    Wisconsin Lawyer
    October 12, 2022

    Managing Risk
    Stay Secure Online with Cyber 'Fluxing'

    One activity that hasn't slowed during the COVID-19 pandemic is cyber crime. Here are tips for remaining aware of risk levels and preventing and recovering from computer crimes.

    Matthew M. Beier


    Movie buffs might recognize the line, “Time circuits on... Flux Capacitor... fluxing... Engine running... All right!” from the film Back to the Future. The main character, Marty McFly (played by Michael J. Fox), runs through his checklist as he prepares to travel through time in Doc Brown’s DeLorean time machine, which is powered by 1.21 gigawatts of electricity passing through a “flux capacitor.” In general, “flux” can be understood to mean continuous change, and this is an appropriate characterization of the current cyber universe we all face every day: the risks of cyber attacks and associated damages that follow and the need for cyber security and cyber insurance. With so many moving parts, it would seem now, more than ever, lawyers need a flux-capacitor security program to help manage and control their cyber exposure.

    The Risks and Damages

    No matter how hard we try to get ahead of the issue and create a culture of risk awareness and mitigation, cyber attacks don’t go away. Despite efforts to shore up front-line protection with training, strong passwords, dual or multifactor authentication, software and hardware upgrades, and other measures, crimes are becoming more sophisticated, more automated, and more widespread year over year.

    Matthew M. Beier, U.W. 2000, is senior vice president and director of business development at Wisconsin Lawyers Mutual Insurance Co., Madison.

    Network penetration was the focus of a recent study by Positive Technologies that found, “In 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources…. An attacker’s path from external networks to target systems begins with breaching the network perimeter. … Credential compromise is the main route in [71% of companies], primarily because of simple passwords being used, including for accounts used for system administration.”1 That such a high percentage of information systems can be penetrated is truly frightening and is often why risk managers reach the conclusion that it is a matter not of “if” but of “when” any business or individual will be the subject of a cyber attack.

    As custodians of highly sensitive, confidential information, lawyers and law firms are increasingly becoming the targets of cybercriminals. The ABA’s 2021 TechReport found, “[In 2021], the reported percentage of firms experiencing a breach ranged from 17% of solos and firms with 2-9 attorneys, about 35% for firms with 10-49, 46% with 50-99, and about 35% with 100+.”2

    Perhaps the best way to start developing a law firm security program is to understand the methods cybercriminals are using to access and exploit the information lawyers are entrusted to keep secure. Some of the risks law firms face are the following:

    • Distributed denial-of-service (DDoS): a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.

    • Ransomware: a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Cybercriminals then demand ransom in exchange for decryption.

    • Phishing: a form of fraud in which an attacker masquerades as a reputable entity or person in email or other forms of communication. Attackers commonly use embedded links or attachments, which, if clicked by the recipient, serve as gateways to a system to steal credentials or install malware.

    • Data breach: a security incident in which internal or external attackers access confidential data or sensitive information. The information is often used for personal gain, extortion, or both.

    • Social engineering: an email hack executed around the time of a real estate closing (or other transaction) and usually involving fraudulent wire-transfer instructions. This may cause a law firm to unknowingly wire-transfer closing funds to a different account, to which the hacker has access.

    Harm caused by cyber events has been increasing for several years. According to JD Supra,3 cybersecurity threats are becoming more prevalent and more expensive.

    • In 2021, the average cost of a data breach reached $4.24 million per incident, the highest in 17 years.

    • Data breaches in the first half of 2021 exposed an estimated 18.8 billion sensitive records.

    • The total number of security breaches increased by 17% in 2021.

    Law firms have seen an increase in cyber threats since the onset of the COVID-19 pandemic.

    • 24.9% of all ransomware attacks in the first quarter of 2021 targeted small and medium-sized law firms.

    • A 2021 report revealed that the networks of 15% of a sample of global law firms have been compromised and that all firms in the survey were subject to targeted threat activity.

    As we continue to grapple with the pandemic, many lawyers are working from home. Leveraging technology to create a more mobile workforce, although convenient and, perhaps, overdue, also has increased exposure to the sensitive information lawyers are entrusted to protect.

    The amounts of harm and costs stemming directly and indirectly from cyber attacks are staggering, including downtime and loss of billable hours, consulting fees to identify and repair information systems, destruction or loss of files, and time and money to replace hardware and software. And don’t forget the potential damage to a firm’s reputation once clients are notified.4

    Cyber Security

    How can lawyers and law firms protect themselves from these risks? A complete answer to this question goes beyond this article, but a good place to start for a review of a lawyer’s ethical obligations is Wisconsin Formal Ethics Opinion EF-21-02: Working Remotely (Jan. 29, 2021).5 While none of the practices suggested in the opinion are new, they are a reminder of what should be front of mind for lawyers as they perform work functions on their information systems.

    1. Develop and implement a written information-security plan.

    2. Outline security controls and business practices for handling personal identifying information (PII) that address the security and confidentiality of PII and protect against any anticipated threats or hazards to the security and integrity of such information.

    3. Conduct background checks on employees who have access to PII (many acts of theft occur within a company or law firm).

    4. Develop and practice an incident response plan.

      Don’t wait until a crime has occurred to engage data security and privacy counsel. They can a) assist with reviewing and practicing the incident response plan; b) be identified in your cyber liability policy, so you are not required to use data breach counsel without institutional knowledge of your operations; and c) assist in the review of your cyber liability policy to ensure there are no surprise sublimits or exclusions and that coverage is commensurate with the risk.

    5. Be alert and stay alert.
      • Train employees, including by providing law firm-wide privacy risk and awareness training on an annual or semi-annual basis.

      • Conduct an audit on your computers, printers, scanners, copiers, wireless devices, and any other electronic devices that can store personal or sensitive information to determine if PII is unnecessarily stored in an unintended place.

      • Monitor and watch for common fraud schemes. For example, social engineering-involved wire fraud can be prevented by confirming money transfers through non-email means, such as by telephone or in person.

      • Instruct lawyers and other staff members how to recognize phishing attempts. If an email message is not expected, the email address seems to contain an intentional misspelling – for example, “www.northemtrust.com” instead of www.northerntrust.com – or the recipient does not know the sender, the recipient should not open the email.

    6. Use technological measures to reduce the attack surface and mitigate common risks.
      • Maintain firewalls on any computer device connected to the internet.

      • Use anti-virus software and update it no less than every 30 days.

      • Use strong passwords or have password managers.

      • Consider using other measures, such as encryption; two-factor or multifactor authentication; and testing by security experts, such as penetration testing or social engineering testing.
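
    The lookalike-address check from the phishing item under step 5 (“northemtrust.com” in place of northerntrust.com), as an added Python example that is not part of the original article: it collapses visually confusable character sequences and measures edit distance against a list of trusted domains. The TRUSTED list, the confusable pairs, the sample senders, and all function names are assumptions made for illustration.

```python
import re

# Visually confusable sequences collapsed to one canonical form (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
# Assumption: the firm maintains its own list of domains it actually deals with.
TRUSTED = {"northerntrust.com", "wisbar.org"}
# Constructed sample senders (not taken from real mail).
SAMPLES = ["www.northemtrust.com", "closing@wisbarr.org", "billing@wisbar.org"]


def host_of(value):
    """Extract a lowercase host from an email address, URL, or bare domain."""
    value = value.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)  # drop scheme
    value = value.split("/", 1)[0]                        # drop path
    value = value.rsplit("@", 1)[-1]                      # drop mailbox / userinfo
    value = value.split(":", 1)[0]                        # drop port
    return value[4:] if value.startswith("www.") else value


def skeleton(host):
    """Collapse confusable sequences so lookalikes map to the same string."""
    for seq, canon in CONFUSABLES:
        host = host.replace(seq, canon)
    return host


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    host = host_of(sender)
    for good in sorted(trusted):
        if host == good or host.endswith("." + good):
            return "trusted", good
    for good in sorted(trusted):
        if skeleton(host) == skeleton(good) or edit_distance(host, good) <= 1:
            return "lookalike", good
    return "unknown", None
```

    A "lookalike" result is a reason to confirm by telephone before acting, as the article recommends; an "unknown" result only means the domain is not on the firm's list.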

    Ask Us!

    Questions about ethics or practice management? Confidential assistance is a phone call or click away:

    Ethics Hotline: (800) 254-9154, or (608) 229-2017
    9 a.m. to 4 p.m., Monday through Friday.

    Formal Ethics Opinions: wisbar.org/ethop

    Practice411: (800) 957-4670, or practicehelp@wisbar.org

    Real Estate Lawyers and Wire-Transfer Fraud

    Perhaps the best way to prevent situations such as wire-transfer fraud ruining a real estate transaction is to add two additional steps to the real-estate closing checklist and to make sure not to skip these steps.

    Make clear to all parties involved with a real estate transaction that any changes must be 1) communicated and 2) confirmed before executing. Use “low-tech” means for confirmation – call a known and trusted person at a known and trusted telephone number to confirm the changes. With so many options to communicate digitally, we often avoid talking on the phone. The people committing these crimes are counting on communication being via email. Simple telephone calls can often prevent catastrophic results.

    If a fund transfer goes sideways, don’t hesitate. The lawyers will have only a few hours – maybe only a few minutes – to recover lost funds. Contact the bank right away and file a complaint with the FBI.6 Of course, the lawyers should contact their malpractice and cyber liability carriers as soon as possible. Those carriers may have advice or incident-response teams to assist in recovering the money and repairing any damage.

    Lawyers who assist with real estate transactions must educate themselves and their staff members and others involved in these transactions about the possibility of wire-transfer fraud and how to prevent it.

    Insurance

    Wisconsin Lawyers Mutual Insurance Co. (WILMIC) has often informed its policyholders how vulnerable IT systems can be and about the importance of cyber security insurance protection. Unfortunately, obtaining cyber security insurance has become more difficult and more expensive.

    Tom Watson, WILMIC’s CEO, says, “As cyber claims have risen, especially among large law firms, cyber security insurance carriers have pulled back from the market to some degree, and have instituted rate increases and tighter underwriting guidelines in an effort to recoup some of the losses endured through rising and more expensive cyber claims.” Several factors contribute to the difficulty in obtaining cyber insurance: the features of cyber events, including a limited loss history; the unreliability of past data when predicting future events; and the possibility of a large-scale attack in which losses are extensive and spread across many companies or industries.

    According to many reports in the industry, the challenges the cyber insurance market is facing include:

    • Rapid growth in exposure without adequate underwriting controls;

    • The growing sophistication of cyber criminals, many of whom have exploited malware and cyber vulnerabilities faster than companies and law firms have taken steps to protect themselves; and

    • The cascading effects of cyber risks and the lack of geographic or commercial boundaries.

    At least one carrier has figured out how to reach law firms with cyber coverage. On June 1, 2022, the State Bar of Wisconsin announced a new member-benefit program to provide a cyber liability coverage option to Wisconsin lawyers. With the help of Bultman Financial, the State Bar is offering its cyber liability program with carrier HSB, part of the Munich Re family of global companies. “The HSB comprehensive coverage offers cybersecurity insurance and response solutions for members quickly and conveniently, via an online portal, taking the time out of identifying coverage.”7

    Conclusion

    The cyber universe is constantly changing. As cyber criminals are figuring out new ways to steal information, lawyers might find it increasingly difficult to protect themselves and their clients. Putting together a flux-capacitor cyber security program to recognize the ongoing risks, adopting new methods of protection, and obtaining adequate insurance coverage will go a long way to buy some peace of mind.

    Endnotes

    1 Ian Barker, Cybercriminals Can Penetrate 98 Percent of Company Networks, betanews, https://betanews.com/2021/12/20/cybercriminals-penetrate-93-percent-of-company-networks/ (last visited Sept. 15, 2022).

    2 ABA, ABA TechReport 2021, www.americanbar.org/groups/law_practice/publications/techreport/2021/ (last visited Sept. 15, 2022).

    3 JD Supra, Why Cybersecurity Should Be Top of Mind in 2022 (Jan. 27, 2022), www.jdsupra.com/legalnews/why-cybersecurity-should-be-top-of-mind-1297423/.

    4 See SCR 20:1.4 Communication and Wis. Stat. § 134.98, which outline notification requirements, including language, timeline, and notice to regulators.

    5 www.wisbar.org/formembers/ethics/Ethics Opinions/EF-21-02 Working Remotely.pdf.

    6 FBI, Business Email Compromise: The $43 Billion Scam (May 4, 2022), https://www.ic3.gov/Media/Y2022/PSA220504.

    7 State Bar of Wis., New Member Program: HSB Total Cyber Offers Comprehensive Cyber Insurance, InsideTrack (June 1, 2022), www.wisbar.org/NewsPublications/InsideTrack/Pages/Article.aspx?Volume=14&Issue=10&ArticleID=29123.

    » Cite this article: 95 Wis. Law. 43-45 (October 2022).

