National Post (National Edition)
HACKERS SELL CREDIT CARD INFORMATION ON THE DARKNET FOR $2 TO $4 A POP.
that the spyware responsible had been formulated on a Chinese-language keyboard and could be traced to servers in China linked to state-owned enterprises.
It was no secret that the Chinese government, worried about a global potash monopoly, opposed the deal. As the Chinese have long been accused of resorting to cyberespionage for various political and commercial purposes, the evidence implicating China was telling.
It subsequently emerged that an unrelated attack had targeted another major M&A, while a third was aimed at high-profile litigation.
“For someone who wants easy access to competitive typed in the firm’s trust account password, it sent the password to the hackers. It then became a simple matter to access the account and transfer out what has been reported as a “six-figure sum.”
So what are Canada’s law firms doing to shore up their security? Both firms and outside experts agree that awareness is increasing, often as a result of pressure from clients.
“Banks, for example, are ensuring that the law firms who act for them have a stringent cybersecurity protocol and insisting that they have adequate training and insurance,” Ahmad said. “And many law firms are introducing policies relating to M&A cybersecurity due diligence programs.”
Following the Potash incident, Toronto-based Goodmans LLP (which was not a target in the M&A-related cyber attack) introduced application white-listing technology developed by Massachusetts-based Bit9 Inc. The software allows only trusted programs to run on a law firm’s system.
By contrast, Torys LLP simply locked down end user privileges on the firm’s desktops, which prevented end users from installing unauthorized applications.
According to Ahmad, 2017 will be a watershed year for cybersecurity because impending changes to Canada’s privacy legislation will require custodians of data, including law firms, to report information security breaches that pose a “real risk of significant harm.”
“About 47 U.S. states already have that requirement,” Ahmad said.
The new reporting requirement may well reveal that cybersecurity is a much bigger issue than the profession cares to admit. Because losing confidential information is high on the list of factors that can undermine a firm’s reputation, law firms have not been prone to acknowledge publicly that they’ve been the target of attacks, especially successful ones.
Several years ago, a survey revealed that almost one in five law firms in the U.K. had suffered a cyberattack in the preceding 12 months.
Chief information officers at some of the country’s largest law firms later told media “the threat and frequency of cyber attacks is likely to be much higher than the perceptions of those surveyed.”