“$4.6 billion to $53.1 billion claims await a Cloud based computer service hit with a malicious attack,” according to Lloyd’s and Cyence[1].

The average (or any) Australian law firm would not suffer such losses, but the proportionate loss could be equally devastating. The Law Council of Australia Cyber Precedent website estimates the average cost of an attack at $265,000 and 25 days’ loss of service.

Cybercrime stats

   

In 2016-2018, 45% of Australian companies were attacked by online criminals and 36% of businesses hit by fraud reported a high negative impact on reputation and brand strength.

Most experts point to a dual loss: the immediate financial loss to the firm or client and, equally, the reputational loss.

The rise of malicious attacks and the subsequent claims for denial of service or straight theft/fraud is known to all of us.

In many ways, the smaller the firm, the weaker the defenses and the greater the risk of a ‘break-in’. This is illustrated by the ease with which a conveyancing firm lost control of its comparatively tiny network and its clients lost hundreds of thousands of dollars late last year. Fortunately, the loss was restored by the industry participants.

The Law Council of Australia, State law societies and more recently the Legal Practitioners’ Liability Committee of Victoria (LPLC) have concentrated on warning the profession of the risks.

Likewise, the Victorian Legal Services Board has reviewed the situation in its Review of Electronic Conveyancing National Law (ECNL), submitted to ARNECC on 5 April 2019, and commented on the difficulty small law firms face in combating cybercrime. It implies that many small law firms would under-report cases of cybercrime, which emphasises how damaging cybercrime can be to the reputation of legal firms.

As the Law Council says on its Cyber Practice page: ‘Learn, educate and develop a culture.’

Likewise, Cam Oxley of Minters, who has acted for LPLC in legal cyber-attack matters, stated at the Conveyancing Seminar Melbourne in March 2019, “No firm is safe. Develop a risk averse culture which applies both socially and in business.”

Five simple steps to mitigate cybercrime

At the very least, solicitors and conveyancers should have the Don’t Fall For It LPLC black and yellow poster prominently displayed in firms and apply its advice in their daily practice. The poster outlines five steps to ensure fraudsters cannot use your firm to gain access to bank accounts, client records and information.

Double excess on professional indemnity cover claims

In Victoria, from 1 July 2019 solicitors entitled to claim under their compulsory professional indemnity policy face a double excess when a claim arises from any payment or EFT made on the basis of a purported instruction or authority, where the law practice failed to take reasonable steps to verify.

Most firms now include a warning to clients in their email footer about the need to confirm bank details orally.

Insurance is not enough. It is no substitute for good risk management; like car and house insurance, it is just a protection of last resort. Good risk management against cybercrime is essential.

We do not want to be dependent on our insurers and insurance is no substitute for proper preventative measures, practices and training.

In Australia, Marsh Insurance reported in a webinar recently that it has increased its cyber insurance staff by a factor of five, which indicates the growth in risk and also the market for specialised cyber policies.

Cyber insurance should cover both first party losses and (most importantly) third party liabilities for ‘failing to protect clients’ personal information’[2]. Fines are levied by OAIC or ASIC for breach, but there is no cover for personal injury, fraud, criminal acts or reckless claims.

Understanding your specific risk profile exposure is essential.

Solicitors should know:

  • what data they collect,
  • the security measures in place to protect this data,
  • the potential business consequences should this data be compromised, and
  • to what extent privacy awareness and compliance are part of their overall risk management framework.

Will you survive?

It used to be said that very few small businesses, including legal practices, recover from a fire, and one would expect the same to apply to cyber-attacks, whether the attack is a denial of business, theft of a client’s money or a wholesale exposure of client records.

When we are beaten by the criminals, we are strongly advised to have cyber insurance in place. Otherwise, there are plenty of ways to protect your firm against cyber security threats including:

  • Using the right anti-virus software.
  • Educating your employees with phishing awareness training.
  • Investing in two-factor authentication.
  • Always verifying details with relevant parties, such as double- or triple-checking any change in details via different methods of communication. If there is a change of account details, call your client to confirm.

When undertaking a property exchange, the key elements of the process that must be guarded against cyber security risk include the Verification of Identity of key persons, the electronic Contract for Sale and the exchange of trust account details for the property deposit. To help keep you safe, InfoTrack launched Securexchange, which removes the need to share trust account details via unsecured emails and protects the reputation of all professional parties involved in the property transaction.

The key to the service is that only verified parties can view trust account and deposit information, streamlining communication between those parties and offering transparency over the progress of the exchange.

Cyber fraud has become a major problem in Australian property. Hackers are continually finding new ways to intercept communications and divert funds to different accounts, robbing innocent individuals. Your firm is only as strong as the weakest link in your information sharing. To protect your firm, invest in strong technology services and insurance, and always be smart about what information you share. Know who you are communicating with and always choose the safest method to do so.

[1] Internet Law Bulletin October 2018 ‘The Ins and Outs of Cyber Insurance’, Bloch et al, 108.

[2] Internet Law Bulletin October 2018 ‘The Ins and Outs of Cyber Insurance’, Bloch et al, 108.

John Macmillan

Director Principal InfoTrack Property Services Pty Limited (ILP)
