According to this article in LegalFutures, a study of 40 law firms that suffered recent cyber attacks revealed losses of over £4 million in client funds across 23 of the firms.
In an attempt to combat these losses, the Solicitors Regulation Authority (SRA) will conduct a thematic review on cyber crime’s impact within the legal sector in 2020.
The insurers of the affected firms provided compensation, but unfortunately not enough to cover the entirety of the losses: 18 firms still had to stump up a combined £400,000 to cover the gap left by their insurers.
Not only did the firms have to deal with the financial impact of cyber attacks, but the psychological trauma suffered by the staff was noticed by each organisation.
Two firms, two mistakes
Rachel Clements, regulatory manager of the thematic team, described the methodology and impact of two notable cyber attacks:
With only a “slight change” in a client’s email address, a short message asked the firm to redirect client funds to an unknown account. Following security policy (to verbally verify the account details when changing accounts with a client), the firm contacted the client, who was very busy moving house at the time and told the small firm to “just get on with it”.
Going against company policy, the firm made the change and transferred £400,000 straight into the social engineer’s bank account.
The small firm repaid the client immediately from its own account, but this caused significant cash flow issues which, alongside the police investigation, caused high levels of undue stress across the firm.
Eventually the firm’s insurers paid back the lost money, with the exception of a £5,000 excess, and a further £900 in compensation after the client made an official complaint to the Legal Ombudsman.
Another, much larger firm was hit by a ransomware attack after an employee opened a malicious email over the weekend. While the firm saved themselves the $500 ransom by refusing to pay, they had to close for two weeks to deal with the attack, a decision which cost them over £150,000 in revenue.
What really struck me was the emotional toll on staff
One reason that many firms refuse to pay the monetary figure demanded by malicious actors in a ransomware attack is that there is no guarantee the effects of the attack can be reversed.
The firm has since invested in Security Awareness Training for their staff and it has become an essential part of their employees’ responsibilities.
Their message was that you shouldn’t wait until a cyber-attack to educate your staff
Education beats compensation
Security Awareness Training is something that firms should be integrating into their employees’ working life as a matter of urgency. Cyber attacks are increasing across the globe and, without proper training, staff can inadvertently cause almost unlimited damage to an organisation.
Most firms are focused on compliance but they need to push through that to promoting awareness and behaviour change… The key message is that it’s a shared responsibility – it’s not down to the risk team, the IT team or the compliance team.
James van den Bergh – Security Awareness Specialist, DLA Piper
As we near the close of 2019, consider the financial and psychological impact a successful cyber attack could have on your organisation, then consider the price of security awareness training. The return on investment makes it by far the most effective way to reduce your cyber attack surface and safeguard your business into 2020.