Large law firms, though commonly perceived to have stringent cybersecurity procedures in place due to large in-house Information Technology staff and devoted legal IT budgets, are in fact more vulnerable to cyber-attacks than smaller ones, with one in three the target of a cyber-attack over the past year, according to a legal benchmarking report on law firms from the United Kingdom.

The report by NatWest reveals that 24 per cent of all U.K. law firms suffered a cyber-attack over the past year, 16 per cent of whom were small firms (generating fees of less than $3.75 million), 31 per cent large ones (generating fees between $3.75 million and $8.3 million), and 28 per cent very large firms (generating over $8.3 million in fees).

“The fact that a quarter of law firms have been hit by a cyber-attack or fraud over the last 12 months is bad,” noted Steven Malone, Director of Security Management at Mimecast, an IT consultant. “But what is worse is that this is only half the story. Our research reveals that 20 per cent of UK organizations have experienced impersonation attacks (which involve hackers assuming the identity of executives) from their legal departments last year.”

These findings somewhat echo those yielded by the American Bar Association’s latest Legal Technology Survey Report. It found that 26 per cent of firms with 500 or more lawyers reported security breaches in the past year, followed by 25 per cent of law firms with 10-49 lawyers, 20 per cent of law firms with 100-499 lawyers, and 11 per cent of law firms with two-to-nine employees. Solos are the least likely to experience security breaches, with only eight per cent reporting that they have been breached.

The NatWest report does not put a dollar figure to the losses incurred by law firms following a security breach, but it suggests that some of the law firms incurred financial losses and potentially reputational damage. “There is huge pressure on firms to be ever more diligent and to ensure that they have a disaster recovery plan in place,” said the report.

The Solicitor’s Regulation Authority (SRA), which regulates solicitors in England and Wales, revealed recently that approximately $11.5 million of client’s money were siphoned last year thanks to cyber-attacks on law firms. The majority, three-quarters, of cybercrimes reported to the SRA involved some form of “Friday afternoon” fraud where criminals modified emails directly, usually by hacking into the email system of a lawyer. Criminals aim to alter bank details in order to redirect completion funds to the criminal rather than the client. Such scams usually take place on Fridays because that is the time when completions take place, and it buys the fraudster some time before the crime is detected.

Law firms, as custodians of confidential information, are also increasingly becoming targets by those looking for competitive intelligence, according to experts. The case of three men charged with insider trading based on information they hacked from prominent US law firms “should serve as a wake-up call for law firms around the world”,  said Preet Bharara, the former US Attorney for the Southern District of New York. “You are and will be targets of cyber hacking because you have information valuable to would-be criminals.”

Part of the problem is that law firms are not laying the basic groundwork to prevent security breaches, according to consulting firm ALM Intelligence. There are three fundamental stages of data security – assessment, planning and testing. That involves understanding data security needs and risk-profiling data accordingly, then implementing solutions on needs and profile, and finally – and critically — testing to ensure an effective response in case of breach. While 77 per cent of law firms have conducted a formal security assessment and 66 per cent have a data breach plan in place, a scant 46 per cent have tested their cybersecurity plans.

“Many firms’ confidence in their own cyberattack preparedness seems misguided,” said Daniella Isaacson, co-author of the report. “Our research indicates that most remain surprisingly unprepared for the threat. Many, for example, never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”

But pressure from clients to deal with cybersecurity is mounting. Some 70% of law firms surveyed by ALM Intelligence said they are under pressure from their clients to beef up internal data security. If law firms shrug off pressure from clients, it will be much more difficult to ignore impending changes to Canada’s privacy legislation.

The Digital Privacy Act, which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), came into force in June 2015. But regulations regarding breach reporting, notification, and record keeping have yet to come into force. They are however expected to come into force sometime this year, said Imran Ahmad, who heads the cybersecurity law practice at Miller Thomson LLP.

The impending changes will require custodians of data, including law firms, to report information security breaches where an organization “reasonably believes” that a breach of its security measures” creates a real risk of “significant harm” to an individual, said Ahmad. This assessment hinges on the sensitivity of the personal information that was compromised, the probability that the personal has been, is being or will be used as well as “any other prescribed factor,” added Ahmad.

Organizations such as law firms should therefore conduct a review of their existing protocols and policies to ensure that they have the ability to detect, respond and report data breach incidents. And they should also assess the types of information they hold, be it personal information, intellectual property or supplier data.

“Organizations should take steps to ensure compliance and make sure to document them appropriately,” said Ahmad.