Professional services firms make attractive targets for cyber criminals and are experiencing an increase in cyber-attacks. The professional services sector, a term that encompasses firms across the spectrum of accounting, legal, insurance and other client-focused businesses, has become a prime target for a number of reasons. One major factor is their access to confidential and sensitive client information, which typically is of great value.
By their very nature, professional services firms often handle their clients' most sensitive information, including financial details, tax returns, identification numbers, asset investments, corporate strategies and intellectual property, relating to both private individuals and businesses. Any of this information, if leaked, could cause devastating financial loss and reputational damage.
Professional services firms also, of course, hold large amounts of client money. 'Friday Afternoon Fraud' is, as the name suggests, the term used for fraudulent attacks on law firms, typically timed for a Friday afternoon to coincide with traditional conveyancing completions and to give the fraudster the weekend before the fraud is detected.
Cyber criminals use various fraudulent means to induce staff members to transfer money to a bank account the criminal controls, often involving some form of email interception.
Traditionally, professional services firms (particularly those in the small to mid-market) are seen as soft targets. Larger organisations often have extensive security budgets and resources to implement strong perimeter and internal defences, but many professional services firms do not have the internal resources to commit the same level of investment to IT security, leaving them with weaker detection capabilities.
Other sectors such as healthcare and financial services have typically had far more sophisticated security than their professional advisors.
Are We Really at Risk?
PwC's Annual Law Firms' Survey 2019 contains a telling statistic: 100% of the Top 100 firms suffered a cyber security event in the past 12 months, with phishing attacks reported as the most common. Phishing is a fraudulent attempt to obtain information through an electronic form of communication, in which the criminal disguises themselves as a trustworthy contact.
The criminal typically uses an email as the weapon, trying to obtain information or to get the recipient to click on a link or download an attachment. Beyond the exposure to external cyber criminals, professional firms are vulnerable to attack from within - rogue employees are a major threat, as are the inadvertent actions of staff (for example, lost or stolen devices).
The risks associated with the use of tablets, smartphones and other devices cannot be overstated – with increased access and flexibility comes a much greater security risk, from data leaks to harmful malware and viruses. Cyber threats present a considerable risk and a possible hefty cost to professional services firms.
DLA Piper, one of the largest law firms in the world, experienced a paralysing cyber incident in 2017 when it was hit hard by the NotPetya 'ransomware' campaign. Its network became infected via a supplier, and the malware encrypted all affected files. DLA Piper's security system detected the malware and the team responded promptly to contain the emergency.
The system was eventually brought back online, but not without huge financial ramifications, including the cost of funding 15,000 hours of overtime for IT workers.
In addition to the financial impact, the potential reputational damage must be appreciated. This sector is founded on trust and discretion - those practising have client confidentiality as a core value. Maintaining a healthy reputation is at the heart of any successful professional services firm and a key part of its business strategy. Loss of client data can have a devastating impact on the firm's credibility and its long-term position in the marketplace. Failure to protect highly sensitive client information can put an entire practice at risk.
Immediately prior to his departure from an insured law firm, an associate who had resigned by email wiped out all of the hard drives available to him and removed the firm's intellectual property and proprietary information from storage devices and backup systems. The insurance company's cyber security response team worked closely with the law firm to recreate all of the applications and information that had been erased, a process that took about 1,100 hours to complete. The law firm was reimbursed approximately $300,000 in costs.
Tracking Your Hacking
An insured law firm received a call from an IT contractor who reported that it had been tracking hacking activity related to a particular domain name. The contractor reported that it had detected evidence that IP addresses associated with the law firm's computers were communicating with the suspicious domain. The firm retained a forensic investigator to assist with the investigation and legal counsel to provide advice with respect to the breach. These services cost between US$400,000 and US$600,000 and were covered by the firm's cyber policy.
The Phish Are Biting
Approximately 100 lawyers and staff members were Bcc'd on a phishing email attaching a file that appeared to be work-related. When each user attempted to open the attachment, the user was prompted to enter his or her Outlook username and password. Over the next 20 hours, the intruder used the harvested credentials to access the firm's Outlook server and read several hundred email messages. The firm retained a forensic consultant and outside counsel, and the matter was resolved within the firm's retention.
The Value of Data
Global accounting firm Deloitte faced a significant disruption when its email system was hacked and data on 350 clients was accessed. Deloitte has confirmed that since this attack, its security protocol has been subject to a comprehensive review, involving a team of cyber security and confidentiality experts.
Cyber Specific Insurance
We cannot overstate the importance of implementing a comprehensive cyber security strategy for your professional services organisation. At Lockton, we currently act for 23 of the Top 100 law firms in England and Wales. This gives us excellent insight into the cyber insurance purchasing habits of, and the exposures faced by, the professional services sector.
It is worth mentioning that many traditional policies will not respond to a cyber breach. While it is possible that, for example, a professional indemnity policy will respond to a Friday Afternoon Fraud incident, when faced with a traditional 'cyber breach', affirmative cover under a standalone cyber policy will be vital.
A cyber policy is designed to respond to the following events, which wouldn't necessarily be met by more traditional policies:
a. Data breach from an external cyber attack
b. Reputational and financial loss from a computer system's failure due to a malicious attack
c. Regulatory defence costs, civil awards, fines and penalties as a result of a security breach
d. Breach response costs
e. Ransom request following computer systems attack
A cyber-attack can have far-reaching ramifications for the professional services sector. Understanding the risks and proactively mitigating them is key. Our team of cyber risk experts will work with you to create a customised solution that protects and insures your business exactly where you need it, and ensures that cyber risks are integrated into your risk management process. Rebuilding confidence is vital.
Your customer's data security is in your hands. Place your business security in ours.