Podcast

Solicitors professional indemnity: Update on cyber crime

Law firms continue to be the target of cyber criminals. We list a number of actions law firms can take to reduce the chances of an attack succeeding.

Since our Risk Dimensions Newsletter in August, law firms have continued to be the target of cyber criminals, with a growing number of recent attacks specifically focussing on email communications between law firms and their clients.

Recent examples include: 

  • A law firm client’s email was hacked and the firm was induced to pay monies to a fraudulent bank account.
  • A firm’s emails were hacked and messages were intercepted. Fraudulent bank details were sent to the client, inducing them to make a fund transfer of over £100,000.
  • A fee earner’s email was hacked, and over 1,000 emails were sent from their email address, either requesting payment to a fraudster’s account, or attempting to initiate conversations with clients.
  • Domain names were set up, closely matching a fee earner’s email addresses. Emails were sent to clients requesting funds to be transferred to a fraudster’s account. In one incident, over £500,000 was transferred. 

However, there are a number of actions law firms can take to reduce the chances of any of the above events occurring.

  1. They can raise awareness, by sharing the Risk Dimensions Newsletter and the resources below with employees, so that everyone is aware of the ongoing risks.
  2. Whenever an email relating to the transfer of significant funds is sent to/received from a client, it is advisable for the firm to contact the client by telephone or video call, using the original client details on file, to ensure that the requesting email has not been intercepted or modified. As a matter of practicality, firms can consider the threshold amount of a transfer that they consider significant.
  3. When communicating with clients, it is prudent to highlight that any requests for payment should always be verified by the client using the telephone details contained in the original retainer letter before any payment is made. 
  4. It is also worthwhile to consider and record the firm's readiness to deal with these risks, and what plans and procedures are in place to minimise or recover from a cyberattack. Managers can ask the question: when were these plans and procedures last reviewed and updated?
  5. Checking that insurance policies are in place is highly recommended. Cover can be reviewed with a broker, particularly in relation to cover for theft and cyber incidents.
  6. They can consider signing up to the National Cyber Security Service (NCSS). The NCSS is urging as many law firms as possible to sign up for its free early warning scheme, which warns of potential cyberattacks on any given network. 

In the event of an attack, a firm is advised to establish its reporting obligations in full. Certain cybercrime incidents involving personal data need to be reported to the Information Commissioner's Office within 72 hours. Any cybercrime that has resulted in people's emails being accessed or the loss of client money, even if any financial losses have been repaid, must be reported to the Solicitors Regulation Authority.

Firms are also advised to report the incident to their cyber and professional indemnity insurers as soon as possible. Some cyber insurers have strict notification requirements, and cover can be prejudiced if these are not followed. Helplines are often available 24 hours a day.

The event can also be reported to Action Fraud: 24/7 live cyber reporting for business 0300 123 2040.

Available resources on these issues include:

Meet the authors

John Kunzler, Managing Director

Victoria Prescott, Senior Vice President