In this series of news alerts, our regulatory and professional discipline partner, Andrew Pavlovic, identifies three key regulatory trends of which firms and solicitors need to be aware in 2022. In this third alert, Andrew Pavlovic considers the steps law firms can take to better protect themselves from the rising risk of cyber-security issues and the regulatory implications of cyber-crime on firms, including the obligations firms have to report cyber-security breaches.
Cyber risk has been an issue for law firms for many years. However, the changes in working environments brought about by the Covid-19 pandemic have been particularly helpful to cyber-criminals, with increased homeworking and remote authorisation processes resulting in increased opportunities for fraudsters. Many firms have had to invest significantly in their IT infrastructure in order to ensure that their systems are sufficiently robust to resist attack.
Ransomware has emerged as a growing threat in the last year, with the UK National Cyber Security Centre reporting that there were three times as many ransomware attacks in the first quarter of 2021 as there were in the whole of 2019. Ransomware is typically deployed through phishing attacks – where employees/members are tricked into providing details or clicking a link that downloads the ransomware software onto a computer.
Law firms are particularly vulnerable to ransomware due to the large amount of confidential and privileged information that they hold. Any release of that information has the potential to result in large fines and regulatory action from both the Information Commissioner and the SRA. Where attacks occur, the SRA will require evidence that sufficient training has been provided to staff and that the firm's IT systems are adequate.
In the summer of 2021, two high-profile and highly regarded Chambers were subject to ransomware attacks, resulting in the Bar Council issuing a cyber-attack warning for Chambers, and advising that Chambers should investigate obtaining insurance for cyber-attacks or business interruption if they had not already done so.
More recently, the Simplify Conveyancing Group was hit by a cyber-attack, significantly compromising its IT systems, and leading to complaints of delays on transactions from clients. Their regulator (the Council for Licensed Conveyancers) publicly stated that the Group needed to improve its communications with clients and lenders. The attack has been raised in Parliament, with some MPs calling for an inquiry and compensation for clients whose transactions have been delayed.
Finally, “Friday afternoon fraud” remains a significant issue in the conveyancing sector, with millions of pounds a year being diverted to fraudsters sending e-mails impersonating solicitors. In 2021, the Law Society, National Crime Agency, Action Fraud and the National Economic Crime Centre issued joint guidance to consumers to highlight this issue.
The vast majority of law firms repeatedly emphasise in engagement letters/e-mail footers that their bank details will not change during the course of a transaction, and similarly solicitors should be suspicious of any e-mails by “clients” requesting that completion proceeds are sent to a different bank account. Notwithstanding this, frauds do continue to occur, and solicitors can face breach of trust or negligence claims where their conduct has contributed to the fraud occurring.
It is clear that cyber-attacks will represent an increased risk in 2022, and that there are potential regulatory implications for firms that fall victim to such attacks.
If you have any questions arising from this alert, or for any other regulatory queries, please contact our Partner, Andrew Pavlovic, who specialises in regulatory and professional discipline issues for law firms and partners, high-net-worth individuals, companies, charities and regulators.
Read Part 1: SRA Investigations into Personal Misconduct here.
Read Part 2: SRA Treatment of Junior Solicitors here.
Andrew Pavlovic is recognised by Legal 500 UK 2021 & 2022 as a ‘Rising Star’ in the field of professional discipline, and has substantial regulatory experience, having previously acted for the Solicitors Regulation Authority over several years in complex disciplinary proceedings and subsequent appeals.