Insurers are waking up to the legal profession as the ‘soft underbelly' of cyber security. Analysis of the website of Mossack Fonseca, the firm at the centre of the Panama Papers, reveals glaring security weaknesses. The firm is not the only one to have been targeted by cyber attacks. With one insurer exiting the legal market, and others demanding higher cyber-security standards, the legal profession must get its cyber-act together to stay in business.
This may come as a shock, but some people dislike lawyers.
So, when Mossack Fonseca described itself as a victim of crime (the massive data breach that revealed 11.5 million confidential documents), the firm was probably the only one ‘amazed’ that it attracted so little public sympathy.
Whether the documents came to light through an insider, as claimed by the German paper Süddeutsche Zeitung, or through an external hack, or a mixture of the two, analysis by security experts shows how a single line of code could have given an attacker access to the law firm's client data. Known vulnerabilities left unpatched for years, no segregation of systems, no encryption of data: the list of basic security failures goes on.
In fairness, Mossack Fonseca is not alone. Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, two of New York's leading law firms, suffered data breaches last year that are now being investigated by the FBI. British law firms lost £85 million to cyber-crime in the past 18 months, according to the insurer QBE.
These are not unlucky incidents, against the run of play. The legal profession's poor cyber-resilience has been well understood for some time. Back in 2013, The Lawyer predicted the ‘inevitability of a prominent legal practice going down in flames as a result of a cyber-attack breaching client confidentiality.’ In February 2016, Elite Insurance announced its withdrawal from the solicitors' professional indemnity market (an already thinly populated market), citing the increased risk of cyber-attacks.
As a lawyer who qualified in the late 1990s - just as the commercial internet took off - I've been surprised by how many of my contemporaries display a rather patrician attitude, boasting about their lack of technical knowledge, and looking down on cyber-security experts as jargon-babbling snake-oil salesmen. This cultural problem is not exclusive to the legal profession: a recent study by Chatham House on the cyber-resilience of civil nuclear installations notes that ‘One of the biggest problems we have is that – as in any industry – the operations people dislike IT.'
Some professional scepticism is required, of course, but there is still a gap between the extensive measures to provide physical security and those aimed at securing clients' electronic data - the crown jewels of any legal practice. Rather than delegating the task to the firm's geek, while sniggering behind his back about his lack of social skills, maybe it's time for lawyers to engage their super-brains and deign to understand the technology.
The profession's regulatory rules don't help. The Law Society excludes non-lawyers from owning more than 10 percent of a legal practice - meaning it is highly unlikely that technologists would be at the heart of a practice's management or ownership, guiding investment decisions, testing the claims of security contractors.
But if some lawyers are too posh to take cyber-security seriously, they do worry about their insurance - a prerequisite of remaining in practice. So, the insurance market could become a source of much-needed change in the legal profession.
The challenges are much greater for small to medium sized practices, which have limited resources, and are facing difficult business conditions. There are fewer extenuating circumstances for the large, international firms.
It's not all bleak. Several factors could drive change for the better. QBE has resolved to ‘ask searching questions about what exactly firms are doing to thwart the criminals’. Meanwhile, a US federal appeals court (the Fourth Circuit, whose jurisdiction includes Virginia) has this week confirmed that commercial general liability policies may cover data breaches. If insurers are on the hook to pay out after hacks, they will tighten the requirements they place on their customers.
Cyber-security experts understand that resilience against a determined attacker cannot be guaranteed. That said, 80 percent of cyber attacks could be prevented by businesses putting simple measures in place. When the insurer Aon visited a client (not a law firm), it observed that 19 percent of employees were still using their system's default password, ‘PASSWORD’. Six months later, after a stern talking-to, the client had tightened up its security, with the result that 23 percent of employees had their new passwords stuck to their screens on sticky notes.
While few people may be able to find it in their hearts to feel sorry for Mossack Fonseca, the firm's apparent cyber-security weaknesses, coupled with other high-profile hacks on leading law firms and changes in the insurance market, should all provide a wake-up call to the profession. Cyber-security is regarded by the UK government as a tier one threat to national security, with all the resource consequences that implies. The same should be true for major law firms.
Emily Taylor is an associate fellow of Chatham House, and editor of the Journal of Cyber Policy.