business interruption loss.”

ASX-listed firms, in particular, can also prepare and combat cyber risks and attacks in a number of ways.

“Firstly, take steps to ensure that the company has controls, policies and procedures in place, particularly regarding the flow of information, to ensure that cyber security disclosures meet the ASX Listing Rule 3.1’s requirements,” Ms Tan concluded.

“Secondly, these controls, policies and procedures should be set up when the company is not in crisis mode. The board and executive should be discussing and formulating the approach of ASX announcements in relation to a cyber attack before the cyber attack occurs, where there is time and breathing space to consider the right tone and approach to communicating to the public about the cyber attack.

“Thirdly, ensure there is a mechanism in place where management personnel responsible for reporting and disclosures are fully informed on the cyber security incident, particularly as the incident investigation progresses and unfolds so that disclosures about incidents are accurate and timely.”

Lawyers Weekly reached out to IPH for further commentary on the breach, but it declined to comment.