One in ten data breaches over 2023 occurred in the UK legal sector, showing that UK law firms are attractive targets for cybercriminals. Experts told City A.M. that the sector needs better cybersecurity.
A recent analysis of the Information Commissioner’s Office (ICO) data by a data breach law firm, Hayes Connor, revealed the legal sector is one of the worst-performing sectors for data breaches.
Its analysis of the data showed that nearly 86 per cent of the incidents within the legal sector involved breaches of basic personal identifiable information, with instances also prominently affecting sensitive economic and financial data.
Meanwhile, 80 cases of breaches in the legal sector last year involved breaches of children’s data, which Hayes Conner stated raises serious concerns given the vulnerability of such information.
The findings also showed the different incident types behind the data breaches, with the number one reason being emails sent to the wrong recipient.
Last November, a prolific cybercriminal LockBit targeted legacy magic circle firm Allen & Overy (now known as A&O Shearman).
Despite this influx, Jon Bartley, partner at RPC, did point out that the ICO data also shows an increase in reported cyber incidents across the legal sector. In 2023, 70 per cent more phishing incidents and 268 per cent more ransomware incidents were notified to the ICO compared to the previous year.
In addition to notifying the ICO, if law firms or their clients are directly affected by a cyberattack, they must report the incident promptly to the legal regulator, the Solicitors Regulation Authority (SRA).
But why are law firms such a target?
The legal regulator stated that in the first half of 2020, law firms reported that nearly £2.5m of money held by firms had been stolen by cybercriminals, over three times the amount reported in the first half of 2019.
Richard Forest, legal director at Hayes Connor, outlined that law firms are particularly susceptible due to the sensitive nature of the information they handle, such as personal details, business intel, and legal documents.
Bartley explained that a key vulnerability is the information on law firms’ systems regarding ongoing transactions in which payments might be due.
“Access to those systems provides an opportunity to attempt to divert payment by impersonating the lawyer and instructing payment to a changed bank account. This can be a quick method for a threat actor of obtaining funds,” he added.
Forest also added the issues with law firms often prioritising legal expertise over cybersecurity, which may lead to gaps in their digital defences.
What do firms have to do in order to protect themselves?
On Wednesday, the Law Society and the Bar Council said they had updated their cybersecurity questionnaire in response to feedback from the legal sector. This questionnaire is designed to help law firms better assess the cybersecurity arrangements of the chambers and barristers they instruct.
Commenting on that, Nick Emmerson, president of the Law Society said: “We know that no one tool can offer complete protection against cyber threats but this updated questionnaire will help reassure clients that data is kept as secure as possible.”
“Firms will need to continue to take other precautions, but the development of the questionnaire is an important step in the right direction,” he added.
Forest pointed out that “robust cybersecurity measures and continuous staff training are essential for law firms to protect themselves and their clients’ confidential information.”
Bartley also highlighted that law firms need to take a proactive approach to cybersecurity.
“This includes investing in robust security measures such as encryption, multi-factor authentication and regular security audits. Also, implementing comprehensive data protection policies and providing regular training for staff on cybersecurity best practices are essential steps in mitigating the risk of data breaches,” he explained.