‘Law firms, large and small, must take note’ of the IPH cyber incident
After ASX-listed legal services group IPH noted it could be facing multimillion-dollar costs following a recent cyber incident, smaller firms have been warned of the extensive impacts a breach like this could have on them.
In mid-March this year, IP services group IPH Limited (ASX: IPH) detected unauthorised access to a portion of its IT environment and subsequently halted trading and launched an investigation into the breach.
Later that month, the firm provided an update to the market, confirming that it was continuing to investigate the cyber incident. IPH then noted in an announcement to the market last week that the forensic investigation is now “substantially” complete, and it has identified that a “limited set of data” was compromised by an unauthorised third party during the cyber incident.
While there are a number of key lessons from the incident for the legal profession as a whole, smaller firms, in particular, should be taking “appropriate steps” to prepare themselves for a cyber attack, Mills Oakley cyber risk and insurance partner Jason Symons told Lawyers Weekly.
“In 2023, law firms really must be using multifactor authentication for access to email and document systems, and administrative privileges should be limited as much as possible. And, of course, passwords or passphrases need to be strong, routinely changed and not used across work and personal accounts. There are also some fantastic cyber training courses available to law firms at relatively low cost provided by specialists who understand the cyber risks faced by law firms and can help address them,” he explained.
“Smaller firms just don’t have the resources to do what the big firms do. But they can focus on some things that do not cost the world and can be implemented fairly quickly and easily. On the technology side, smaller law firms should be using reputable security software with anti-virus and anti-phishing protection that is continually kept up to date.”
IPH also incurred costs in the course of responding to and investigating the cyber incident, it reported, including the engagement of specialist third parties and remediation of its network and IT systems. These costs, added Mr Symons, could be detrimental to a smaller firm.
“The financial impact of this cyber incident on IPH will be significant. It has announced a service charge budget shortfall of $4.4 million for the two impacted firms and $2–2.5 million in costs incurred in responding to the incident and remediating its systems,” he said.
“These amounts do not include costs associated with any customer complaints or regulatory action. How much a particular law firm will lose following a cyber incident will depend on the nature of the incident, the size of the firm, its revenue streams, and a number of other factors. But it is safe to say that smaller boutique firms or sole practitioners are at greater risk of a cyber incident being detrimental to the business, and even an insolvency event.
“Smaller firms will generally run on tighter margins, and have less of an ability to survive a downturn in revenue or significant harm to their reputation and loss of clients, on top of the cost of responding to the incident and any subsequent regulatory costs or client disputes.”
Cyber risk has already been revealed to be a key issue for organisations across a range of sectors, including legal, in 2023, with companies urged to implement protective measures such as cyber insurance and take a closer look at their positive security obligations.
For SMEs and boutiques, contractual obligations are also important to consider — particularly as a cyber breach may have a bigger impact on them than BigLaw firms.
This, Lander & Rogers partner Melissa Tan emphasised, comes down to the trust between firms and their clients.
“Lawyers owe fiduciary duties to their clients, and ‘fiduciary’ means trust. In other words, the client places their trust, confidence, good faith and reliance on the lawyer who is providing the legal services. This includes trusting them with their data and information and trusting that the solicitor will keep it safe, secure and confidential.
“When clients’ data are compromised due to a cyber attack, it is not just a breach of the contractual obligations. Once breached, the confidential and privileged status of the information can be deemed as lost, in which case, there can be significant impact on the client’s matter. Depending on the circumstances of the breach, it could also give rise to a breach of the lawyer’s professional and ethical obligations with serious implications for the practice,” she explained.
“More importantly, a loss of reputation can have a very real impact on client retention and attraction. In other words, a data breach may cause a competitor firm’s reputation to be improved and result in a diversion of work to law firms with better protections in place. In some cases, the loss of clients could more adversely impact boutique and smaller firms [that] have a smaller client base and lack the sophistication, by virtue of size and access to resources, to carefully manage a cyber incident and restore service and confidence to clients.”
While Ms Tan noted that cyber and data security vulnerabilities could “make or break a law firm, regardless of size”, there are certain resources BigLaw firms tend to have that smaller firms lack or don’t have the budget for.
“The types of data and information held, and the nature of the risks faced, including financial, reputational and data risks, do not differ based on the size of a firm. The key difference between small and BigLaw firms is the resources available to put in place the practical steps highlighted above to safeguard their business from financial, reputational and data risks,” she added.
“For example, some BigLaw firms may have dedicated subject matter experts like a CISO or heads of cyber governance who understand and are responsible for establishing safeguards, whilst smaller firms with limited resources may not have such subject matter experts in-house and will have to make a call and prioritise the most critical safeguards within their budget.”
In terms of practical steps smaller firms can take to safeguard their business from financial and reputational risks, transparency and a continuance plan should be top priorities, according to Mr Symons.
“A well-managed cyber incident will help minimise damage to ongoing relationships with clients and complaints or disputes. Being transparent and clear about the incident and how it is being met can even be seen in a positive way if it demonstrates professionalism, good management and that the client’s concerns are being addressed.
“The financial risk of cyber incidents to law firms can be addressed in a number of ways. Most importantly, firms need to try and minimise the disruption to the delivery of legal services and, in turn, revenue loss caused by, for example, the loss of access to document or practice management systems like we have seen with IPH. Getting back to business as usual as soon as possible is critical, which will be aided by a rapid forensic response and having accessible recent back-ups,” he explained.
“Law firms can also manage their financial risk through their cyber insurance, which can cover the incident response costs, business interruption losses, and potential third-party liability, including from regulatory investigations or litigation that arise. The law firm may also be a member of a limited liability scheme, which caps their liability under the terms of the particular scheme.”
And while the forensic investigation into the IPH cyber incident is still ongoing, the situation remains an “important reminder” to Australian law firms that the documents and information they hold on behalf of clients are “attractive to cyber criminals”, Mr Symons added.
“Given that lawyers owe their clients duties of care and confidentiality, as well as obligations under contract and legislation, which can all be triggered by this kind of cyber incident, law firms, large and small, must take note,” he said.
“It is also a stark reminder of the significant impact a cyber incident can have on a law firm’s brand and reputation by association with an incident, even when the cause is still unknown.”
Lauren Croft