March 27, 2017

Cyber and privacy risks for professional firms

A joint report by GCHQ's newly opened National Cyber Security Centre (NCSC) and the National Crime Agency (NCA), published earlier this month, warns that the cyber threat to UK business is at an all-time high. Given that 2016 was the year in which law firm data security came to the fore, through high-profile events such as the Panama Papers and the rise of ransomware, it seems reasonable to expect that this threat will affect professional services firms in much the same way as the wider economy. Drawing on the cybersecurity trends for 2016/2017 identified by the NCSC and NCA, we explore below the current threat level to professionals, the form future threats might take and what firms can do to minimise the risk of suffering a data breach, as well as the steps that can be taken to mitigate the financial, reputational and legal fallout should a firm fall victim to a cyber-attack.

The current threat level to professional firms

In the above-mentioned report, the NCSC and NCA warn that "in the three months since the NCSC was created, the UK has been hit by 188 high-level attacks which were serious enough to warrant NCSC involvement, and countless lower level ones."  Indeed, a look back at the major events of the past year shows that the threat is serious and growing.  The report highlights the "pivotal incidents" of 2016, including the theft of $81 million from Bangladesh Bank and the hacking of the US Democratic National Committee, which the NCSC and NCA believe demonstrate the growing "scale and boldness" of cyber incidents.

The professional services industry has also been affected by this trend.  The so-called Panama Papers event suffered by Mossack Fonseca was the largest data breach in history by volume, with approximately 11.5 million legally privileged and sensitive financial documents leaked by a whistle-blower.  This incident highlights that threats may come from within as well as without.

Professional services firms make attractive targets for malicious actors, not least because of the wealth of confidential data that they hold on behalf of their clients.  Firms are often regarded as the back door to the sensitive information of their clients, particularly those in the financial services and healthcare sectors, which traditionally have far more sophisticated data security than their professional advisers.  Indeed, the NCSC and NCA report that the most common vulnerabilities exploited in 2016 were not novel but well known, and could have been avoided by patching legacy systems.

Sophisticated threats such as nation state and corporate espionage have already touched the legal sector.  Last year it was revealed that a number of major US and UK law firms had been penetrated by hackers with links to the Chinese government.  It was reported that partners practicing M&A and intellectual property law were specifically targeted, indicating that the goal of the hack was to obtain confidential corporate information.

The more commonplace but no less serious attacks on law firms often involve "Friday afternoon fraud", in which cybercriminals use social engineering and spear-phishing to induce unwitting employees to transfer money to accounts controlled by the criminals.  In the 18-month period to June 2016, it is estimated that criminals stole £85 million from UK law firms through schemes of this kind.  In December 2016, the SRA revealed that Friday afternoon frauds represented 75% of all data breaches reported by law firms.

Although breaches on a similar scale have not been publicly reported for other professional services firms, the risk should not be underestimated.  One cyber insurer estimates that the number of cybersecurity events affecting accountants has increased almost tenfold over the past decade, with a median loss of approximately $800k.  Accountancy firms hold a substantial amount of confidential financial data, the compromise of which could have serious consequences for both the firm and its clients.

A further trend identified in the NCA and NCSC report is the growth of attacks involving the Internet of Things (IoT), a result of the increasing prevalence of internet-connected devices.  This poses a particular risk to the construction and property industries, in which IoT devices are fast becoming the norm with the development of smart buildings.  As early as 2013, two cybersecurity researchers were able to gain access to the building management system at Google's Sydney office.  The insecure system was identified through the Shodan search engine which, by way of example, the NCA/NCSC say revealed over 41,000 vulnerable units of just a single model of digital video recorder as of January 2017.  Fortunately, in the Google case, the researchers were not malicious.  Nevertheless, it demonstrates a developing risk and raises the spectre of liability for construction professionals where, for instance, hackers gain access to temperature controls and door mechanisms.

Finally, it should not be forgotten that all professional firms, like all businesses, may also be targeted for the more day-to-day data that they hold, such as personal and financial information relating to clients and employees.

The future cybersecurity landscape

Some futurists believe that we will see increasingly sophisticated cybercrime, such that data security technology will no longer be able to develop with sufficient speed to counter the developing threat. 

In the short term, the NCA and NCSC report warns that the most significant attack of 2017 may not emanate from state-of-the-art technology such as the IoT, but will instead relate to "the Internet's building blocks".  Such an event could take the form of an attack on an upstream provider of services critical to the running of many organisations, such as website hosting, email and database servers.  By way of example, a UK-based provider of accounting and payroll software suffered a data breach in August 2016 that appeared to compromise personal information of employees at 280 UK businesses.  This demonstrates how professional firms may be at risk through the vulnerabilities of their third-party service providers, as well as of their own internal systems.

In addition, the report predicts that we may see the rise of attacks that tamper with data or systems, rather than merely steal data or extort payment, such as unauthorised code embedded in operating systems or silent changes to firewall configuration.  A firm that does not notice such changes may unknowingly leave cybercriminals in a position to control, or decrypt, confidential information.  Detecting tampering of this kind depends on knowing what the expected state of a system is, which is why documented baseline configurations and integrity monitoring of critical systems matter.

Finally, a sea change in the way data breaches are dealt with and reported will be brought about by the EU General Data Protection Regulation (GDPR), which will apply from 25 May 2018.  The GDPR will introduce mandatory notification to the Information Commissioner's Office of certain types of breach, as well as the prospect of fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.  On that basis, the Payment Card Industry Security Standards Council has estimated that UK firms could face fines of up to £122bn in 2018 alone.

Fighting the cyber threat for professional firms

Against this background, it is clear that professional services firms must take proactive steps to manage the risk posed by cybercrime in order to protect both themselves and their clients.  In light of the role that known vulnerabilities and unwitting staff play, the NCA and NCSC recommend that businesses invest in technology, people and processes.  Appropriate staff training and awareness provide a solid foundation for a firm's defence when paired with the basics of cybersecurity that are still often overlooked, such as patching existing systems and encrypting portable devices.  As manual processes are increasingly digitised, firms must ensure that any resulting security weaknesses are dealt with appropriately.

Firms must also be aware of their legal and regulatory obligations.  Regulators are taking an increasingly hands-on approach to data security and publishing guidance that firms would be well advised to apply.  By way of example, the SRA's latest paper on IT security, published in December 2016, highlights the growing risk posed to law firms by cloud computing, email fraud/phishing and ransomware.  The SRA's view is that a good defence, including up-to-date IT systems and educated staff, will deflect most cyber-attacks.  In particular, firms are advised to develop a cyber-aware business culture, with clear and efficient internal procedures for handling money, to consider certification schemes such as the Government's Cyber Essentials, and to adopt measures to avert Friday afternoon fraud, for instance a policy of confirming payment details over the telephone.  For that check to be worth anything, the call must be made to a number the firm already holds on file, never to one supplied in the email requesting the change.

Other regulatory and professional bodies have published data security guidance, such as the ACCA, RICS and the ICAEW, from which several common threads can be identified.  For example, RICS, warning that surveyors are no less vulnerable to data breaches than their accountant and lawyer counterparts, directs readers to the Government's Cyber Essentials initiative to assist in adopting appropriate internal controls, as well as recommending regular patching, training and ensuring staff only have access to information appropriate to their role.  Similarly, the ACCA warns about the risks of accountants using cloud solutions, particularly relying on the data security of the third party provider, whilst also flagging that SMEs make attractive targets for hackers since cost will usually be prioritised over security.

Firms are also advised to discuss their professional indemnity and cyber insurance programmes with their brokers, to ensure they provide adequate coverage.  Cheap premiums and the possibility of preferential rates built into the policy for breach response vendors, such as forensic IT specialists, make cyber insurance an attractive option.  Furthermore, first-party expenses, such as the costs of retaining external security experts to contain the breach and the legal fees incurred in notifying regulators and affected clients, will not be covered by a professional indemnity policy.  However, cyber insurance is no silver bullet and should not be regarded as a substitute for good risk management.  Indeed, there may even be coverage issues if a firm has failed to implement reasonable measures to protect against the loss suffered.

Above all, the current threat landscape makes it clear that professional firms should regard a cyber-attack as a case of not if but when.  Therefore, in addition to the risk management strategies outlined above, firms should have a streamlined data breach response plan that can be put into motion to limit exposure as soon as a compromise is identified, including "offline" contact details for key decision-makers within the firm and for stakeholders such as insurers, regulators and, if required, law enforcement.

Finally, the NCA and NCSC encourage firms to collaborate and share knowledge with industry peers, as well as law enforcement in the event of more serious threats, in order to provide an early warning system of potential cyber-attacks and jointly improve processes through shared experience.  In the same vein, the report recommends that cyber incidents should be reported to regulators, Action Fraud and, if significant, the NCSC.  It is anticipated that through a better understanding of the threat landscape, the cyber threat posed to the UK economy, of which professional services are an integral part, can be combated.

Authors: Tom White and Rosalind Greenwood