Government cyber unit stresses legal sector threats and urges firms to protect themselves

The Government’s National Cyber Security Centre (NCSC) has called on law firms to take action to protect themselves from cyber attacks, amid concerns that many do not have adequate systems in place to ward off threats to their IT infrastructure. The NCSC, which was launched last February, has released a 'legal sector threat report' designed to "encourage industrywide adoption of cyber security best practice", citing the growing financial and reputational impact of attacks on law firm systems. The report states that between April 2016 to March 2017, the Solicitors Regulation Authority received reports of cyber attacks resulting in total losses of £11m in client money, while PwC's 2017 law firm survey found that more than 60% of all law firms reported suffering some form of security incident during the previous year. Perhaps the loudest warning shot came in June last year, when DLA Piper suffered a ransomware attack that shook the firm’s IT infrastructure, triggering lengthy global disruption. Many senior lawyers acknowledge that firms are not doing enough to protect themselves from threats such as data breaches, phishing and malware.

Mark Shillito (pictured), global head of intellectual property at Herbert Smith Freehills (HSF), says cyber crime is "one of the risks that's on every board's mind - and if it isn't, it should be."

"Everyone needs to think about it,” he says, “especially law firms, because of the role they play in the commercial value chain - it's right that the Government is getting behind that”. According to Shillito, HSF is making efforts to ensure its staff are alert to such threats. "We've adopted hacker-type tactics to help train our staff; setting up scenarios and sending fake phishing emails - you've got to keep people on top of that," he says. "You can't relax, because it's neverending. "You've got nation state attackers, but also ordinary decent criminals, so you've really got to get serious about this stuff. We also have an information security group which ensures that we are protecting our own and our client's information, and doing everything we can to minismise risk." Bird & Bird commercial partner Simon Shooter, who regularly speaks on the topic of cyber security, says he is surprised to see how few businesses are protecting themselves against increasingly sophisticated threats. "We're seeing 100% acceptance that cyber risk is a major business risk. Most would put it in their top five [business concerns]. But how many have a response plan? You'll see only 40%-50% of hands in the air. "Professional services firms have been identified for a long time as a target because of the valuable data and valuable information [they hold], and law firms are as critically exposed as anyone due to things like trade secrets and the sensitive client information they hold. "The government is saying that businesses need to do a lot more than they're doing, and need to look after themselves." The NCSC report also highlights a number of industry trends which have made the legal sector particularly vulnerable to cyber attacks, including the rise of automation, the disaggregation of legal services, as well as the use of a widening range of technologies. Linklaters counsel Peter Church, whose practice focuses on data privacy and e-commerce regulation, says the NCSC’s report is a “timely reminder to law firms of ongoing cyber risks” which “highlights the need to ensure they have in place proper processes to protect client data and funds".Church points in particular to the rise of cloud computing within law firms as posing a "particularly interesting challenge". The cloud offers many benefits for law firms, and Church believes that, while it "opens up risks, it also offers more security, particularly for smaller firms which do not have the funds or the resources to arm themselves."