By Rosanna Hayes
The Law Society of South Africa (LSSA) hosted a crucial webinar for legal practitioners on ‘The significant and increasing cyber threat posed to law firms’ on 26 May 2022. Acting Executive Director, Anthony Pillay, introduced the event, identifying the concerns posed to the sector as prime targets of phishing and ransomware attacks internationally. In campaigning for increased consideration of cyber risk, the LSSA has requested legal practitioners to re-evaluate their financial resources in the prevention of cybercrime and welcome the ongoing engagement of cybersecurity to ensure its members’ businesses are more sustainable. Cybersecurity should be considered a business risk, and not simply a matter of compliance, and provisions for cyber insurance are strongly encouraged by the LSSA.
Offering a closer look at the state of cybercrime and its impact within the legal sector, the LSSA was joined by Chief Marketing Officer at STORM Guidance, Harley Morlet, who discussed the complexities of cyber-attacks, and offered guidance on how to become a hard target. Building an overview of the threat landscape and the exponential growth in frequency and severity of cyber-attacks, the presentation first looked at the statistics of cybercrime, identifying the following:
In recent years, ransomware attacks have surged going beyond the global efforts to effectively prevent or respond to them. The WEF report suggests ‘cybersecurity failure’ will become a critical threat to the world within the next two years. The COVID-19 pandemic unleashed a cybercrime wave, which has seen a huge spike in phishing, business e-mail compromise, and ransomware attacks resulting in widespread fraud and extortion. With many employees now working remotely, broadening company systems to include home networks, the opportunity for fraudsters to impersonate employees has vastly increased.
Unprepared for these incidents, many victims of cybercrime initially believe that contacting the police should be their first point of call. However, the police are very limited in the support they can give, with jurisdictional confinements preventing action, and in most instances, a victim incident number will be the extent of their assistance. Concerned over liability, legal practitioners are often the next port of call, and attorney-client privilege is sought so that once attached, advice on the contractual requirements such as notifying partners, employees, and customers can be given. Companies seek out the support of their legal practitioners during their insurance claims process to ensure the agreed cover is met, and to help them demonstrate the implementation of appropriate security controls in accordance with the Protection of Personal Information Act 4 of 2013.
The vast expanse of a client’s money and confidential information held by legal practitioners and legal firms makes them the perfect target for cybercriminals. In addition, when you consider the inevitable litigation should any personally identifiable information (PII) fall into the wrong hands, the legal sector is a prime candidate for double extortion techniques. Previous opportunistic style ‘mass attacks’ have advanced at great speed over the last couple of years to a more skilled, observational approach, researching intricacies, and pursuing organisations that would suffer the greatest damage in the event of a data breach. Legal practitioners and conveyancers provide great potential for invoice fraud, and the theft of client funds, while being ideal targets for double extortion ransomware attacks, as the impact of being named and shamed and the significant reputational damage will likely lead to payment.
Conducting research publicly available online, and using social media platforms, attackers are searching for information on you, your clients, and employees (particularly those in your finance and Information Technology (IT) departments), harvesting details that can be used in their social engineering tactics. They will trawl the dark web for breached information on your employees or stolen organisational data, including breaches from other companies that held data on you, or your employees. Where passwords are available among that data, they can actively search for users that appear to recycle them, testing those passwords against the organisation’s systems. For this reason, the security community believe that passwords as a protection mechanism, without a secondary factor of authentication, are dead.
As information is generally so readily available, criminals are often able to craft precise attacks with a decent probability of succeeding. Once a cyber attacker has your data, they can use it to extort you and your clients, and where law firms are concerned, this is primarily through business e-mail compromise and double extortion ransomware techniques.
In an article, General Manager of the Legal Practitioners’ Indemnity Insurance Fund NPC (LPIIF), Thomas Harban, addressed the importance of cyber risk management for the legal sector (Thomas Harban ‘Ongoing cybercrime threats’ 2021 (May) DR 6). Mr Harban reports that statistics by the LPIIF ‘show that South African law firms have been the target of cybercriminals for over a decade’.
Conveyancers are primary targets for fraudsters in an emerging new trend observed by the security community. In many cases, the initial point of compromise is weeks and even months before the actual attack, as the attackers gather information and carefully plan the fraud. In business e-mail compromise attacks, fraudsters gain entry to a firm’s mailbox to gather information on property transactions and the exchanging of contracts, before performing highly targeted attacks. To facilitate the attacks, criminals inject themselves into the e-mail chains between sellers or buyers and their legal practitioner. In many instances, a subtle change in domain names goes unnoticed and is enough to spoof both the firm and the client. However, this may be unnecessary if the attacker is confident of their ability to remain undetected in the organisation’s mailbox, and in such instances, client messages will be forwarded to the attacker and hidden from the mailbox owner. The fraud occurs when bank details are provided to the client – and vice versa – and the victims then proceed in making payments to a fraudulent account.
Claims Executive at the LPIIF, Joseph Kunene, gave testament to the situation faced by legal practitioners in South Africa. Giving his first-hand experience of business e-mail compromise attacks against conveyancers and in particular their clients, he spoke about cases where the fraudsters impersonate the sellers. In the examples provided by Mr Kunene, the criminals attempt to divert the proceeds of the sales from conveyancers with last minute bank account changes. Funds are paid into the attacker’s fraudulent accounts, with sellers left wondering where their money is. Conveyancers are now being stung with claims, and as of 1 July 2016, the LPIIF have excluded cover for business e-mail compromise claims where payments were made to the wrong person without verification of the new bank details. He explained, ‘our policy wording defines the cybercrime exclusion, and where funds are diverted to an alternative account, taking e-mail at face value, there is a clear failure in basic security protocol’. Illustrating the gravity of the situation, he explained that since the 2016 exclusions, approximately 210 claims have been rejected under the cybercrime exclusion, with a value of around R 150 million. One example of a large claim was as much as R 8,8 million. This has the potential to completely wipe out businesses, particularly smaller firms. He added, ‘it seems many smaller practices are less likely to have risk measures in place to guard against these criminal practices, and knowing this, attackers are seeking out the low hanging fruit’.
The LPIIF have been communicating with legal practitioners regarding the exclusions, advising them to – through their insurance brokers – consider the cyber insurance products that the commercial insurance market provides.
The importance of cyber insurance cannot be underestimated, and according to the Hiscox Cyber Readiness Report, 2022 (www.hiscox.co.uk, accessed 8-6-2022), the ability to access critical expertise, such as crisis management or IT forensics, is one of the top three reasons for taking out cyber cover. Of those with in-house expertise, the number two reason is the concern that, if they suffer an attack, clients could make a claim against them. Insurers will look to assess and mitigate the risk across their books, and as a result, insured firms are more likely to bolster their defences following a cyber-attack, than uninsured firms. However, when considering your cyber insurance options, you must first assess the likely implications a cyber-attack would have on your organisation.
Your business continuity plan should evaluate the potential impact of a cyber-attack. With a full understanding of the systems and processes that would be affected by the various forms of cyber incidents, you will gain a true insight into the extent of cover you will need the policy to provide. Consider the financial impact of business interruption, the costs of response and recovery, and the implications of lost data and customer data. With clarity over how your business operates you can determine the extent of an incident and its implications for your organisation.
It is important to understand the details of your cyber policy, ensuring adequate coverage and appropriate exclusions, for example, you will need to ensure your policy covers money lost through business e-mail compromise. As the cyber threat landscape is continuously evolving, it is important to ensure you are covered for losses following a new form of cyber incident that was unknown at the point your policy was taken out. Also, consider whether your policy will cover claims for compensation by third parties, the limits of your policy, and whether your insurer will provide services following an incident to help you recover? Some policies provide services for resiliency planning, incident response, legal and crisis relief, and risk management support with remediation advice. You may have a greater chance of resilience against the impact of a cyber incident by taking advantage of these services and the expertise that comes with them.
It would be advised to evaluate your current organisational cyber risk exposure and cyber security safeguards prior to making your cyber policy arrangements. Some insurers may require you to provide this information so that they can adequately price your risk. Regardless, it is always a good idea to carry out these assessments as they can potentially lower your premiums, while also demonstrating to your clients, partners and other third parties that you take cyber security and the protection of their data, seriously. Often, this is a service provided by the insurer when determining your premiums. Similarly, your insurer will need to have an up-to-date understanding of your cybersecurity measures at the point of making a claim, and when renewing your cyber policy.
The LSSA hosted a subsequent webinar for legal practitioners looking to learn more about what they can do if they or their clients are hit by ransomware. You can listen to the recording here. As mentioned in the previous presentation, Cybersecurity specialists, STORM Guidance (www.stormguidance.com), are offering a 10% CyberProfiler discount to LSSA members using the code UDBP5DV4. CyberProfiler provides businesses with a rapid snapshot of their digital estate from an attacker’s perspective. It highlights exposed systems that criminals will leverage to deploy malicious software such as Ransomware. You can purchase a report of your organisation’s domain here: https://www.armd.digital/product/cyberprofiler-za/
Rosanna Hayes is Head of Communications at STORM Guidance in London.