Law firms continue to be targeted by cyber criminals. The most common cyber incidents notified to LPLC involve the loss of client funds through business email compromise: a criminal gains access to an email account and then impersonates either the client or the firm to redirect a payment to the criminal's own bank account. One of the best defences against social engineering and email compromise is training and awareness for all employees at your firm. Regular training helps staff stay informed about the latest cyber fraud tactics, particularly as cybercriminals grow more sophisticated, including through the use of Artificial Intelligence tools.

In Victoria, cybersecurity training is a requirement under the VLSB+C Minimum Cybersecurity Expectations and, where applicable, the ARNECC Model Participation Rules, as stated in the PEXA Participation Agreement.

In February 2024, the Victorian Legal Services Board (VLSB) released its Minimum Cybersecurity Expectations. The expectations set out a comprehensive set of cybersecurity controls and, for each control, identify the corresponding conduct that may constitute unsatisfactory professional conduct or professional misconduct. A critical element is the behavioural control requiring all staff to receive cybersecurity training relevant to their roles. Training should cover topics such as phishing emails, social engineering, password best practices, safe web browsing, and other risks.

Furthermore, new staff must undergo this training during induction, and existing staff should receive refresher training at least annually. The aim is to ensure that all personnel understand their responsibilities for maintaining cybersecurity and can respond effectively to a cyber incident. For that reason, training content should be updated regularly to address emerging threats.

Lawyers can face disciplinary action if it is found that they are not educating staff who use work devices and networks on how to identify, report, and respond to cyberattacks, or not providing their staff with up-to-date cybersecurity training.

If a law practice is a user of PEXA, under the ARNECC Model Participation Rules the Subscriber must take reasonable steps to train and monitor its Users in relation to the Subscriber's security obligations (see 7.1(a)(iv)). Moreover, all personnel accessing the Subscriber's Systems, including other principals, officers, employees, agents, and contractors, must also receive cybersecurity awareness training (see 7.2.1(b) and (c)). This training aims to ensure that users are aware of risks that could compromise the security of the ELN and other connected systems. A single weakness in one system can be used to reach others, potentially exposing sensitive data across multiple platforms.

Engaging in cybersecurity training offers numerous benefits for law firms and their personnel:

  1. Protection of Sensitive Information: The primary purpose of cybersecurity training is to increase the firm's ability to protect confidential and sensitive information. Robust cybersecurity training helps safeguard this data from unauthorised access and cybercriminals, reducing the likelihood of a claim against the firm.
  2. Enhanced Security Awareness: Training equips lawyers and staff with knowledge about current cyber threats, enabling them to identify and mitigate risks effectively.
  3. Improved Incident Response: Well-trained staff can respond promptly and effectively to cyber incidents, minimising damage and ensuring a swift recovery.
  4. Reputation Management: A firm known for its commitment to cybersecurity can enhance its reputation among clients and stakeholders, fostering trust and confidence.
  5. Cost Savings: Preventing cyber incidents through proactive training can save firms significant costs associated with data breaches. In addition to the loss of the firm’s own money or the money of the client, a data breach can cost a firm in terms of fines, legal fees, recovery costs, and reputational damage.

Several sources provide free cybersecurity training that may be appropriate for law firms:

  • Australian Cyber Security Centre (ACSC): The ACSC offers various resources to enhance cybersecurity awareness among businesses and individuals. Its website features useful links for basic learning resources and governance education.
  • Cyber Wardens: This organisation offers free training resources to increase awareness about cybersecurity best practices.
  • LPLC: The LPLC provides a range of written content to help lawyers understand their risks and responsibilities regarding cyber threats.

Now that law firms are moving to fully digitised operations, the importance of cybersecurity training cannot be overstated. By meeting their regulatory requirements, reaping the benefits of enhanced security awareness and using the training resources available to them, lawyers can significantly improve their resilience against cyber threats while effectively protecting their clients' interests.