Law firms are commonly targeted by cybercriminals and cybercrime presents a perpetual daily risk for them. Robust controls help prevent cybercrime in the first place, but, in this edition of COFA Corner, we look at the actions a law firm and its COFA must take if the practice does become a victim of cybercrime.
There are some immediate actions the principals, the COLP and the COFA must take if the practice has fallen prey to cybercrime. These are also covered in greater detail within the Law Society’s practice note, together with various other relevant and helpful guidance.
- Notify the law firm’s bankers immediately. This is important because the bank may be in a position to stop or reverse a misappropriated payment or to freeze the practice’s office and client bank accounts, if appropriate. The sooner the bank is aware of the situation, the greater the chance of recovering all or part of the funds, thereby mitigating the loss.
- Notify the police via Action Fraud, the National Fraud and Cyber Crime Reporting Centre. See https://actionfraud.police.uk.
- Inform the practice’s professional indemnity insurers.
- Notify the SRA or an alternative, approved regulator, where applicable. They will work closely with the practice to support it and to safeguard its clients’ interests.
- Notify the practice’s insurers, where cyber insurance is in place.
These actions are vital to contain the issue and to manage the practice’s financial position. Other obligatory actions may also be required, such as notifying the specific clients affected.
Actions applicable to the COFA
Principle 8 of the current SRA handbook is a key consideration for the COFA. It tells the practice to: “Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles.”
In addition, any shortfall in client funds held represents a breach of the SRA Accounts Rules. Rule 7 in particular places an obligation to remedy any breach as soon as it is discovered: this includes replacing any deficiency in client funds held.
It is important the COFA actively resolves any shortfall within client funds held. This may result from the processes outlined above, where the bank or insurer, for example, may be able to resolve the shortfall. If this is not possible, or as an interim measure, the principals will need to replace the shortfall from their own resources.
Clearly the size of the shortfall is important and can cause worry to the practice while the situation is being contained and resolved. However, the practice does also need to keep in mind its obligations for its financial stability. This highlights the importance of working closely with the regulators while the situation is resolved.
The period when the situation is resolved - or is in the process of being resolved - provides an opportunity for both the COFA and the practice to reflect on what led to the cybercrime. It is essential to review and assess the existing controls to identify weaknesses which allowed the cybercrime to take place. These weaknesses, or a series of weaknesses, can then be addressed appropriately.
Very often, the systems in place to prevent cybercrime will prove to have been robust and the cybercrime will have resulted from a departure from those systems. Examples could be human error or an intentional disregard for the controls in place. Clearly the review will require follow-up action to prevent a repeat of the situation.
Understanding the nature of the cybercrime attack
Cybercriminals can attack a business in numerous ways, such as by phishing, spearing, hacking or with ransomware: businesses need to understand these so they can put in place the appropriate defensive measures.
Successful cybercrime attacks against law firms commonly arise from emails intercepted between law firms, clients and suppliers, as well as from emails which contain links to malicious software. These are often combined with telephone calls from cybercriminals purporting to be bank employees. The attacks are usually well timed for when the law firm is vulnerable; and the firm needs key controls in place to fend off such attacks.
Examples of key controls
Examples of controls include those below. This list is not exhaustive and includes points included in previous editions of COFA Corner.
- Include within the terms of business for clients that any funds will only be paid to them through the bank account nominated at the outset. Any request to pay funds to an alternative account will only be agreed in exceptional circumstances and after all the necessary checks have been made.
- Check requests to send funds to an alternative bank account with the fee earner responsible or with a principal in the fee earner’s absence. Contact the recipient by telephone using the known contact number to corroborate the instructions.
- If any telephone calls are received which require follow up action, such as contacting the client or the bank, it is wise to avoid making the follow-on call immediately and to use a different line. Scammers often remain on the incoming line in an attempt to make you to believe you have called your client or bank to confirm the instructions.
- View with special caution any payment requests received by email. Never assume the payment details contained in the email are correct: always cross check them with reliable documentation.
- Ensure IT systems have adequate protection in place by involving internal or external IT specialists to check antivirus software, email blockers, etc.
- Consider taking out cybercrime insurance. Ensure you fully understand the policy conditions to ensure that cover is not too restrictive.
It is essential to communicate the established controls and procedures throughout the firm, especially to new joiners, and to provide appropriate training in preventing cybercrime.
Several firms also use IT-testing techniques. An example is to send out internal spoof emails to identify recipients who click on the malicious links contained in them. Those individuals can then be given specific training or reminders of the established controls to make them become more vigilant.
Communicate throughout the firm a clear disciplinary process for when staff depart from security procedures. This may be seen as extreme, but it highlights the importance of adhering to the procedures to reduce the risk to client money etc.
Hopefully law firms will not find themselves in a position where they are a victim of cybercrime, but should the situation arise, the above provides some initial guidelines. We strongly recommend that the principals, the COLP and the COFA seek professional advice in these situations.
Jason Mitchell ACA,
Partner - Legal Sector Specialist
This article is produced by Francis Clark LLP for information only and is not intended to constitute professional advice. Specific professional advice should be obtained before acting on any of the information contained herein. While Francis Clark LLP is confident of the accuracy of the information in this publication (as at the date of its production), no duty of care is assumed to any direct or indirect recipient of this publication and no liability is accepted for any omission or inaccuracy.