Cyber Bytes banner RPC law

Cyber_Bytes - Issue 53

Published on 08 June 2023

Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.

New fixed recoverable costs for professional negligence claims

The new fixed recoverable costs regime ('FRC') is due to come into force on 1 October 2023, despite opposing opinions from various legal associations.

Under the new rules, professional negligence claims issued on or after 1 October 2023 where £100,000 or less is sought, will be subject to a sliding scale of FRC. The new limits on recovering costs will apply to claims allocated to the fast or newly created intermediate track, regardless of whether the actual sums incurred by the parties are higher or lower than the FRC.

In practice, the new rules are likely to apply to less complex cases where:

  • The sum sought is between £25,000 and £100,000.
  • The trial will last 3 days or less.
  • There are no more than 2 experts giving oral evidence per party.
  • There are no more than 3 parties (2 claimants and 1 defendant or 1 claimant and 2 defendants); and
  • There are no allegations of fraud.

These changes are likely to have a significant impact on litigants and insurers, which will give rise to new tactical considerations and impact the likelihood of claimants pursuing litigation, if they are unable to recover a significant portion of their legal costs.

See RPC's full article here and Lawyer's Covered publication here.

Big names caught up in big cyber attack

British Airways (BA), Boots, BBC and Air Lingus are among the latest companies caught up in a recent mass hack. The exploit at the root of this mass hack was disclosed last week by US company Progress Software. Progress Software warned that hackers were able to access its MOVEit Transfer tool, which is designed to move sensitive files securely and is utilised globally. It is suspected that the ransomware group, Cl0p, is responsible for the hack, who are alleged to be based in Russia.

Staff at BA have been warned that personal data, including possible bank details, may have been stolen by the group. Other personal data relating to staff at the BBC has also reportedly been compromised.

The National Cyber Security Centre has urged organisations using the compromised software to carry out security updates that have been provided by Progress Software. The National Crime Agency is aware of a number of UK-based organisations that have been impacted by a cyber incident as a result of the security flaw and is "working with partners to support those organisations and understand the full impact on the UK."

Click here for the full article.

Cyber-attack costs conveyancers £7m

In November 2021, conveyancing services giant, Simplify, suffered a cyber-attack when a threat actor gained unauthorised access to their systems, including internal files containing personal data. This incident led to a major IT systems outage. Simplify spent 10 weeks restoring their systems and had to significantly reduce their level of new cases. The group complied with all relevant obligations required by the Information Commissioner's Office (ICO), which does not intend to take any further action against the group.

According to the parent company, UKLS Acquisitions Limited, this impacted Simplify's results for the financial year which, had it not been for the cyber-attack, would have been on track to turn around a record number of completions.

Simplify also suffered from a one-off cost of £7.3m and exceptional income of £6.8m arising from the cyber-attack alone. Although the giant successfully recovered from its insurers in relation to lost business, they had to enter discussions with its funders to fulfil long-term funding and capital structure of the group. Shareholders have since injected a further £15m of working capital into the company.

This provides a stark example of the impact than ransomware can have on professional services businesses. Please see Lawyer's Covered publication here and Legal Gazette's full article here.

AI and "Friday Afternoon Frauds" on Law firms

Law firms are under continuous pressure to stay aware of fraud risks. The rapid progress of AI technology gives new rise to more uncertain risks of phishing fraud. There is particular concern about GPT-4, the successor of Open AI's ChatGPT, where there have been reports of scammers using generative AI to clone voices to perpetrate frauds.

Although law firms aim to keep up to date with possible fraud risks, new technology assists in undermining routine checks that law firms tend to rely on. For example, following up with a client on the telephone following the receipt of a suspicious email. The use of new technology will mean that scammers can clone voices and potentially undermine routine checks employed by firms.

The Law Society presently has guidance including warning signs to make firms familiar with ongoing fraudster activity, which can be found here. However, this guidance does not take the impacts of generative AI into account.

RPC have prepared a blog suggesting that the Law Society will need to strike a balance between addressing specific risks as they emerge and putting in place flexible guidance which can respond to a variety of novel, and yet unknown, risks.

See our full article here.

The "Unicorn Kingdom's" AI White Paper

The UK's AI White Paper has recently been published, heralding a pro innovation and light regulation approach. However, the Future of Life Institute almost simultaneously published an open letter calling for a six-month halt in work on AI systems more powerful than the generative AI system: GPT-4.

The White Paper suggests a wait and see approach to allow regulation to be appropriate for innovators of AI to progress and thrive. There is no intention to introduce legislation and the framework will be principles-based. There are also no current plans to appoint a separate AI regulator. The Government suggests monitoring functions to determine how the regulatory framework can be performed. This monitoring will include test beds, sandbox initiatives, conducting horizon scanning, and promoting interoperability with international regulatory frameworks. This approach differs from the US and EU's more formal risk-based focus.

The current Government consultation is ongoing and due to close on 21 June 2023. We await further details as to the implementation of the regulatory framework. However, the concern is that with such a tentative approach to regulation, businesses, large and small, operating in the UK's AI landscape could require more immediate regulatory certainty to protect them.

See our full article here.

Joint blog post by the NCSC and ICO on transparency around cyber attacks

The National Cyber Security Centre (NCSC) and the ICO have co-produced a blog post which aims to dispel common misconceptions that can discourage organisations from reporting a cyber-attack. This follows concerns that unreported incidents are denying organisations the opportunity to learn from them and prevent future attacks. The post focuses on six misconceptions that often discourage organisations from reporting attacks, particularly ransomware attacks, and sets out to dispel them.

The six ‘myths’ which the NCSC and the ICO have identified as commonly held by organisations that have fallen victim to cyber incidents are:

  1. If I cover up the attack, everything will be ok
  2. Reporting to the authorities makes it more likely your incident will go public
  3. Paying a ransom makes the incident go away
  4. I’ve got good offline backups, I won’t need to pay a ransom
  5. If there is no evidence of data theft, you don’t need to report to the ICO
  6. You’ll only get a fine if your data is leaked

This latest press release comes amidst threat actors continuing to cause significant disruption through cyber attacks. The NCSC and ICO are growing increasingly concerned that silent incidents make future attacks more likely, while sharing information amongst communities about an attack can ultimately improve the threat landscape for everyone.

The NCSC and ICO have also stressed the importance of transparency in the aftermath of an attack, highlighting that a lack of evidence that data has been stolen does not mean theft did not take place. Reporting incidents in accordance with regulatory responsibilities can help improve wider awareness and cyber resilience.

Click here to read the full NCSC publication or here to access the blog post.

The need for cybersecurity

The argument that 'cyber-attacks won't happen to me, they only target big companies' is unsustainable for smaller businesses in today's climate.

Smaller companies ("SMEs") can be the victim of security incidents on the basis of the security vulnerabilities that they might have, rather on the basis of any specific targeting. It can also be more profitable to carry out a simple, less risky attack on a small company than a large corporation with a dedicated security team. The NCSC, supported by BT, are taking clear steps to tackle this issue as apart of the Cyber Aware campaign.

SMEs should remain vigilant and keep a firm focus on getting their basic security protocols right, to reduce the risk of falling victim to a cyber-attack. For example, ensuring that antivirus protection is in place for all systems and devices, securing back-up data, implementing regular patching across systems and keeping passwords secure. Further, using business-grade Wi-Fi with built-in security and protection should be standard for SMEs to ensure total security across the firm and updating all relevant business devices to guarantee that everything has the correct protection.

BT has noted that the NCSC is offering support to them as a CNI operator and targeted guidance and tools for smaller companies as part of the Cyber Aware campaign.

See BT's full article here.

Global ransomware payments double in one year

A recent survey by British cybersecurity firm Sophos has revealed that the average global ransomware payment rose to £1.2 million over the past year. The average payment by UK organisations in 2023 is also higher than the global average. The Sophos report was drawn from a survey of 3,000 senior IT and cybersecurity professionals across a range of organisations, such as schools, retailers, and healthcare providers.

The two main trends identified in the report concern the targeting of high grossing companies as well as sectors with a lower level of resources and technology. The average pay-out by companies with revenues of more than $5bn a year was approximately $2.5m. Sophos have warned that this illustrates the tendency of threat actors to adjust the amount they will accept based on an organisation's ability to pay. The education sector was the most likely to have experienced an attack last year. IT, tech and telecoms companies reported the lowest level of attack, likely indicating a higher level of cyber readiness.

The Sophos report acts as a good reminder to organisations to ensure that they are regularly engaging in sound cyber practices. The report noted that nearly all organisations that had their data encrypted were able to retrieve it, largely through backup systems. Having proper backups for data recovery as well as general cyber readiness is imperative for all companies, and especially those without the annual revenue to consider funding a ransom payment.

Click here to read the full Guardian article.