Law firms must guard against cybercriminals

 

Read this article on the Law Institute of Victoria’s News page, featuring Law and Cyber’s Founder, Simone Herbert-Lowe.


Karin Derkley

29 January 2024


The lawyer may be the first person a client will sue if they lose money as the result of a law firm’s cybersecurity breach, says Law & Cyber founder and principal Simone Herbert-Lowe.

“That’s because chances are the client is never going to be able to find the cybercriminal and they'll never get their money back.” 

That makes it essential that lawyers set up and protect their IT systems to ensure the security of client information, she says.

Ms Herbert-Lowe will be presenting on ways law firms can manage and mitigate the risks of cybercrime at the LIV CPD Intensive in March. CPD Intensive 2024 is an all-day conference with sessions covering legal innovation and technology, practice management, substantive law and wellbeing initiatives.

Cyber risk is a completely different risk to the kinds of risk that solicitors have faced in the past, Ms Herbert-Lowe points out. 

“It's got nothing to do with your professional skills as a lawyer. And yet it's totally connected with your work as a lawyer because you have a duty of confidentiality, a duty of care, and fiduciary duties in managing trust accounts.”

Lawyers and law firms are particularly vulnerable to cybercrime and cyber incidents because of the types of information and transactions they manage, she says. “Law firms are treasure troves of useful information.”

Common cybercrime incidents involve emails impersonating a lawyer and directing money to a fraudulent bank account. These have become particularly prevalent in property transactions, which can involve substantial amounts of money. 

The LPLC last year reported a steady rise in notifications of cyber fraud incidents, including by many small firms and sole practitioners, with claim costs for the first half of the year exceeding those for all of 2022.

Another increasingly common form of cybercrime is cyber extortion, where cybercriminals hack into the firm's network and blackmail the firm with threats to release confidential client information. HWL Ebsworth last year suffered a major data breach after it refused to pay up in a ransomware attack.

In some cases, hacks can be conducted to steal a competitor’s information, such as in a mergers and acquisitions matter.

Generative AI has created new risks for law firms by being used to create highly credible fraudulent emails and even voice messages. But AI can also provide a tool to detect whether cybercrime activity is occurring, she says.

Training to recognise and deal with cybersecurity threats is essential, she says. “And it needs to be compelling and relevant and engaging, not just a tick the box exercise.”

It's not enough to assume this is something that will be taken care of by the IT department, she warns. “Fraud can happen in ways that are specifically targeted to individuals.”

That includes senior lawyers, who sometimes believe they don’t need to worry about cybersecurity. “In fact, they’re the really big fish because people know that they have access to valuable information and can approve payments out of the trust account.”

Training needs to emphasise the impact of a hack or a fraudulent transaction, she says. 

“Once people realise that it's not just a boring IT issue that they've been forced to sit through, but that it’s an important issue for them personally and professionally, that's much more persuasive for people.”

Join us at the Law Institute of Victoria's 2024 CPD Intensive Day on 26 March 2023.

Find out more and register for the LIV CPD Intensive program here.
