Kathryn McCann assesses the impact of the cyber attack on DLA and the wider legal market
For years, the possibility of a major cyber attack on a leading law firm has been discussed. Inevitably, it finally materialised. On 27 June DLA Piper was crippled for days after the global giant’s systems were hit by what the firm terms a ‘particularly sophisticated strain of malware’. (In cyber jargon, malware is malicious software designed to disrupt, damage or gain access to computer systems.)
The attack originated in Ukraine, where DLA has a small branch, and reached the firm through a ‘trusted software supplier’ that was itself compromised. The ‘NotPetya’ attack was aimed at Ukrainian infrastructure and affected companies as diverse as the food giant Mondelēz and Danish shipping and transport giant AP-Moller-Maersk.
With the cyber security and IT community being fuelled by gossip and Chinese whispers, a number of claims have been made regarding the attack. Many compared it to the so-called ‘WannaCry’ ransomware attack on the NHS in May this year, which caused huge disruption. Ransomware is rogue software that either blocks access to victims’ data or threatens to publish it, in order to extract a ransom.
For DLA’s reputation the news divides into very good and very bad camps. On one hand the firm’s internal and client data remained confidential, in stark contrast to the ‘Panama Papers’ disclosures involving the law firm Mossack Fonseca last spring. The significance of this for a law firm is hard to overstate – a major loss of client data would be hard to recover from.
But set against that DLA faced the indignity of having its systems crippled for days and there are persistent claims that it is facing months of disruption before the firm fully recovers.
The firm’s landlines were down for more than a week after the attack as were core computer systems. The firm concedes that personal emails were used during this period for ‘urgent cases where the client approved us communicating with them in this way’.
After the 27 June attack, the firm had a back-up email system in place by 29 June. By 1 July, DLA relaunched on its normal email again. However, it is clear that some disruption has lasted for considerably longer than this period and some local systems have still not come back online (see box).
There have been claims made that the incident was contributed to by lack of investment in infrastructure and has stoked tensions between the firm’s US and European partnerships, which operate as separate profit centres.
DLA global co-chief executive Simon Levine strongly refutes such assertions, highlighting the extraordinary nature of the breach. ‘We were not attacked. We had a trusted software supplier that was attacked and that supplier affected a bunch of other businesses, including ours. It wasn’t an attack on us and it wasn’t that anyone breached our systems, our firewalls. It was unprecedented, something no-one had seen before. Both the FBI and the National Crime Agency (NCA) told us that. And we were, to be blunt, unlucky. We were the collateral damage of an attack.’
Commenting on claims of US/European tensions, Levine responds: ‘We are a global firm and our systems are integrated for the very reason that we are a global firm. There isn’t a them-and-us situation. It just hit the global firm.’
During the attack DLA’s head of IT risk management, Matthew Finn – the firm’s de facto chief information security officer (CISO) – worked in the Leeds office where the IT team is based, alongside third-party providers including Microsoft and Dell, who were working from the US at the same time, to put emergency back-up systems in place. Managing director for developing markets Andrew Darwin – a veteran troubleshooter for the firm – went to the Leeds office for a week to act as a point man between executives, IT and the external consultants.
At the time DLA also instructed PwC, who were also based in Leeds, to undertake an IT forensic review to give assurances to clients. It is understood that the firm is still working with the cyber security team at PwC in a separate capacity to advise on measures to prevent the same situation in the future as well as commissioning a separate independent post-incident review on crisis management. ‘This isn’t about IT,’ adds Levine. ‘It could be a terrorist attack, it could be an incident or an earthquake in Asia. It is an obvious time to go out and do it in order to refine our business continuity planning.’
Levine is adamant that the attack should not affect the firm’s budget for the next year, although substantial costs have already been incurred – mainly as a result of paying third-party providers but there is also a looming insurance claim. It is conceded that DLA is facing costs running into millions of pounds, though Levine observes: ‘I don’t think the attack will be tens of millions. It won’t cost us that.’
As to the wider impact he comments: ‘We are on budget for this year. I still believe we can achieve our budget this year.’
Levine tries to strike a philosophical note on the industry chatter surrounding the firm. ‘There is a lot of stuff swirling around the market – I get that. But a lot of it is wrong. For example, lots of the cyber guys say it is because we didn’t apply an appropriate patch [software designed to fix, update or support vulnerable systems]. But we know it wasn’t that. That has been independently verified by lots of people, including the NCA.’
‘There’s no excuse’
If the dust has yet to settle on the impact on DLA, there is no doubt that the incident has sent a jolt through the legal industry, which for years IT professionals have argued was a juicy but vulnerable target for hackers seeking masses of valuable client data.
Cyber security was already being pushed up the agenda in recent years after a string of high-profile breaches among major companies.
Bird & Bird’s joint international commercial head Simon Shooter says that the attack has exposed how law firms lag behind other sectors, noting: ‘If cyber security wasn’t an issue before, the legal profession in general should be schooled by the DLA attack.’
‘As a whole, law firms in general are still a hell of a long way behind in terms of having a response plan to an incident,’ adds Shooter. ‘There is no excuse for not having plans in place. There is no shortage of free guidance and publications out there.’
Comments Rachel Reid, chief operating officer at Taylor Wessing: ‘Over the last five years companies have become increasingly technology-focused with information and data security a key factor for everyone. Clients want to make sure that we have appropriate certificates in place so they can tick that box.’
In many regards the DLA incident is a blessing for CISOs at law firms already angling for increased resources. One staffer at a Magic Circle firm observes: ‘Our CISO is rubbing his hands together. He knows he can double his budget now.’
Notably, Linklaters in July advertised to recruit its first CISO. Its Magic Circle peers already have such roles in place.
Concludes Linklaters technology counsel Peter Church: ‘The DLA breach didn’t just affect a law firm, but a number of organisations, and it is the latest in a series of high-profile attacks. It is a pattern that highlights the growing number of cyber attacks and the consequences if an attack is successful.’
This time it was DLA but no-one doubts that it will be another major law firm’s turn in the near future… and that the legal industry will be forced to beef up its collective cyber defences.
kathryn.mccann@legalease.co.uk
Additional reporting by Marco Cillario.
Fact from cyber fiction – fixing DLA Piper’s cyber breach
Legal Business put the following points to DLA Piper, which in the beginning of August responded in writing:
Is DLA Piper still affected in any way from the attack?
On 27 June, our systems were affected by a particularly sophisticated strain of malware that was able to penetrate networks that had the latest patches. We took the precaution of shutting down our IT network to protect the integrity of our IT estate and client data. We triggered our incident management response and began working with external leading industry professionals to help validate and assure our remediation and restoration protocols.
Our firewalls were effective to protect our data centres, and we have seen no evidence that client data was taken or that there was a breach of confidentiality, but could not prevent damage to some of our IT infrastructure. The information we have suggests that the malware was designed precisely to cause damage to IT infrastructure and not to access data.
Our IT team worked tirelessly to bring back the core systems we need to service our clients in a very short period. There are a number of ancillary systems, or local systems in some countries, which are yet to be brought back because the firm is taking a very vigorous approach to security before allowing access to any applications and taking the opportunity to consider whether all these systems are necessary in future.
Did DLA partners send personal emails to clients during the time when systems were down?
During the short window when our email was not available and before dlapiper.co.uk addresses were established for all fee-earners, personal email was used in urgent cases and where the client approved us communicating in this way.
Has DLA made changes to its processes in terms of how the firm deals with cyber attacks?
We have instructed PwC to undertake an IT forensic review and we will be commissioning an independent post-incident review. The firm is committed to addressing and implementing any learnings identified as a result of these reviews. We are restoring our systems with great care and enhancing anti-virus and other security measures as we do so.