The Ultimate Guide to Cyber Risk, Security & Compliance in the Conveyancing Sector
Data breaches and cyberattacks are big news. And the threat from hacks and fraud has become a stark reality for law firms around the world.
Given the level of trust between solicitors and their clients, it is not surprising that criminals target these relationships for financial benefit. However, offenders are not just looking for financial gain. They are also after the confidential data at the heart of solicitor-client relationships.
Today, law firms are at greater risk than ever before, with around 1,400 criminal organisations actively targeting the legal sector at this very moment[1]. Moreover, conveyancers are a specific focus due to the vast sums of money involved in property transactions.
There has been a 112% rise in legal sector data breaches in just two years.[2]
Despite the risk, conveyancers are ill-prepared for dealing with and preventing cyberattacks. As such, a security-first approach is now urgently required.
Common security threats facing conveyancers
There are catastrophic implications of not defending against data breaches and cybercrime. But, before you can put stringent security processes in place, you have to understand the risks.
Push Payment Fraud
Authorised push payment (APP) fraud occurs when cybercriminals deceive individuals into sending them money. Because the victim believes the transaction to be genuine, the client authorises the transfer of funds themselves, so the bank sees a legitimate instruction. The money is then quickly moved through further accounts, often abroad, which makes getting it back almost impossible.
£11 million of client money has been stolen due to cybercrime over one year[3]
APP fraud is on the rise. And conveyancers may find themselves liable if they don’t do enough to protect their clients from scammers and are found to be negligent.
Phishing and Spoofing
Phishing sees criminals use emails, texts, websites, phone calls, etc., to pose as a legitimate person or institution. They aim to lure the people in your firm into handing over sensitive data.
90% of data intrusions start with a phishing email[4].
80% of law firms report at least one attack in the past 12 months[5]
With spoofing, attackers impersonate your firm to obtain financial or other confidential information, for example by sending emails that appear to come from your domain (or from a lookalike of it), or by hosting a fake copy of your website. Email hijacking is the related case in which a genuine mailbox, yours or a client’s, has been compromised and the criminal writes from it directly, so the message passes every check on the sender.
The conveyancing (and wider legal) sector, is at huge risk of financial and reputational losses because of phishing and spoofing. So much so that the SRA is issuing new threat warnings most days.
With fraudulent emails and websites spoofed to a high standard, firms must improve their cyber defences. For example, email security systems can provide robust first-line protection for most attacks.
Property hijackings
Property hijackings (where criminals pose as owners) are escalating. In many cases, criminals will rent a property and steal the landlord’s post. They then use this to pose as the real owner and sell the house to cash buyers.
In one particularly high-profile case, property development company Dreamvar purchased a London property for £1.1 million from a seemingly legitimate seller. It was only after the firm began refurbishment work that the scam came to light.
Initially, despite the buyer’s solicitor acting honestly and innocently, it was still found 100% liable for compensation. However, following a long-awaited appeal[6], the court ruled that both sets of solicitors must ensure that a property transaction is genuine or face the consequences. This decision should put conveyancers on both sides of property transactions on high alert.
Money laundering
The National Crime Agency (NCA) believes that the extent of money laundering impacting the UK could be costing hundreds of billions of pounds each year. Moreover, conveyancing firms are a significant target for money launderers. And, when you consider the amount of money that can change hands in just one transaction, it’s easy to see why.
According to NCA figures, residential property transactions made up 32% of all suspected money-laundering activity in the last three years. What’s more, the SRA revealed that there was a 43% increase in money laundering reports in the opening nine months of 2018[7].
Solicitors can incur hefty fines and even go to prison if they don’t report suspicious activity. So, conveyancing firms must do more to protect against this threat.
Malware & ransomware
Malware attacks – where malicious software is installed on a user’s machine – can be extremely damaging; to your day-to-day operations, your reputation, and your bottom line. Ransomware attacks – an aggressive form of malware which prevents access to systems unless a payment is made – can be even worse.
More than 55% of British law firms suffered at least one cyber-attack in the past 12 months[8]
For conveyancers, being locked out of your IT systems, even for a short time, could make it impossible to meet essential client deadlines. For example, completing a property transaction. And the implications of this could be catastrophic.
Password spraying
Password spraying is the reverse of a classic brute-force attack. Rather than trying many passwords against one account, the attacker tries a handful of very common passwords (e.g. password123) against a large number of accounts, pausing between rounds so that no single account crosses the failed-login threshold that would lock it. Account lockout therefore does little to stop it; banning known-weak passwords and enforcing multi-factor authentication do.
Once an attacker has a foothold in one email account, they use it to pivot: reading the mailbox for payment details, sending internal phishing that colleagues trust, and resetting passwords for other systems. So, one person using a weak password could put your entire firm at risk.
75% of organisations have accounts with passwords that feature in the top 1,000 passwords, and 87% have accounts with passwords that feature in the top 10,000[9].
Denial of Service (DDoS) attacks
A Distributed Denial of Service (DDoS) attack floods a website or email server with traffic from many compromised machines at once, until it can no longer serve legitimate users. The flood does not, by itself, give the attacker access to the data on that server; its direct damage is downtime, although the disruption is sometimes used as cover while a separate intrusion is attempted. A crude variant is to bombard a single mailbox with millions of messages until the mail server collapses.
DDoS attacks have been around for years. In 2010, the law firm ACS:Law was forced offline by participants in the Anonymous “Operation Payback” campaign, organised through 4chan. When the firm’s website was restored, a mistake in the restore published a backup archive of internal emails and financial information on the home page. The breach was caused not by the flood itself but by the hasty, unchecked recovery that followed it, and, as you can imagine, it caused the firm serious reputational damage.
DDoS attacks have increased considerably over the years. And, as more and more connected devices come online, the risk becomes even greater.
It is estimated that 33% of all downtime is related to DDoS attacks[10].
Human threats
Insider threats happen when malicious users (e.g. disgruntled employees), get their hands on confidential and commercially sensitive data. But, when it comes to human risk factors, it is simple mistakes that are the biggest threat to your conveyancing firm. This is because conveyancers often fail to undertake adequate checks, or don’t know, or don’t follow, the necessary security processes.
Common security issues caused by human error include:
- Not undertaking the necessary client checks
- Not following established processes (e.g. how to take payments from clients)
- Losing mobile devices or leaving them open when working remotely
- Sending emails or post containing sensitive data to the wrong person
- Not using the BCC function when sending emails to a mailing list
- Installing unauthorised software onto work devices
- Clicking on dangerous links, downloading viruses or falling victim to phishing scams.
Law firms are still not taking cybersecurity seriously
If your firm is the victim of a cyberattack or data breach, and your security processes are found lacking, you could be liable for a hefty fine.
In July 2019, The Information Commissioner’s Office (ICO) announced plans to fine Marriott International £99.2 million following a data hack. It also plans to fine British Airways £183 million for security failures exploited by cyber-attackers. These fines don’t include any victim compensation payments.
Payments from the compensation fund relating to conveyancing fraud are up from £700k in 2015/2016 to a staggering £3.7m in 2017/2018.[11]
While professional indemnity insurance might cover any losses you incur as a result of a cyber-attack, it is unlikely to include regulatory fines due to negligent security processes. It is also unlikely to cover the potentially significant reputational damage.
How to combat data breaches and cybercrime
Put robust processes in place
Only 55% of law firms have documented policies and procedures for cybersecurity[12]
When it comes to protection from cyber risk, preparation should always be your first line of defence. While not a full and final list, this should include:
Establishing compliant policies and processes
Create (and regularly review) your data protection and financial security policies and processes to ensure compliance with the latest regulations and industry guidance.
You should also have a cyber incident response plan ready. Also, print out a hard copy of this, including necessary reference numbers and phone numbers. If you get shut out of your systems, you may not be able to access this.
Putting the basics in place
Put stringent security controls in place (and make sure that you document these). For example:
- Preventing staff from sharing passwords and ensuring suitably complex passwords
- Making sure passwords are changed if a firm suspects a system has been compromised
- Making sure devices are encrypted and require a password when switched on
- Establishing steps to remove outdated info
- Using encryption and two-factor authentication.
All your printers, copiers, even iKettles linked to your network need the same rigour of security and password regimes as the rest of your tech equipment. Without this, they could provide a route into your system.
Regular testing and monitoring
Commission regular penetration testing (ethical hacking) to probe your systems and proactively identify vulnerabilities an attacker could exploit. Automated vulnerability scanning can run between manual tests and catches known, unpatched weaknesses, but it is not a substitute for a skilled tester who can chain small issues into a real compromise. Also, increase monitoring across websites and apps so that attacks are noticed while they are happening.
Keeping everything updated
In addition to ongoing maintenance, make sure that updates and patches are carried out. This should cover things like browsers, servers, operating systems, antivirus software, malware protection and firewalls.
Managing third-party relationships
Cyber-attacks are often possible due to third-party weaknesses. As such, security controls must be a crucial part of any vendor agreement. Also, analyse any data integrations for vulnerabilities.
What’s more, if you’re merging with another firm, assess their cyber risk before you join the networks. If malware is already present on their systems, consolidating without cleaning up first could spread it to your firm.
Investing in security accreditation
Information security certification (e.g. ISO 27001 or Cyber Essentials) helps to protect client and employee data. This won’t just keep sensitive data secure, it will also demonstrate to clients (and the ICO) that you take your responsibilities seriously.
Meeting the requirements of the GDPR
Establish a lawful basis for processing Personally Identifiable Information (and document this). Also, develop GDPR-friendly policies and templates such as Terms & Conditions and Privacy Notices.
Should a personal data breach occur, the GDPR requires you to report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. So, establish compliant processes for responding to data breaches and other security threats, including a way to record what happened and when you first knew.
Protect against human error
All too often, mistakes happen because people do not understand their data protection responsibilities.
“Challenges such as keeping information safe, cybercrime and compliance with anti-money-laundering regulations need constant attention. The threats of criminals using IT to steal client’s funds is an increasing problem. It is important that law firms develop a culture where cyber security is treated as a serious priority, and take sensible steps to warn their clients about the risks”.
SRA Chief Executive, Paul Philip
Security awareness training
Law firms are failing to train staff on data security, leaving the door open to avoidable data breaches and cybercrime. To combat this, conveyancing firms must establish an acceptable use policy (AUP) that spells out the rules of using digital technology.
In addition, training is vital to ensure everyone understands the policy, the risks, and the potential consequences of breaching data protection laws.
Client and financial checks
Law firms have more stringent security requirements than most other professions. As such, safety measures and checks are vital.
Law Society’s Conveyancing Quality Scheme (CQS)
Changes to the Law Society’s Conveyancing Quality Scheme (CQS) came into effect on 1st May 2019. These changes included a strengthening of requirements to mitigate the risk of property and mortgage fraud, money laundering and terrorist financing. Crucially, the new Core Practice Management Standards (CPMS) reinforced solicitor obligations towards client identity checks and checks against the conveyancer acting for the other party.
Dreamvar v Mishcon de Reya
Following Dreamvar v Mishcon de Reya, both sets of solicitors are now obligated to ensure that a property transaction is genuine or face the consequences. According to the Law Society[13], the steps that must be followed are:
- Reviewing your policy for risk assessing transactions, identifying the facts that make a matter high risk and making efforts to ensure that you have procedures in place to deal with those risks
- Reviewing or establishing policies about when you might ask seller’s solicitors or conveyancers questions, for example, about whether they have carried out their AML investigations. Considering raising questions where there are indicators of potential fraud of the type highlighted in the HM Land Registry/Law Society joint note on Property and Title Fraud (if you raise questions but fail to pursue the responses properly, you may be exposed to additional risk)
- Reviewing or establishing policies in relation to how you will answer questions from the buyer’s solicitors when acting for a seller
- Reviewing or developing policies to establish when you should decline to act if you are not confident that the ‘seller’ is the registered proprietor.
Conveyancers must also be aware of, and put into practice, the following information:
- Anti-money laundering guidance
- HM Land Registry: Practice guide 67: evidence of identity; conveyancers
- Property and registration fraud practice note
- Joint property and title fraud advice note.
Law Commission Proposals
Conveyancers could be held liable for fraud under new proposals from the Law Commission to reform the Land Registration Act. These proposals would place a new statutory duty to check the identity of clients. Where conveyancers fail to take reasonable care, they could be forced to make indemnity payments to the Land Registry.
Use technology to combat cybercrime
Training staff to recognise common scams and risks is vital. However, as cybercriminals become increasingly savvy, education alone isn’t enough.
“No training package (of any type) can teach users to spot every phish. Spotting phishing emails is hard. Spotting spear phishing emails is even harder. Even our experts struggle. The advice given in many training packages is based on spotting standard signs like checking for poor spelling and grammar, and while these can be a good place to start, they can’t be used to spot all phishing emails. Bad guys can spell (and some nice genuine people can’t).”
Sociotechnical Security Researcher, NCSC
It’s essential that you bolster your defences. Not least because, when it comes to digital threats, it’s better if these are stopped in their tracks as soon as possible, without relying on human involvement.
In addition to things like encryption, antivirus software and two-factor authentication (which all firms should use as standard), there are some ingenious ways technology can help conveyancing firms improve their security.
Online portals
As phishing attacks and technological vulnerabilities are costing law firms millions each year, emails are coming under intense scrutiny.
Could online portals like The Cashroom’s provide the answer?
In a word, yes. With a portal, all exchanges are safeguarded, with access restricted to authorised members of the firm carrying the relevant security information.
Indeed, firms not using a secure portal service could pose severe security and GDPR risks. For example, financial and personal information sent through word processing documents and email could be intercepted and used by unscrupulous cybercriminals.
OnDMARC
Many conveyancing firms have invested in standard IT security solutions such as antivirus and spam filtering. These help, but they do not stop a criminal sending email that appears to come from your own domain.
DMARC builds on SPF and DKIM. It publishes, as a DNS record, the policy a receiving mail server should apply to messages claiming to come from your domain that fail those checks, and it returns reports on who is sending mail in your name. Set to reject, it stops rogue third parties impersonating your exact domain. It does not stop phishing from lookalike domains or from a genuinely compromised mailbox, so it complements rather than replaces staff training. For example, Lawyer Checker – which provides technology and products to help protect lawyers and consumers – offers a service built on OnDMARC designed specifically for the legal profession. By using it, conveyancing firms currently vulnerable to email fraud can reduce their exposure to reputational or financial damage.
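The difference between a DMARC record that merely monitors and one that actually blocks spoofing comes down to a few tags. The following added example (not code from the original page, Lawyer Checker or OnDMARC) parses a DMARC TXT record and reports which tags leave spoofed mail deliverable; the two records are constructed, and `example.com` stands in for a firm's domain.

```python
"""Assessing a DMARC TXT record (added example)."""

# Constructed records, not from any real domain. A DMARC record is published as
# a DNS TXT record at _dmarc.<domain>; these strings are what that lookup returns.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return (severity, message) findings; an empty list means the record enforces.

    'high' means spoofed mail from the domain is still delivered; 'medium' means
    it is only partly stopped; 'low' means you are blind to who is spoofing you.
    """
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [("high", f"{exc}: receivers will ignore the whole record")]

    # The version tag must come first or receivers discard the record.
    if record.strip().split(";")[0].strip().lower() != "v=dmarc1":
        findings.append(("high", "record does not start with v=DMARC1"))

    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "no p= tag: record is invalid and gives no protection"))
    elif policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine sends spoofed mail to junk rather than rejecting it"))
    elif policy != "reject":
        findings.append(("high", f"unknown policy p={policy}"))

    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only part of failing mail"))

    if tags.get("sp") == "none":
        findings.append(("medium", "sp=none leaves subdomains open to spoofing"))

    if "rua" not in tags:
        findings.append(("low", "no rua= address: you receive no reports of who sends as you"))

    return findings


def is_enforcing(record: str) -> bool:
    """True when no finding is high or medium, i.e. spoofed mail is rejected."""
    return all(sev == "low" for sev, _ in assess_dmarc(record))


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(name, "enforcing" if is_enforcing(rec) else "NOT enforcing")
        for sev, msg in assess_dmarc(rec):
            print("  ", sev, msg)
```

Moving straight to `p=reject` will also reject your own legitimate mail if SPF and DKIM are not yet set up for every system that sends on your behalf (practice-management software, bulk mailers, scanners), which is why the usual path is `p=none` with `rua=` reporting first, then `quarantine`, then `reject`. The checker above flags `p=none` as high because a firm that stops at that stage has gained visibility but no protection.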
Blockchain technology
A blockchain is an append-only digital ledger. Each new block of records carries a cryptographic hash of the block before it, so altering any past entry changes its hash and breaks the link to every block that follows; copies of the ledger held on many independent computers then expose the tampered copy. Bitcoin’s blockchain, the best-known example, records every bitcoin transaction ever made.
Crucially, the technique is not limited to cryptocurrency. Because it makes retrospective edits detectable rather than silent, it could play a role in preventing fraud and embezzlement, for instance as a tamper-evident audit trail of client-account transactions. It is tamper-evident, not incorruptible: a fraudulent entry recorded at the time stays recorded, and a single copy with no independent replicas can be rewritten wholesale.
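To make the tamper-evidence point concrete, here is an added example (not code from the original page or from The Cashroom) of a minimal hash-chained ledger over constructed client-account events for a fictitious matter. It shows both what the chain catches and what it does not.

```python
"""A minimal hash-chained ledger showing what 'tamper-evident' means (added example)."""
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block points at a hash of all zeros


def block_hash(block: dict) -> str:
    """SHA-256 over the block's index, the previous hash and the record itself."""
    body = {k: block[k] for k in ("index", "prev_hash", "record")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_block(chain: list, record: dict) -> dict:
    """Append a record; its hash commits to everything that came before it."""
    block = {
        "index": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
        "record": record,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if (block["index"] != i
                or block["prev_hash"] != expected_prev
                or block["hash"] != block_hash(block)):
            return False, i
    return True, None


def build_sample_chain() -> list:
    """Constructed client-account events for a fictitious matter M-1001 (not real data)."""
    chain = []
    append_block(chain, {"matter": "M-1001", "event": "client funds received", "gbp": 250000})
    append_block(chain, {"matter": "M-1001", "event": "completion payment to seller", "gbp": 245000})
    append_block(chain, {"matter": "M-1001", "event": "fees to office account", "gbp": 1500})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("fresh chain:", verify_chain(chain))
    chain[1]["record"]["gbp"] = 24500            # quietly alter an old payment
    print("after edit:", verify_chain(chain))    # caught at block 1
    chain[1]["hash"] = block_hash(chain[1])      # recompute only that block's hash
    print("after rehash:", verify_chain(chain))  # still caught, now at block 2
```

Editing one record breaks that block's hash; recomputing that hash then breaks the next block's `prev_hash` link. What the chain cannot do is stop someone who controls the only copy from recomputing every later hash as well, after which the altered ledger verifies cleanly. That is why the value of the technique for an audit trail depends on replicas held by parties who do not share the same access (a regulator, an auditor, an outsourced cashier), or on periodically publishing the latest hash somewhere the firm cannot later change.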
Outsourcing reduces the security and compliance risk
Outsourced cashiering and management accounts
Your firm is professionally obliged to keep an accurate set of books, and a failure to dedicate the time necessary to accounts-related work increases the chance of human error. Especially when you don’t have access to certified experts. But, should an error occur, the impact on your bottom line and your reputation could be devastating.
The good news is that, when you use outsourced services, much of that risk is removed from your own staff and placed with specialists.
An outsourced legal cashier will keep your accounts in order. And prepare tax and VAT returns to ensure you meet all regulatory requirement deadlines. They will also enable compliance with the Solicitors Accounts Rules and Money Laundering Regulations. Crucially, an outsourced cashier will also ensure that there’s a clear audit trail as required by your accountant or inspector.
Also, if you have one cashier looking after payments, a fraudster need only get their hands on one set of bank login details. Even if you have multiple cashiers, they are all likely to be on the same network, so an attacker who gets in can harvest all the information and access rights they need.
But an outsourced partner will have invested heavily in security measures (e.g. encryption, intrusion detection, back-up procedures, etc.). It is difficult for a small conveyancing firm to fund and maintain the same level of protection.
An outsourced legal cashier and management accounts partner should also offer:
- Robust confidentiality processes to ensure that confidential client information will be protected as per the SRA code
- A secure online portal to protect those all-important communications
- Cyber Essentials Plus certification
- A robust GDPR policy
- Regular staff training on cyber risk.
At The Cashroom, we provide all this and more. Ultimately, when you outsource to us, you get the peace of mind that comes with knowing the processes and people looking after your firm operate securely.
Outsourced risk and compliance
The burden of risk and compliance has become increasingly complex. Today, a proactive approach is essential to mitigate the risk of a regulatory issue or destructive reputational incident.
But rather than lying awake at night, many conveyancing firms are opting to outsource this aspect of their business. And, in doing so, are gaining access to appropriate experts with all the skills and expertise they need.
Often, outsourcing means taking someone on to help with more specialist work, while in-house compliance teams get on with day-to-day work. For smaller firms that don’t have the budget to employ full-time in-house risk and compliance professionals, the ability to pass everything over to a trusted partner is especially valuable.
Outsourced security technology
The progression of technology has enabled criminals to become even savvier. So, fighting fire with fire is essential when it comes to reducing the cyber-risk in today’s digital age.
This includes using:
- Technology that filters out viruses before they hit your inboxes
- Business-class antivirus/malware that offers active protection against attacks
- Regular and automatic back-ups
- Online database checks to highlight any red flags
- A digital bank account checker that validates the source or destination of funds
- DMARC, which stops third parties sending email that impersonates your domain to any recipient, such as clients, suppliers or employees.
Conclusion
Digital information and client funds must be safeguarded to protect firms, conveyancers, and clients. And this requires a combination of education, technology and robust processes. What’s more, cyber risk, security and compliance are not one-time activities. The challenges are evolving and require constant vigilance.
Where a failure in security occurs, solicitors could be liable for losing client funds, be forced to pay the money back to lenders, be subjected to raised insurance premiums, and face severe and long-lasting brand damage.
Outsourcing not only reduces the pressure upon conveyancers – who already have to be vigilant when undertaking daily tasks – it also frees up fee earner time. And, just as important, it leaves due diligence to specialists who can keep up with the rapidly evolving issues of a digital world.
[1] HM Government
[2] Xyone Cybersecurity roundtable
[3] Xyone Cybersecurity roundtable
[4] Xyone Cybersecurity roundtable
[5] Hiscox Cyber Readiness Report
[6] Dreamvar v Mishcon de Reya
[7] SRA, Upholding Professional Standards 2017/18 report
[8] Hiscox Cyber Readiness Report
[9] National Cyber Security Centre (NCSC)
[10] Verisign/Merrill
[11] https://www.sra.org.uk/sra/how-we-work/reports/annual-review/annual-review-2017-18.page
[12] https://www.logicforce.com/2018/11/02/cyber-security-scorecard-q4-2018/
[13] https://www.lawsociety.org.uk/support-services/advice/articles/dreamvar-informative-and-case-summary/