Background

Paragraph 1.8 of the Code of Conduct requires regulated persons to keep the affairs of clients and former clients confidential. That inevitably includes adopting reasonable, proportionate and effective measures to secure client confidential information from hacking or other cyber-attacks.

Cyber security is now acknowledged as a major risk to business. Some key facts:

  • Cybercrime is now the most prevalent crime in the UK
  • £1 billion was lost to UK business from online crime (2015-2016)
  • 43% of all cyber-attacks are aimed at small businesses
  • During the first quarter of 2016, the legal and justice sector reported the 4th highest number of data security cases.

Examples of cyber-attacks include:

  • Business disruption through distributed denial of service attacks (DDoS), whereby a service or business is flooded with requests from a large number of computers or other digital devices
  • Phishing, involving emails that pretend to be from someone else; a common example is the “CEO fraud” whereby the criminal pretends to be a senior partner or director with the aim of convincing a junior member of staff to transfer money
  • Impersonation of professional firms, including the creation of bogus websites
  • Malware (computer viruses) installed on a system by a fake email attachment or infected device such as a memory stick. A well-established ruse is to leave an infected memory stick in the firm’s car park in the hope that a member of staff will connect it to the firm’s system to discover the identity of its owner
  • Ransomware, which disables files and demands a ransom for a key to retrieve them. Even if the ransom is paid, the key may not work, data may remain inaccessible or be destroyed and the firm remains vulnerable to further ransom demands
  • Hacking: the exploitation of weaknesses in a system (particularly email) to gain unauthorised access. This is what happened to the Panamanian law firm Mossack Fonseca. A particular example is modified email, whereby a criminal intercepts emails between two parties, often by hacking into one of the parties’ email systems
  • Any combination of attacks, such as phishing to deliver malware.

Consequences of a cyber-attack on your business can include:

  • Financial damage – loss of fee income as a result of systems being unavailable and data being lost or damaged
  • A significant loss of management time
  • Losses of client information or money
  • Regulatory breach (including breaches of IPReg Code and data protection legislation)
  • Client claims
  • Negative publicity, reputational damage and loss of trust among clients.

The next page outlines some steps you can take.