INTEL Series: Simone Herbert-Lowe on Cybersecurity
In the rapidly evolving cybersecurity landscape, law firms are increasingly finding themselves in the crosshairs of cybercriminals. The recent INTEL Session hosted by PracticeEvolve delved into this critical issue, with cyber resilience expert Simone Herbert-Lowe providing valuable insights for legal professionals and highlighting the essential developments and strategies for managing cyber risk in the legal sector.
Key Developments in Cyber Risk and Professional Responsibility
During the session, Simone emphasised the significant developments in cyber risk management, particularly in the context of professional responsibility. She highlighted that while there is a lack of published case law due to the sensitive nature of cyber breaches, regulatory bodies are beginning to set clear expectations for law firms. For instance, the Law Institute of Victoria’s minimum cybersecurity expectations for law practices, published in February this year, serve as a benchmark. These standards are divided into three categories: critical controls, system controls, and behavioural controls.
What makes these guidelines particularly noteworthy is that failure to meet them could be deemed unprofessional conduct or even professional misconduct. Simone urged all law practices to familiarise themselves with these standards, regardless of their location, as they set a precedent that is likely to influence expectations across other states.
Major Cyber Risks Facing Law Firms
Simone identified three primary cyber risks currently threatening Australian law firms: information theft, funds transfer fraud, and ransomware.
- Information Theft: Law firms are treasure troves of valuable information, making them prime targets for cybercriminals, especially those linked to hostile nation-states. The consequences of information theft can be severe, including identity fraud and targeted attacks based on the stolen data.
- Funds Transfer Fraud: This type of fraud, where clients or solicitors are deceived into transferring funds to the wrong bank account, remains one of the most visible and damaging forms of cybercrime. Law firms must be vigilant in verifying payment details and implementing strict protocols to prevent such incidents.
- Ransomware and Cyber Extortion: Ransomware attacks, where cybercriminals encrypt files and demand a ransom for their release, have become increasingly common. Additionally, cyber extortion—where attackers threaten to publish sensitive client information unless a ransom is paid—is a growing concern. The implications of these attacks extend beyond financial loss to potential reputational damage and legal liability.
Meeting Evolving Regulatory Standards
Law firms are not only grappling with cyber threats but also facing heightened regulatory standards. Simone pointed out that the duty of competency now includes technological competency, which encompasses cybersecurity. Law firms must ensure they are managing technology competently, which includes being aware of cyber risks and implementing measures to mitigate them.
To mitigate cyber risks and meet regulatory expectations, Simone recommended several practical steps for law firms:
- Adopt Comprehensive Cybersecurity Measures: Law firms should implement the critical, system, and behavioural controls outlined by regulatory bodies. This includes measures such as multifactor authentication, regular software updates, and staff training on cybersecurity best practices.
- Regularly Review and Update Policies: Cybersecurity policies should be regularly reviewed and updated to ensure they align with current threats and regulatory requirements. This includes having a clear incident response plan in place.
- Educate and Train Staff: Ongoing education and training for all staff members are crucial in creating a culture of cybersecurity awareness. This can help prevent common threats, such as phishing attacks, that often exploit human error.
- Engage with Cybersecurity Experts: Law firms should consider engaging with cybersecurity experts to conduct regular assessments and provide guidance on improving their defences.
In summary, the INTEL Session on Cyber Risk Management underscored the urgent need for law firms to prioritise cybersecurity in an era of increasingly sophisticated threats and stricter regulatory standards. To safeguard client data and uphold their professional responsibilities, firms must adopt proactive, robust cybersecurity practices and stay updated on emerging risks and legal requirements.
For a deeper dive into cybersecurity, including insights on AI developments, evolving digital identity laws, cyber insurance, and client management, you can watch the full session recording on-demand.
Upcoming INTEL Sessions
The INTEL series by PracticeEvolve continues to offer valuable learning opportunities. Don't miss the next session:
Business Development Strategies for Law Firms: Transforming Lawyers into Rainmakers with Scott Simmons
05 September 2024 | 3:00 pm AEST
These sessions are designed to equip Australian law firms with innovative strategies for sustainable growth in a rapidly evolving industry. Be sure to register and gain insights from some of the legal industry's most influential experts.