Wiring funds or sensitive, valuable information demands cybersecurity at both ends of the wire transfer. Cyber criminals have become very adept at intercepting wire transfers of data and money.
But no matter how cybersecure your law firm is, if the other side of the transfer is not secure your firm is exposed: if not financially, then quite possibly in the eyes of your clients. There is also the downtime for your computer system that follows a breach. Many firms that get hacked and don’t have adequate cybersecurity simply go out of business.
Law firms dealing with medical information or PHI, such as personal injury law firms, are subject to HIPAA. They must have the policies, procedures, security controls and security risk assessments required by law.
But there is no one-size-fits-all for firms that don’t handle medical information.
YOUR FIRM’S CYBERSECURITY
If your firm is using Microsoft Office 365, for instance, there are a series of security controls that need to be enabled to protect the law firm from being breached. Other software has similar protection controls.
Your firm should also be doing security awareness training, social engineering training and phishing email training. The attacks don’t just come by e-mail. They can also arrive through malicious software, or through a compromised trusted vendor, as happened with Target.
A local law firm relied on a member of its staff to be their inside IT person. When that person did not configure the controls properly, the firm was hacked, and a half million dollar wire transfer was intercepted. A hacker had broken in and spied on their e-mails for three months. They watched for the words ‘wire transfer’, and once the hacker saw that come through, they registered the domain name of the law firm with an ‘s’ at the end of the name. From that lookalike domain the hacker intercepted the communication and the wire transfer instructions, claiming the routing numbers were wrong and sending new ones: the routing number for the hacker’s own account. The hacker copied and pasted the signature and made it look very authentic, and that is how they were able to exfiltrate the money.
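The lookalike-domain trick in this story (the firm’s domain with an extra letter) is mechanical enough to screen for. Below is an added example, not code from this article or its author: a small Python check that flags inbound mail whose sender domain is within a couple of edits of a trusted counterparty domain, and that separately flags wire-instruction language from any sender not on the trusted list. The trusted domains and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: domains this firm legitimately exchanges wire instructions with.
TRUSTED_DOMAINS = {"smithlaw.example", "riverside-title.example"}
# Phrases that should trigger out-of-band verification regardless of sender.
WIRE_KEYWORDS = ("wire transfer", "routing number", "new bank details")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an appended 's' costs exactly 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None if exact/unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:  # screening threshold; tune for your domain list
            return t
    return None

def sender_domain(msg) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def review_message(raw: str) -> list:
    """Return human-readable findings for one raw RFC 822 message (empty list = no concern)."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    findings = []
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted domain {imitated}")
    if any(k in text for k in WIRE_KEYWORDS) and domain not in TRUSTED_DOMAINS:
        findings.append("wire instructions from an unverified sender: confirm by phone on a known number")
    return findings

# Constructed sample messages mirroring the story above.
SAMPLE_FRAUD = ("From: Jane Partner <jane@smithlaws.example>\nSubject: Wire transfer\n\n"
                "The routing numbers we sent were wrong; please use these new ones.\n")
SAMPLE_LEGIT = "From: jane@smithlaw.example\nSubject: Closing\n\nSee you at the closing.\n"
```

Run `review_message(SAMPLE_FRAUD)` to see both findings; the legitimate message produces none.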
THE OTHER PARTY’S CYBERSECURITY
If your firm is going to send or receive wire transfers or other valuable data to or from an entity you have not done business with in the past, such as a real estate firm, you should ask them what cybersecurity they have in place before sending anything.
You can assess the other party by requesting their cybersecurity risk assessment report and their cybersecurity maturity analysis. You want to know what they are doing and what they have in place to make sure the sensitive information you send them is safe and secure. If they can’t answer these questions, they are not a cyber mature organization and may be a high risk.
If a law firm uses an encrypted e-mail service but the recipient or sender doesn’t, the other party needs to use the law firm’s e-mail system so that both sides can encrypt and decrypt. If one side uses encryption and the other doesn’t, the security of the transfer is nullified.
Some vendors and partners now require a certain level of cybersecurity in order to do business; it’s part of their protocol.
As lawyers, you are not expected to be experts in cybersecurity. A reputable cybersecurity company can help your law firm by auditing both sides of transfers in advance.
An increasing number of law firms are buying cybersecurity insurance to cover the risk of a wire transfer being breached, hacked or attacked by ransomware. However, insurance companies are now denying coverage and claims if law firms don’t have certain policies, procedures and security controls in place. A readiness assessment can help your law firm determine whether you have the protection that will be required to obtain a breach insurance policy.
Craig A. Petronella