FEATURE ARTICLE
Articles, Issue 89: September 2022
Consider this scenario. On a Monday morning you, as counsel, receive a call from one of your regular briefing solicitors. The solicitor advises that their client, in respect of whose interests you have been briefed and have provided written advice over the previous 12 months, has been contacted by hackers. The hackers say that they have gained access, by hacking your IT system, to the client’s documents (briefed to you) and to your advices, and that these will be published on the internet unless the client pays a hefty bitcoin ransom. Within an hour your chambers receives a ransomware demand from the same hackers, who demonstrate that they have breached the entire IT system in your chambers and that its full content, in the form of electronic briefs and advices, will be published unless $200,000 worth of bitcoin is paid. How real is this? The article by John Meredith below confirms that it is.
The issue
Cybersecurity is of increasing and pressing importance to legal practice. The Bar is not immune from this reality.
In early 2022 the Bar Council and the Bar Standards Board in the United Kingdom were the subject of cyber attacks that were part of a raft of such attacks on the legal profession in London.
In respect of those cyber attacks, it was reported:[1]
The General Council [of the Bar] … has suffered a malicious cyber attack. Action was taken swiftly and required taking our IT systems offline in order to stop the attack and prevent any data loss. Our priority remains the protection of our IT systems and data from further attack. We do not believe any data has been lost. …
Law firms, barristers’ chambers and legal professional bodies are emerging as prime targets for malicious attacks, frequently with the aim of extorting money. Yesterday top-100 firm Ward Hadaway obtained a High Court injunction against ‘persons unknown’ who last month made a $6m (£4.75m) blackmail demand after confidential documents were obtained in a cyber attack.
(emphasis added)
Suffice it to say that a cyber attack upon any professional person is, at the least, commercially embarrassing, and inevitably harmful to the prospect of future dealings with the professional’s affected clients.
In addition, in Australia, a statutory obligation is imposed upon financial services licensees by s.912A(1)(h) of the Corporations Act 2001 (Cth) to have “adequate risk management systems”. Those systems have been found to embrace cybersecurity (see below).
Such an obligation may be expected to extend, by regulation or simply as good commercial practice, to other industries, including the legal profession. That follows from solicitors and barristers holding confidential client information in digital form. Barristers need to address the cyber resilience of their business systems.
RI Advice
The recent case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd[2] involved the application of the above s.912A(1)(h).
Findings were made by the Federal Court of Australia against the respondent, an Australian financial services licensee whose business was targeted in cybersecurity attacks,[3] and which was found not to have had adequate cybersecurity risk management systems in place to meet the risk of such attacks.[4]
In RI Advice, Rofe J canvassed cyber attacks and cybersecurity generally:
[27] As the holder of an AFSL, RI Advice is required to comply with the general obligations of a financial services licensee set out in s 912A of the Act. This includes the requirements:
(a) pursuant to s 912A(1)(a), to do all things necessary to ensure that the financial services covered by the Licence are provided efficiently, honestly and fairly; and
(b) pursuant to s 912A(1)(h), to have adequate risk management systems.
[28] By reason of the broad standards prescribed by ss 912A(1)(a) and (h) of the Act, and the factual matters set out above, RI Advice admits that at all material times, it was required to:
(a) identify the risks that the ARs faced in the course of providing financial services pursuant to RI Advice’s Licence, including in relation to cybersecurity and cyber resilience; and
(b) have documentation, controls and risk management systems in place that were adequate to manage risk in respect of cybersecurity and cyber resilience across the AR network.
…
[57] Cyberspace, and cyber-attacks, concern digital or computer technology or networks, and involve attacks directed at computers, computer systems or other information communication technologies. Cybersecurity is the ability of an organisation to protect and defend the use of cyberspace from attacks. Cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber sources.
[58] Risks relating to cybersecurity, and the controls that can be deployed to address such risks evolve over time. As financial services are increasingly conducted using digital and computer technology, cybersecurity risk has also increased. Cybersecurity risk forms a significant risk connected with the conduct of the business and provision of financial services. It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.
(emphasis added)
Her Honour also considered the expertise required in order to effect cybersecurity:
[46] Cyber risks, an adequate response to such risks and building cyber-resilience requires appropriate assessment of the risks faced by a business in respect of its operations and IT environment. Cyber risk management is a highly technical area of expertise. The assessment of the adequacy of any particular set of cyber risk management systems requires the technical expertise of a relevantly skilled person.
[47] Cyber risk management is not an area where the relevant standard is to be assessed by reference to public expectation. Rather, the adequacy of risk management must be informed by people with technical expertise in the area. I note that during the course of this litigation, both parties engaged highly qualified experts to produce reports outlining their opinions on the cybersecurity measures expected of an organisation like RI Advice. Some of this evidence is referred to in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2021] FCA 1193. Further, the parties’ proposed orders require the engagement of a cybersecurity expert to identify any further measures to be implemented in respect of cybersecurity and cyber resilience.
(emphasis added)
With reference to RI Advice, national legal firm Allens, in a recent article by three of its partners, Valeska Bloch, Christopher Kerrigan and James Campbell, noted that while the case focused upon the particular risks present in the financial services sector, “it is now more important than ever that all organisations take steps to improve their cyber security posture”.[5]
The same authors also noted that RI Advice is an example of “ASIC following a path well-trodden by its overseas counterparts and we don’t expect this to be a one off”, and that “[s]ystems and processes for managing cyber risk must respond to the evolving nature and profile of the risks”.[6]
In a recent article in ‘Lawyers Weekly’,[7] it was reported that a partner and head of cyber insurance at national legal firm Lander & Rogers, Melissa Tan, observed that cyber security risks and challenges now span across all sectors and businesses: “It’s such an important area only because it cuts across every industry, every size of business, and every individual; it really does not discriminate. It’s just an area where, as long as you have an iPhone, as long as you have a connection to the internet, you will be impacted somehow; the question is only when. That’s why it’s so important and so topical. And also, that’s why it’s so difficult to grapple with for some people because it’s so deep and it cuts across everywhere, and it’s broad”.
Cyber attack countermeasures
National accountancy firm KordaMentha, in a recent article by partners Brendan Read and Eric Eekhof,[8] wrote of the use of artificial intelligence in the fight against hacking:
Cyber and ransomware attacks have never grown faster than at rates we are seeing today – and worse is yet to come. Hackers are starting to use artificial intelligence (‘AI’) to create viruses faster than detection methods can keep up, to devise even more deceptive phishing emails and texts and to scan corporate networks for weaknesses. But also still active is the traditional low-risk, low-cost, high-reward ransomware. Driven by the lucrative nature of the trade, cybercrime is only set to rise. The European Union Agency for Cybersecurity noted that 2021’s 150% rise in ransomware is basically a spiralling trend.
AI is, of course, a double-edged sword used by both sides. While it makes life easier for cybercriminals, it can also be used to increase resilience and scope of cybersecurity systems. Still, managers must continue to coach their entire workforces, top to bottom, in how to recognise potential attempts to hack into company systems. If, for instance, an employee has already been taught how to recognise a phishing email, they must now be educated on how the weaponisation of machine learning models is potentially allowing cybercriminals to read their social media posts and customise the emails they send. Tactics now being employed by cybercriminals are boundless.
We will continue to see AI driving an increase in sophisticated cyber attacks. However, AI used for prevention, at its current rate, looks set to win the battle.
(emphasis added)
In the United Kingdom it is now accepted that instructing solicitors expect the barristers they brief to undertake, and to substantiate to the solicitors in writing by checklist, appropriate cybersecurity measures to secure client information.
A ‘Professional Update’ issued by The Law Society (UK) on 16 July 2022 reported that an ‘information security questionnaire’ has been jointly produced by The Law Society and the Bar Council for that purpose. The questionnaire, along with an explanation of it, is at the following link:
https://www.lawsociety.org.uk/topics/cybersecurity/information-security-questionnaire.
In consequence, the time may well come when solicitors or their clients, government or private, will require completion of, and compliance with, a like questionnaire by counsel selected for briefing.
The Australian Cyber Security Centre – a division of the Australian Government’s Australian Signals Directorate – has published a “Small Business Cyber Security Guide” which can be found at:
https://www.cyber.gov.au/sites/default/files/2021-11/ACSC_Small_Business_Cyber_Security_Guide_V6.pdf.
See also:
https://business.gov.au/online/cyber-security/protect-your-business-from-cyber-threats.
The above materials are informative and relatively easily digested sources for barristers to assess and address their cyber resilience.
The Bar needs to act
The publication ‘cybernews’ reports that cyber criminals, whose profits are said to far outstrip those of international drug lords, are so organised that they operate under brand names such as Conti, Quantum, BitPaymer and DoppelPaymer.[9] ‘cybernews’ says that in making ransomware demands cyber criminals hit hard and quickly, and that if they discern tardiness in the response they will pepper management executives, and their families, with emails and mobile phone calls demonstrating that they can and will do the damage they threaten, and in the short term.[10]
Lawyers, of course, are not immune from this insidious cyber reality. Implementing and monitoring adequate cybersecurity risk management systems are likely to become imperative requirements in legal practice. This is as much a matter for the Bar, as it is for solicitors.
Barristers, whether collectively in their chambers or individually, would do well to revisit their current cyber resilience regime with their (aptly qualified, see RI Advice at [46] and [47] above) IT provider so as to ensure that their protection from hacking is as up to date as possible. This ought also to entail barristers acquiring some modest understanding of the subject themselves, a not insignificant challenge in itself.
Obtaining a comprehensive written report from such an IT provider may not only be preventative, but could well prove a useful evidentiary tool in responding to litigation or regulatory intervention, including possibly by the Legal Services Commission, following exposure of a client’s confidential material (eg briefs, advices) in a hacking event. The UK questionnaire and Australian materials mentioned above could be given to the IT provider to assist in formulating the report. Such a report would provide an audit of the status quo and inform improvements in the resistance of the systems to cyber attack.
Cyber security infrastructure is only as good as the humans safeguarding it and the systems they implement. Cyber attacks commonly succeed because a person lets a “threat actor”[11] into the system, for example by acting on a deceptive email or text message. The practical measures in the ACSC guide referred to above (keeping software up to date, turning on multi-factor authentication, using strong passphrases and keeping backups) address the most common ways in. So in addition to engaging reputable IT support, barristers should undertake cyber security training themselves, so that they can spot the risks (eg phishing, by email; smishing, by text) and learn to behave defensively with their data and systems day to day.
I thank the Editor, Richard Douglas QC, for his review and helpful suggestions.
[1] Michael Cross, “Bar left reeling from malicious cyber attack”, The Law Society Gazette (UK), 27 April 2022. Further, in a High Court (UK) decision of 12 July 2022, Justice Heather Williams ordered “a final injunction against the ‘person or persons unknown responsible for engaging in a cyber attack on the [firm] … and/or who is threatening to release the information thereby obtained’, preventing the use or publication of the stolen data”. At that hearing the Court was informed by the applicant (Ward Hadaway) that ‘a number of confidential files obtained from the [applicant’s] IT systems were uploaded to the dark web and made available for download’ shortly after it had obtained the interim injunction: “Hacker uploaded Ward Hadaway documents after injunction, court hears”, by Sam Tobin, The Law Society Gazette (UK), 12 July 2022.
[2] [2022] FCA 496 (5 May 2022) Rofe J.
[3] Involving nine such incidents that occurred between June 2014 and May 2020: at [4].
[4] Prior to the hearing an agreed statement of facts and proposed declarations and orders were tendered: at [8].
[5] Valeska Bloch, Christopher Kerrigan and James Campbell, “Lessons for lawyers from ‘Australian First’ cyber case”, Lawyers Weekly, 12 May 2022.
[6] Ibid.
[7] Lauren Croft, “Cyber risk ‘really does not discriminate’”, Lawyers Weekly, 5 August 2022.
[8] Brendan Read and Eric Eekhof, “Cybersecurity risks for 2022”, FINSIA, InFinance, 18 February 2022.
[9] Many are based in Eastern Europe and Russia.
[10] https://cybernews.com/security/quantum-ransomware-gang-fast-and-furious/
[11] https://www.cyber.gov.au/acsc/view-all-content/glossary/threat-actor