Law firms form the nexus of the global economy: establishing legislation, interpreting law for business, traversing mergers and acquisitions, driving patent and intellectual property filings, and chaperoning both institutional and private investor monies into all facets of industry. It’s from this unique vantage point that law firms are privy to a myriad of confidential information that can be used to front run trades, evade prosecution, or perhaps topple governments (at least select politicians).
Last year’s attack on the Wall Street law firms Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP demonstrated how stolen information, such as FDA filings and press releases, could be used to front run trades. Three Chinese hackers were ordered by a federal judge in Manhattan to pay a combined total of approximately $9 million in fines after hacking law firm email servers to steal corporate merger plans. The U.S. Securities and Exchange Commission (SEC) alleged the trio used the stolen confidential information contained in emails to make at least $3 million in profit by purchasing shares in at least three public companies ahead of public announcements that the companies had entered into merger agreements.1
In 2017, the Paradise Papers represented the next evolution of the Panama Papers, and demonstrated that even innocuous tax law files could be monetized or weaponized by (self-proclaimed) ethical hackers. No one would have wagered that some under-the-radar law firm in a tropical paradise could house the type of information that can destabilize a government or ruin the career of elitist politicians and socialites.2
Even on a smaller scale, breaches of client confidentiality and privacy law attract fines and enforcement action from the Information Commissioner’s Office (ICO). Take, for example, the barrister who was fined £1,000 for the accidental exposure of client information. While the fine might not raise eyebrows, the way in which the client data was exposed should. In this case, the barrister stored files pertaining to his family law practice on his personal computer, which family members could access through a shared password. The 725 files were unencrypted and were moved to temporary cloud storage so that the barrister’s enterprising spouse could update their home computer. The files were exposed to Internet search engines and 15 of them were indexed. Six of the documents contained confidential information relating to clients involved in proceedings in the Court of Protection and the Family Court. Up to 250 adults and children were affected in the incident.3
Just as practice area does not predict who gets attacked, neither does firm size. Even the largest firms fall prey to massive outages as a result of ubiquitous ransomware attacks. Last year, the M.E.Doc accounting software firm in Ukraine was systemically exploited, owned, and used to spread the NotPetya malware, taking down the likes of DLA Piper, one of the most prestigious law firms.4 The outages became public and caused significant embarrassment (and presumably lost billings) due to the magnitude and ferocity of the assault.5 This form of systemic attack has yet to fully evolve. Tomorrow will bring the next generation, which specializes in infecting its homogeneous host through very targeted assaults on the core industry-centric tools upon which the industry depends and cannot operate without. Think eDiscovery, document management, time and billing systems, etc. With one successful data breach, cyber criminals can simultaneously attack hundreds of law firms and cause industry havoc, which would no doubt spell the end of the service vendor and attract the eye of the privacy commissioner.
The issue of data privacy will only become more critical as the European Union’s General Data Protection Regulation (GDPR) comes into effect in May 2018.
We have moved from a world of opportunistic and transactional attacks to one of selected targets with higher expected payouts in ransoms and extortion fees. Cyber criminals are no longer stumbling across law firms as they cast a broad net. They are on the hunt for big game and stalking their prey. The depth, complexity, and magnitude of breaches are far reaching and show no sign of slowing down.
Many of these events, whether they result from insider vulnerabilities or are conducted by external hackers, could likely have been detected and mitigated. What ends in a business-disrupting event often begins with a click on a harmless-looking link. Sometimes it involves complex social engineering, credential harvesting, and clandestine operations inside the network to locate and slowly exfiltrate valuable data. The Paradise Papers should serve as a warning for law firms who have built a cyber practice on a strategy of loss and recovery. All too many firms take out cyber insurance while retaining disaster recovery services to restore their data and infrastructure after an attack. No amount of insurance, back-up systems, or business continuity plans can put the genie back in its bottle.
It’s for this reason that more and more law firms are considering improving their security posture. In some cases, larger firms are adopting ISO/IEC 27001 certification. According to the International Legal Technology Association, nearly 50 member firms have achieved certification, with the same number working towards it. In fact, the London office of the BSI Group, which provides cybersecurity certifications, including ISO, reports an exponential increase in related inquiries from law firms.6
While not all law firms can afford to venture down the ISO roadway, mid-sized firms are investing to increase their cybersecurity resilience. ISO/IEC 27001 requires considerable financial and resource investment, but other non-attestation frameworks can serve as a benchmark for establishing good cybersecurity posture. For example, the National Cyber Security Centre (a part of GCHQ) recently introduced Network and Information Systems (NIS) guidance, objectives, and a framework for essential services.7 The objectives set out the following obligations:
- Manage security risks: Adopt organisational structures, policies, and processes to assess and systematically manage security risks to the network and information systems.
- Protect against cyber attacks: Adopt proportionate security measures to protect systems from cyber attacks.
- Detect security events: Adopt capabilities to detect cyber security events affecting, or with the potential to affect, essential services.
- Minimize the impact of cyber incidents: Adopt capabilities to minimise the impact of a cyber security incident on the delivery of essential services, including the restoration of those services where necessary.
The NCSC framework makes a distinction between security monitoring (section C1) and proactive event discovery (section C2). Security monitoring pertains to known threats and compliance management through web and traffic monitoring and IP connection reputation. Section C2 addresses the need to detect unknown attacks through proactive event discovery. Rightly so, the NCSC breaks a common misconception that compliance mechanisms will detect all security threats. Security operations data commonly reveals billions of events that are detected inside perimeter defences. Cyber criminals employ techniques to evade standard security monitoring tools, such as anti-virus software or signature-based intrusion detection systems, which give a direct indication of compromise. It’s these attacks that plague and harm law firms.
Section C2 is critical to law firms, particularly those with highly regulated clients, who must defend against determined and well-equipped cyber attackers. Proactive discovery methods scour indirect, non-signature-based indicators of compromise. Other, less direct, security event indicators may provide additional opportunities for detecting attacks that could result in disruption to essential services:
- Deviations from normal interaction with systems (e.g. user activity outside normal working hours).
- Unusual patterns of network traffic (e.g. unexpectedly high traffic volumes, or traffic of an unexpected type, etc.).
- ‘Tell-tale’ signs of attack, such as attempts to laterally move across networks, or running privilege escalation software.
- The retrieval of large numbers of essential service design documents.
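As an added illustration (not part of the original article or of any NCSC material), the following Python script applies two of the indirect indicators above, activity outside normal working hours and bulk retrieval of documents, to a constructed document-management audit log. The log format, user names, matter numbers, the 08:00–19:00 weekday baseline and the alert thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log from a hypothetical document-management system; the
# format, users and matter numbers are invented for this example.
SAMPLE_LOG = """\
2018-03-12T09:15:02 user=jsmith action=DOWNLOAD doc=matter-1042/brief.docx
2018-03-12T23:48:11 user=aperry action=VIEW doc=matter-2210/term-sheet.pdf
2018-03-13T02:05:30 user=aperry action=DOWNLOAD doc=matter-2210/board-minutes.pdf
2018-03-13T02:05:31 user=aperry action=DOWNLOAD doc=matter-2210/fda-filing.pdf
2018-03-13T02:05:33 user=aperry action=DOWNLOAD doc=matter-2210/press-release.docx
2018-03-13T02:05:35 user=aperry action=DOWNLOAD doc=matter-2210/valuation.xlsx
2018-03-13T10:30:00 user=kwong action=VIEW doc=matter-3301/petition.pdf
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$")

def parse_log(text):
    """Parse each line into a dict; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events

def find_off_hours(events, start_hour=8, end_hour=19):
    """Indicator: interaction outside the assumed 08:00-19:00 weekday baseline."""
    hits = [ev for ev in events
            if ev["ts"].weekday() >= 5 or not start_hour <= ev["ts"].hour < end_hour]
    return sorted({(ev["user"], ev["ts"].isoformat()) for ev in hits})

def find_bulk_retrieval(events, threshold=4, window=timedelta(minutes=10)):
    """Indicator: one user downloading >= threshold distinct documents inside a sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "DOWNLOAD":
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            docs = {e["doc"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(docs) >= threshold:
                alerts.append((user, first["ts"].isoformat(), len(docs)))
                break  # one alert per user is enough for an analyst to triage
    return alerts
```

Running `find_off_hours(parse_log(SAMPLE_LOG))` and `find_bulk_retrieval(parse_log(SAMPLE_LOG))` flags the same user on both indicators, which is the kind of corroboration an analyst would look for before escalating.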
While the Bar Standards Board does not provide direct guidance on cyber security, the American Bar Association has published its ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals.8 Its exploration of threats such as social engineering, ransomware, and business email compromise (BEC) demonstrates that both sophisticated and non-technical attacks continue to plague law firms (as they do across most industries). The handbook also explores how to address these threats and considers the risks associated with the critical technologies that now pervade law firms. The book also provides greater depth around regulatory requirements and international legislation, and explores when and how counsel should initiate a conversation with the client about cybersecurity (let’s hope most are proactive rather than reactive in the event of a breach).
When it comes to cybersecurity, the size of the firm often sets the budgetary tone. A small law firm cannot afford the security technologies and practices adopted by its larger peers. And it’s not unreasonable to think that the standards to which a large law firm is held are not the same as those that a small firm can manage. Yet attacks like ransomware do not discriminate by firm size; the malware simply locks files and demands payment.
All too often, smaller firms have no back-up mechanisms in place and fall victim to such extortion, whereas larger firms use multi-level back-up services to weather these kinds of attacks. The book contains a resource-right-sized approach with a 12-point checklist that smaller firms can use to build a simplified cybersecurity program. For larger firms, the recommendations are more stringent and strike a tone of requirement rather than “nice-to-have” or “try-your-best”. The recommendations are aligned to industry best practices and reflect the core tenets of other security frameworks and highly regulated industries, such as healthcare.
Closer to home, The Law Society offers the Cyber Security Toolkit. This toolkit provides background information to help barristers understand cybersecurity risk and the impact of breaches. It also includes prescriptive guidelines to mitigate cyber security risks and manage a data breach.9
As is the case with other critical services, such as healthcare and infrastructure, law firms have an obligation to recognize the risk they pose to their clients. Cyber criminals see law firms as a top target that provides a growing source of illegal gains. And the currency is your clients’ confidential information. Whether divorce filings, business registrations, mergers and acquisitions, or information used to front run trades on the stock markets, law firms are the custodians of this potentially damaging information. We are well beyond plausible deniability. Law firms must now adopt a cyber security posture that reflects the size of the firm, the risk to their clients if their data is exposed, and the resulting privacy fines, suits, or insurance claims.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark’s role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA).