
Law firms a ‘perfect target’ for cyber criminals (and the pressure will keep building)

Heading into 2024, cyber security cannot be anything other than an urgent priority for law firms (particularly unprepared ones), given how attractive and lucrative such businesses are for attackers. The protection of clients, businesses, and, ultimately, the legal profession’s integrity will depend on firms’ proactivity.

Jerome Doraisamy, 13 December 2023, Big Law

Unprepared?

As has been well-documented by Lawyers Weekly throughout 2023, law firms and legal practitioners are not as match-fit as they can or should be when it comes to addressing cyber threats that are not just looming but already here.

For example, a study conducted by the Australasian Legal Practice Management Association in conjunction with AUCloud found that one in two law firms are not ready to handle a cyber incident, and one in five are not doing enough to keep themselves safe in the current threat environment.


Elsewhere, a survey from Australian cyber security organisation DotSec showed that the majority of legal professionals have no confidence in their firm’s ability to detect and respond to security breaches, and DotSec’s 2023 State of Cyber Maturity for Australian Law Firms report found that a significant proportion of Australian law firms lack clarity on who within their organisation is responsible for cyber security and protecting client data.

Such findings denote a significant problem for businesses that are proving to be attractive targets for extortion and ransom demands.

The state of play

Based on cyber threat intelligence sources, the global number of ransom demands from cyber criminals seeking to extort law firms “has doubled in 12 months”, Clyde & Co partners Stefanie Luhrs and Reece Corbett-Wilkins outlined in conversation with Lawyers Weekly.

“An analysis of all major dark web leak sites shows a 104 per cent increase in posts from threat actors claiming to have stolen data from the servers of law firms,” the pair detailed, jumping from 48 in 2022 to 98 this year (as of September).

“This justifies growing industry concerns that the legal sector is a ripe target for ransomware gangs,” they warned.

Moreover, Ms Luhrs and Mr Corbett-Wilkins continued, such numbers only scratch the surface, because the leak-site analysis does not capture incidents where a ransom was paid to suppress publication of the data, where the threat actor stole data but did not name the victim or publish it, or where a third-party vendor is the named victim but the leaked data belongs to the law firm.

Domestically, Australian professional services firms continue to face ransomware attacks at a higher rate than other industries, McGrathNicol partner Blare Sutton noted, with the Australian Signals Directorate Cyber Threat Report 2022–2023 showing that the professional services sector was the most impacted by ransomware attacks this year. Further, the Office of the Australian Information Commissioner reported that, from January to June of this year, the legal sector was among the top five sectors notifying it of data breaches.

Globally, multiple BigLaw firms have suffered attacks in recent years – last month, Allen & Overy reported a data incident “impacting a small number of storage servers” – and in October, the International Criminal Court faced a “targeted and sophisticated attack with the objective of espionage”.

The most notable such attacks on Australia-based legal practices have been the breaches faced by ASX-listed legal services group IPH Limited and BigLaw player HWL Ebsworth. As reported at the time, there were pertinent lessons arising from the attack on IPH, including how costly such an attack can be. Of course, such attacks will cost firms more than money.

Why law firms are targets

Dr Ilia Kolochenko, who is the chief architect at ImmuniWeb and an adjunct professor of cyber security and cyber law at Capitol Technology University in Washington, DC, reflected on the increasing victimisation of law firms.

“Smart cyber criminals are chasing sensitive dossiers of wealthy or politically exposed customers, looking for attorney-client privileged information or other sensitive litigation-related data. Modern cyber gangs are aware of it; moreover, in the dark web, there are dedicated channels to buy and sell data from compromised law firms,” Dr Kolochenko said.

“Worse, in some jurisdictions, stolen data, especially related to serious tax fraud, can be admitted in court proceedings both in civil and criminal cases,” he explained.

“If such data was compromised, the criminals will almost certainly try to extort the law firm and its clients in parallel.”

Mills Oakley partner Jason Symons, who leads the firm’s cyber risk and insurance practice, said cyber criminal organisations are “very clever and see law firms as a perfect target for an extortion attack”.

“These cyber criminals understand the professional duties lawyers owe to clients regarding their data. So, if they can get their hands on this data, a law firm will be under enormous pressure to pay a ransom to prevent the leak of that data for a multitude of reasons. This gives the cyber criminals a lot of leverage,” he reflected.

Because law firms aggregate data from multiple clients, Ms Luhrs and Mr Corbett-Wilkins commented, “threat actors can achieve maximum leverage at scale – through one central service provider”.

Further on this point, Lander & Rogers partner Melissa Tan noted that law firms “sit in a unique position within the supply chain, which means access to a law firm’s data can be a gateway to the sensitive information of multiple clients at once, including high-value targets such as critical infrastructure industries and government clients”.

“For threat actors, this presents an efficient way to extort multiple high-value victims with one attack,” she said.

Hall & Wilcox partner Eden Winokur – who won the cyber category at the 2023 Partner of the Year Awards – added that cyber criminals know that law firms regularly hold client monies in trust, “so they target those with responsibilities for making payments to try and fraudulently misdirect funds”.

Moreover, Ms Tan said, law firms frequently deal with payments and account details through their main mode of communication (i.e. email), “which provides another avenue for business email compromise or social engineering attacks”.

Of course, a law firm’s problems would not necessarily end with the elimination of the risk of subsequent data disclosure, Dr Kolochenko went on.

“Victims of the disclosed data breach may have a wide spectrum of legal claims against the breached law firm with damages ranging from a couple of thousands to tens of millions per victim,” he noted.

Either way, Ms Luhrs and Mr Corbett-Wilkins mused, law firms have competing moral, ethical, and legal duties to consider, “making the decision to pay a ransom demand incredibly complex”.

Law firms of all sizes have been and continue to be targeted, Mr Winokur observed – “that is a trend happening here in Australia as well as in other jurisdictions throughout the world”, he said – and Dr Kolochenko expects that we will see “a steady growth of sophisticated attacks” against law firms in the near future, given the current climate.

Earlier this year, Secure Konnect Cyber Security director Dr Edward Phelps wrote about the different attacks law firms may face and why such businesses can be easy prey.

Necessary practical approaches

In a recent episode of The Lawyers Weekly Show, CyberGC founder and principal Annie Haggar unpacked the key lessons for lawyers from the recently released 2023–2030 Australian Cyber Security Strategy, which includes reform of how cyber incidents will be reported (through a single portal) and when ransomware attacks must be reported (on a mandatory basis), and which provides for a no-fault, no-liability (safe harbour) regime when reporting.

The strategy, Mr Winokur pointed out, also sees Australia set the “ambitious” target of being a world leader on cyber matters by the turn of the decade, and its release, Mr Symons suggested, will change how law firms respond to cyber incidents and data breaches.

“The legal industry has the opportunity to engage with the consultation process and development of the strategy to address important legal issues that arise from the strategy, and help to shape it,” he said.

On the ground, the specific required measures will be dependent on the size and complexity of the IT environment (i.e. large law firms will have different needs to smaller practices), Ms Luhrs and Mr Corbett-Wilkins said, while adding there are “basic steps that can significantly reduce the chance of attack”.

“For example, we often see attacks arising from the same root cause – unpatched vulnerabilities, clicking on phishing links, and insecure remote connections (which we all now use to work from home). Closing these doors will go a long way to help,” the pair advised.

Understanding idiosyncratic client needs in the face of proposed changes and governmental guidance is also essential, Ms Tan said.

“For example, those with critical infrastructure clients, including telecommunications providers, should understand the cyber security implications of critical infrastructure legislation and how the regulatory changes coming with the government’s 2023–30 strategy will impact those clients.”

“Law firms with government clients, or in-house teams within government, need to understand the proposed changes to uplift the cyber security of the Commonwealth government in the 2023–30 strategy and how it will impact them and their clients,” she said.

Two further measures will also be fundamental, Ms Tan went on: mapping out their supply chain and taking steps to address and mitigate the supply chain risks that may leave them exposed, and ensuring they have an incident response plan in place that includes a process for reporting ransomware incidents and payments and, importantly, identifies the person responsible for doing so.

In March, Corrs Chambers Westgarth partner and head of TMT James North stressed, in an episode of The Lawyers Weekly Show, the importance of investment in cyber resilience for law firms. Australia-based e-conveyancers, for their part, are “investing heavily” following UK-based attacks.

Additionally – and according to DotSec – there is such a thing as overspending on cyber security by way of overinvesting in unnecessary solutions.

Law firms also cannot forget, Mr Symons offered, the significant privacy reform that is coming.

“For small law firms, the proposed removal of the small-business exemption (following further consultation with industry next year) will impact a large number of practitioners in relation to reporting data breaches (whether caused by a malicious actor or internal human error) to clients and the Office of the Australian Information Commissioner,” he noted.

“For law firms of all sizes, the proposed direct right of action is very significant. It will provide clients that have suffered harm as a result of a cyber attack on a law firm the right to bring potential legal action in court for breach of privacy.”

Elsewhere, Mr Sutton suggested, governments may well work in tandem with professional services firms like legal practices moving forward.

“Due to the prevalence of ransomware attacks targeting professional services firms and the valuable information they hold, it is likely the government will work alongside the legal sector to uplift cyber maturity by providing assistance and strengthening regulatory obligations,” he said.

“Law firms (and other professional services firms) can get ahead of these changes by conducting a business-oriented cyber risk assessment to understand their cyber risks and develop a practical, pragmatic risk management plan in response.”

Earlier this year, Lawyers Weekly reported on how HWL Ebsworth intended to manage its data breach.

The imperative for urgent action

Looking ahead, Ms Luhrs and Mr Corbett-Wilkins mused, the legal profession has an opportunity to “band together” to address the myriad risks head-on.

This must occur, they stressed, “for the protection of our businesses, our livelihoods, our clients’ trust in us, and the integrity of the profession more generally”.

“As we embark on becoming the most cyber secure country by 2030, it’s up to all of us to play our part,” they argued.
