SRA Risk Outlook 2018/19 – Cyber security a priority

The SRA have released their Risk Outlook 2018/19 and have included two new priority risks this year:

1. Managing claims
‘We are increasingly concerned about the practices of some firms that offer personal injury work, including holiday sickness claims. Similarly, some firms bringing payment protection insurance claims may not always be meeting the high standards we expect.’ SRA Risk Outlook 18/19 page 4

2. Cyber security
‘Cyber security has always featured in the Risk Outlook as a consideration when protecting people’s information and money. But we recognise that this is of increasing concern to the profession, so we have set it out as a separate risk. We have worked with the National Cyber Security Centre to provide you with top tips on keeping cyber-safe.’ SRA Risk Outlook 18/19 page 4

What stands out from the above that’s particularly relevant to conveyancers is the focus on risks associated with cyber security.

We know that residential property is a target for criminals due to the high values of money being transacted.

The Risk Outlook has again highlighted risks such as:

  • Email modification fraud
  • Phishing and vishing
  • Malware
  • CEO fraud
  • Identity theft

It’s worth noting that three out of the five points above are forms of email impersonation. This is now more important than ever, with the total amount of client monies reported to have been lost as a result of cyber crime in 2017 at £10.7m.

Within the industry there always seems to be a focus on financial loss as a result of these frauds. However, criminals can just as easily use these methods to gain confidential data, whether that of a client or of a firm’s own employees. Email impersonation is also a key method criminals use to encourage recipients to click on links or download files that result in malware attacks. It’s worth asking ourselves whether we’re putting in adequate mechanisms and procedures to combat these types of attacks, and not just those targeting client monies.

What are legal professionals doing to try and combat these attacks?

The SRA recommends the following with regard to preventing email modification fraud:

‘…make sure everyone in the firm knows how to recognise the signs of email modification fraud and common phishing scams’

Email impersonation has now evolved to the point where criminals are easily able to hijack a firm’s exact email addresses, which the recipient cannot identify as fraudulent by checking the domain alone. It’s hard to see how this training alone is adequate protection.

There are ways of preventing criminals from hijacking a firm’s exact email address, one solution being to implement the DMARC email protocol on your email domain. However, a recent report indicated that only 1 law firm out of the top 100 firms in the UK had this implemented.

As a legal professional:

  • are you worried about email modification fraud?
  • do you consider it a key risk to your practice?
  • do you only consider it a threat to loss of client monies?
  • are you happy relying on staff training alone to prevent this?

We’d be interested to know your thoughts on the above questions. Please comment below or email: [email protected]