According to a recent unsealed federal indictment, three Chinese traders hacked into the computer systems of prominent U.S. law firms and stole non-public information on mergers and acquisitions, netting the hackers more than $4 million in illegal profits. These allegations are just the latest red flags for law firms, which have long been considered vulnerable to cyber attacks.
After hacking into the systems, the traders bought shares of at least five publicly traded companies, including drug and chip makers, prior to the announcement of the M&A deals, according to an indictment from the Manhattan U.S. attorney’s office. The traders learned about the deals by gaining access to email accounts of law-firm partners working on the transactions, the indictment said. Prosecutors said that from April 2014 to late 2015, the traders took millions of documents from two law firms’ servers.
Manhattan U.S. Attorney Preet Bharara said the case “should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking because you have information valuable to would-be criminals.”
Law firms serve as advisers to corporations, and in this role are routinely privy to sensitive information and intellectual property that could be misused if stolen. The information taken from the two firms’ servers included client email attachments sent to the firms that detailed the proposed purchase prices of pending deals.
Five other law firms were targeted, prosecutors allege, though hackers weren’t able to access their networks. Prosecutors say the three defendants targeted the five firms on more than 100,000 occasions between March and September 2015.
The Chinese traders gained access to the deals by installing malware on the firms’ computer networks. This enabled them to download information from email accounts. The defendants compromised the accounts of an information-technology employee at each law firm and then posed as the employees to gain access to the firms’ private networks and email servers, according to prosecutors.
Why are law firms so vulnerable to cyber attacks? Many of them still largely run as partnerships, according to John Reed Stark, a cyber security consultant and former Securities and Exchange Commission enforcement attorney, and lack the sophisticated infrastructure needed to implement the toughest cyber security systems. “Law firms are a virtual treasure trove of sensitive information that could be valuable…and traditionally they have some of the weakest cyber security regimes and infrastructure.”
With cyber attacks a front-and-center issue, corporate clients are demanding that law firms take the steps needed to bolster their security and keep confidential information protected. Indeed, some law firms have formed groups to share information on potential threats.
In addition to implementing robust cyber security measures that include employee training on malware and phishing exposures, law firms should also ensure they are properly protected in the event of a loss. This involves having a Cyber Liability insurance program in place. General Liability insurance does not provide coverage for cyber exposures; therefore, it’s critical that a separate policy is provided that meets the risk profile of the client. At Axis Insurance Services, we specialize in Cyber Liability/Privacy & Network Security insurance and can provide you with a program to help mitigate your risk. For information about our insurance solutions, contact us at (877) 787-5258.