Hackers turn up the heat on the legal sector

SECURING THE LAW FIRM

25th January 2024


This year has seen a slew of high-profile attacks around the world: what can we learn?

The cyber threat to the legal sector has increased so much that the UK’s NCSC this year released an updated version of its 2018 report on the cyber threat to law firms. The update follows a string of law firm data breaches reported in the past 12 months, most of them outside the UK, but all with lessons for everyone.

 

Firms including Kirkland & Ellis, K&L Gates and Proskauer Rose lost data through breaches, while Gibson Dunn & Crutcher and Loeb & Loeb also reported system breaches.

 

Proskauer Rose was hacked via a third-party Cloud vendor, while an attack on Cave Leighton Paisner exposed the personal data of more than 50,000 current and former employees of food company Mondelēz International – illustrating the extent to which law firms represent a key third-party threat to the world’s largest firms, including systemically important entities such as banks.

 

And an attack on Cadwalader, Wickersham & Taft, the oldest continuously operating legal practice in the United States, put the personal information of over 90,000 clients at risk.

 

The increasing reports of data breaches across several large law firms have come alongside increased attention from states’ national security agencies, with both the U.K.’s GCHQ and France’s ANSSI recently releasing reports of cyber-attackers targeting the legal sector.

 

As well as the obvious damage to their clients and to their reputations, data and systems breaches also expose law firms to litigation themselves.

 

At least five class action suits have been filed against law firms mentioned above, with plaintiffs claiming variously that they didn’t sufficiently guard against the possibility of cyberattacks or that they failed to make timely disclosures to the ultimate owners of the data.

 

So, are law firms learning lessons? Well, there are concerning signs that they are not.

 

First, as the class action suits suggest, firms seem not to be taking sufficient precautions and also seem to be dragging their feet on disclosure. When they do disclose, they often refuse to give any details of the attacks.

 

And in at least one case, a firm is even refusing to disclose to a regulator the extent to which a breach has harmed its clients. The Securities & Exchange Commission subpoenaed Covington in January over a 2020 hack that may have resulted in client data being stolen. The firm claims client confidentiality stops it from revealing the facts and 83 US law firms are backing it in its fight.

 

None of this seems consistent with the idea that information sharing is key to defeating the hackers. And secrecy only adds to the impression that not enough is being done at some firms to prevent these kinds of data loss.

 

It’s not just the US. Australian commercial law firm HWL Ebsworth recently fell victim to a ransomware attack, with Russian-linked hackers claiming to have obtained 4TB of client information and employee data, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map.

 

So, what can law firms do better? What are the key challenges? And where are the key problems?

 

Securing the Law Firm will look at the latest thinking around legal cybersecurity. As well as presentations from some of the world’s largest firms we will also be asking how small and medium-sized organisations can keep up with cybersecurity best practice in the sector.

  • Re-thinking email and messaging: is there a better way?

    • From secure web gateways to clever tools designed to let employees flag suspicious emails, technologists have tried to solve the problem of email and message-delivered malware. And they’ve failed.
    • This is still the number one vector for the cyber attacks that cause real damage.
    • Is there another way?
  • Streamlining tools and information: focus on insight

    • To solve their problems cybersecurity teams are told to add ever more tools to their stacks, and ingest ever more internal and external data.
    • And then they are told to somehow aggregate all of that complexity to detect cyberattacks, determine risk metrics and all the rest of it.
    • So how to change the paradigm?
  • Solutions for CISO burnout

    • The number of security professionals on LinkedIn who’ve left without another job to go to is astonishing given the shortage of cyber-talent.
    • Are CISOs being fired for breaches?
    • Are they quitting companies who’ve lied about their commitment to security?
    • How can firms solve this problem?
  • Re-engineering the SOC: the problem of alert overload

    • One specific example of staff overload is the SOC.
    • There are debates over the value of network traffic analysis and other data.
    • Meanwhile SOC teams are flooded with false positives and even ‘smart’ solutions do not alter this calculus very much.
    • Is the answer to outsource or evolve?
  • Fixing Cloud configuration

    • Cloud security is a multi-dimensional problem.
    • But underneath all the technology and complexity, once again it is human error that is likely to cause the most material losses.
    • For large firms with complex hybrid and multicloud environments, this problem is compounded.
    • So, what are the most common errors and how can they be avoided?
  • From awareness to behaviour

    • There’s too much talk of awareness in cybersecurity and not enough talk about actually changing behaviour.
    • There’s too little talk of personal accountability and disciplinary enforcement of security policies.
    • These are controversial statements - but should they be?
    • Isn’t part of the paradigm shift we need a fundamental change in employee responsibility?

Who attends

Job titles

Chief Information Officer
Global I.T. Risk Manager
Senior Risk & Security Manager
Senior Cyber Security Manager
CISO
CIO & IT Director
VP Cyber Defense Response
Head of Digital Risk Management and Compliance
Partner - Head of Data Protection
CISO
Senior Information Security Executive
IT Infrastructure and Operations Manager
Head of IT (UKMEA)
I.T. Manager
Legal Technology Co-ordinator
In-house Privacy and Data Protection Lawyer
Senior Manager IT Security
Senior Auditor
In-House Counsel
Manager IT Security and Compliance
Head of Cyber, Partner
Enterprise Architect
Head of Information Security
International Head of Operational Risk
Information Security & Business Continuity Manager
Head of IT Security
IT Director - EMEA
Director de Sistemas de Información
IT Enterprise Architecture Manager
Head of IT Europe & ME
Technical Solutions Architect
I.T. Director EMEA
Cyber Security Manager
Senior Security Risk Analyst
IT Security and Governance Manager
Head of IT, UK, EMEA & Asia
Information Security & Compliance Officer
Head of Information Security
Director of I.T. & Knowledge Management
Information Governance, Senior Manager
IT Director
Global IT Operations & Security Manager
Chief Information Security Officer (CISO)
Deputy CIO / CISO
Global Business and Information Risk Manager - Legal
Global Head of I.T. Controls
Head of Commercial & I.T. Risk
Head of IT Security & BCM Leader
Global Director of I.T. Risk & Information Security
Global Data Privacy Officer
Information Security & Risk Manager EMEA
Head of IS & DP
Risk And Compliance Manager
Security & Data Manager
Manager of Technology
Compliance Manager & Data Protection Officer
Head of Information Systems and Technology
I.T. Security Manager
Senior Information Security Engineer
Director of Technology Compliance
Senior Risk Advisor - Privacy & Data Protection
Senior Information Security Manager
Chief Operating Officer
Lead Information Security Officer
Partner & Director of Risk Management
In-House Counsel
Chief Information Security Officer
Head of IT
Director of Global Infrastructure
Global Information Security Risk Manager
Head of Global Information Security
Global I.T. Security Manager
Head of Risk - Associate Director
Head of I.T. Operations & Security
Information Security / Risk Manager
Director of I.T. Security
Senior Manager, IT Security, UK, EMEA & Asia
Senior Legal Counsel
Director, Global Enterprise Security Architect
IT Solution Delivery Manager
IT Operations & Security Manager
Head of Compliance & Risk Management
Head of IT and Projects
Global I.T. Director
In-House Lawyer
Regional Information Security Manager - EMEA & ASIA
CIO
Global Director of Information Technology
Head of Supply Chain Information Risk
Senior IT Security and Compliance Analyst
I.T. Security & Networks Team Leader
Risk & Compliance Partner
Regional IT Manager (Europe)
Data Privacy Manager
Senior Enterprise Architect
Group Head of Content Protection, Cyber Security & Investigations
Risk & Business Continuity Manager
Operations and IT Director
Data Protection/Privacy Manager
Information Security Compliance Manager
CISO
Global Information Security Manager
Head of IT Operations
Senior Information Security Officer
Global Director of IT Risk & Security
CISO
Risk & Compliance Executive
Head of Network & Infrastructure
Infrastructure & Network Security Specialist
IT Risk & Compliance Analyst
National Head of Counter Fraud
Global Security Manager
Group Head of Information Risk and Security
Senior Manager of Cyber Security
Group Security Lead
IT Director
Head of I.T. Security
Vice President, Information Security
Director of Technology - Europe
Head of Technology, Cyber & Data
GDPR Manager
Global CISO
Head of Compliance
Chief Information Security & Technology Officer
CTO
EMEA CIO
CISO, Head of Cyber Security and Data Protection Officer
Information Security Manager
General Counsel
Global Business Information Risk Officer (BIRO) - Group Legal
Risk and Compliance Analyst
Partner
Head of Systems and Infrastructure
Director of Compliance and Data Protection - Europe
Head of Data Protection & Cyber Security Group
Director of Technology & Information
Global Business Continuity Manager
Corporate Security Awareness Transformation Manager
European I.T. Manager
Director of IT
Head of I.T.
Chief Technology Officer
Head of IT
Global Security Engineer
Head of Information Security
Global Infrastructure & Security Manager
Head of Cyber Security
I.T. Infrastructure Manager
European Privacy Counsel
IT Security Operations Manager

Organisations

23 Essex Street
11 South Square
Boodle Hatfield
Slaughter and May
Serle Court
Boyes Turner
Howard Kennedy
Mills & Reeve
Phillips Solicitors
Covington & Burling
Lester Aldridge
Anthony Gold
Weightmans
Stewarts Law
Kemp Little
FBI
5 Paper Buildings
Ropes & Gray
Watson Farley & Williams
Withers
Bristows
Taylor Vinters
Sacker & Partners
Osborne Clarke
Carter Perry Bailey
Dehns
Payne Hicks Beach
Kennedys
Seddons
Latham & Watkins
Kerman and Co
King & Wood Mallesons
Lee Bolton Monier-Williams
Stephenson Harwood
Charles Russell Speechlys
Russell-Cooke
HM Prison Service
Gannons Solicitors
Reddie & Grose
4 New Square
Wedlake Bell
DAC Beachcroft
Fladgate
Edwards Wildman Palmer
Travers Smith
The Bar Council
Lewis Silkin
Kingsley Napley
Mayer Brown
Linklaters
Wellers Law Group
Michelmores
Keystone Law
Horwich Farrelly
Trowers & Hamlins
Dentons
Howes Percival
Ashfords
Dawson Cornwell
GE Capital
Browne Jacobson
Taylor Walton Solicitors
iLaw
Bentleys Stokes & Lowless
3 Verulam Buildings
Keoghs
Foot Anstey
Womble Bond Dickinson
Squire Patton Boggs
Joseph Hage Aaronson
Clarke Willmott
Cripps
Baker McKenzie
TLT
Holman Fenwick Willan
Arnold & Porter Kaye Scholer
Blake Morgan
Thrings
DLA Piper
Mathys & Squire
Carter Bells
Uría Menéndez
Hogan Lovells International
Laura Devine Solicitors
Arendt & Medernach
Vodafone
Magrath
DMH Stallard
Taylor Wessing
Simons Muirhead & Burton
Freeths
Orrick Herrington & Sutcliffe
ticketmaster
Hiscox
Burness Paull
DWF
Clifford Chance
Mishcon De Reya
Asda
Forsters
Bindmans
Pinsent Masons
Ince & Co
Gateley Plc
Glovers
Doyle Clayton
Simmons & Simmons
Bryan Cave Leighton Paisner
Herbert Smith Freehills
Ward Hadaway
Penningtons Manches
Reed Smith
Laytons Solicitors
HSBC
Milbank
Macfarlanes
Eversheds Sutherland
Mewburn Ellis
Memery Crystal
Beale & Company Solicitors
Kilburn & Strode
McGuireWoods
Clyde & Co
Ashurst
Colman Coyle
Allen & Overy
Cloth Fair Chambers
Hengeler Mueller
Fieldfisher
Irwin Mitchell
Bevan Brittan
Bird & Bird
Fountain Court Chambers
Shoosmiths
Crown Prosecution Service
Wiggin
Boult Wade Tennant
Littleton Chambers
Carpmaels & Ransford
Freshfields Bruckhaus Deringer
Addleshaw Goddard
Norton Rose Fulbright
Brodies
Sidley Austin
Cushman & Wakefield
Fragomen
Gilchrist Solicitors
Farrer & Co
Edwin Coe
Simkins

Industries

Barristers Chambers
Legal
Banking
Insurance
Automobiles/Parts
Oil/Gas


Venue

Park Plaza Victoria, London

Location:
Park Plaza Victoria
239 Vauxhall Bridge Road, London, UK, SW1V 1EQ
Telephone: 0333 400 6140
