
Principals are responsible for ensuring that effective safeguards are in place to protect trust accounts from unauthorised access, cyber threats and data compromise.

The following guidance outlines minimum cybersecurity expectations that are considered best practice for legal practices operating trust accounts in NSW. These controls represent a baseline standard only. Where critical controls are not in place, they should be implemented as a matter of priority.

Cyber risks affecting trust money typically arise at identifiable points. Best practice for law practices is to ensure that appropriate controls are in place at each stage.

1. Preventing unauthorised access

The first line of defence is to prevent unauthorised access to systems used to manage trust money.

Ensure that:

  • Security updates are applied promptly to all systems, applications and devices, preferably through automated processes. Failure to maintain current software exposes systems to known vulnerabilities. For example, a practice management system used for trust accounting is configured to install critical security patches automatically rather than relying on manual updates.
  • Strong and unique passwords are enforced across all systems, particularly those used for trust accounting, email and online banking. Shared credentials and password reuse are not appropriate. For example, each staff member has their own login for online banking and trust accounting software, rather than using a shared ‘accounts’ profile.
  • Multi-factor authentication (MFA) is enabled for all critical systems, including financial platforms and remote access tools. Where available, MFA is an essential safeguard against unauthorised access. For example, access to online banking requires both a password and a one-time code generated on a staff member’s mobile device.
  • Security software, including antivirus, endpoint protection and firewalls, is installed, maintained and actively monitored.

Failure at this stage significantly increases the likelihood of system compromise and unauthorised access to trust funds.

2. Restricting and controlling access to trust money

Once systems are secure, make sure that access to trust money and sensitive information is appropriately restricted.

Ensure that:

  • Access to trust account systems is limited to authorised personnel only, based on role and necessity. For example, a junior administrative assistant does not have access to initiate or approve trust account payments.
  • User permissions are regularly reviewed and updated, particularly when staff change roles or leave the law practice. For example, access for a departing employee is disabled immediately on their last day.
  • Devices used to access trust accounts or client information are securely configured, regularly updated and, where appropriate, encrypted.
  • Any personal devices used for work purposes are subject to appropriate security controls. For example, a solicitor accessing emails on a personal mobile phone must use a secured app with a device-level passcode and remote wipe capability enabled.
  • Trust account and client information is stored and transmitted securely, with appropriate safeguards when sharing sensitive financial information. For example, bank details are shared through a secure client portal rather than by email.

Inadequate access controls increase the risk of both internal misuse and external compromise.

3. Verifying instructions and preventing fraud

The risk to trust money is highest at the point of disbursement. Cyber incidents involving trust accounts most commonly arise from fraudulent or manipulated instructions, including business email compromise.

Ensure that:

  • Robust verification procedures are in place before acting on any instruction involving the transfer of trust money.
  • Bank details and payment instructions are independently verified using a trusted method. Reliance on email instructions alone is not sufficient. For example, if a client emails updated settlement account details, staff confirm the change by calling the client using a previously recorded phone number.
  • All staff receive ongoing training to identify phishing attempts, email compromise and other common cyber threats. For example, staff are trained to recognise urgent or unusual payment requests that deviate from normal transaction patterns.
  • Clients are clearly informed that the law practice will not provide or change trust account details via email, and that any request to deposit funds must be confirmed directly with the law practice using a known and trusted telephone number.
  • An appropriate fraud warning is included in all email communications. For example: “Fraud Alert: We do not change bank details via email. Always verify payment instructions by calling our office using known contact details.”

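The callback control described above (changed bank details are never acted on from an email alone; the confirming call goes to the number already on file, not to a number supplied in the request) can be enforced in the practice's own disbursement workflow. The following is an added example, not the Law Society's or any practice management vendor's code; the client records, instructions and verification entries are constructed sample data, and the two-day freshness limit on a callback is an assumed policy value.

```python
"""Gate a trust disbursement on out-of-band verification of payee bank details.

Added example (not from the original guidance or any vendor product). Models the
control: a payment whose payee details differ from those on file may proceed only
after a callback to the client's previously recorded number, made recently enough.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def normalise_phone(number: str) -> str:
    """Compare numbers on digits only, so '02 9999 0000' and '0299990000' match."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str


@dataclass
class ClientRecord:
    name: str
    phone_on_file: str              # recorded at matter opening, never taken from an incoming email
    bank_on_file: Optional[BankDetails] = None


@dataclass
class CallbackVerification:
    number_called: str
    verified_at: datetime
    verified_by: str


@dataclass
class PaymentInstruction:
    client: str
    payee: BankDetails
    received_via: str               # e.g. "email", "portal"


def release_decision(client: ClientRecord, instr: PaymentInstruction,
                     verification: Optional[CallbackVerification], now: datetime,
                     max_age: timedelta = timedelta(days=2)) -> tuple[bool, str]:
    """Return (allowed, reason) for releasing trust money to instr.payee."""
    if client.bank_on_file is not None and client.bank_on_file == instr.payee:
        return True, "payee matches details on file"
    # New or changed details: an instruction alone, however received, is never sufficient.
    if verification is None:
        return False, "changed payee details require callback verification"
    # The callback must go to the number on file, not one supplied in the request.
    if normalise_phone(verification.number_called) != normalise_phone(client.phone_on_file):
        return False, "callback used a number that is not on file"
    if now - verification.verified_at > max_age:
        return False, "callback verification is stale; repeat it before release"
    return True, f"change verified by {verification.verified_by} via callback to number on file"


def run_demo() -> list[tuple[bool, str]]:
    """Run the gate over constructed sample cases and return each decision."""
    now = datetime(2024, 6, 3, 10, 0, tzinfo=timezone.utc)           # constructed timestamp
    client = ClientRecord("Example Client Pty Ltd", "02 9999 0000",   # constructed record
                          BankDetails("062-000", "12345678"))
    unchanged = PaymentInstruction(client.name, BankDetails("062-000", "12345678"), "email")
    changed = PaymentInstruction(client.name, BankDetails("012-345", "99999999"), "email")
    return [
        release_decision(client, unchanged, None, now),
        release_decision(client, changed, None, now),
        # Callback made to a number that is not the one on file
        release_decision(client, changed, CallbackVerification("0499 999 999", now, "A. Clerk"), now),
        # Callback to the number on file, but made five days ago
        release_decision(client, changed,
                         CallbackVerification("0299990000", now - timedelta(days=5), "A. Clerk"), now),
        # Callback to the number on file within the freshness window
        release_decision(client, changed,
                         CallbackVerification("0299990000", now - timedelta(hours=1), "A. Clerk"), now),
    ]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("RELEASE " if allowed else "HOLD    ", reason)
```

The useful property is that the decision never consults anything in the incoming message: the comparison is against the record on file, and the only evidence that can unlock a changed payee is a logged call to the number on file. Logging who verified and when also gives the practice an audit trail for each disbursement.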
Failure to properly verify instructions may result in irreversible loss of trust money and potential breaches of professional obligations, including the obligations to implement appropriate safeguards, to protect and properly deal with trust money, and to act competently and in the best interests of clients.

4. Responding to cyber incidents

Despite appropriate safeguards, incidents may still occur. Law practices must be prepared to respond promptly and effectively.

Ensure that:

  • A documented incident response plan is in place, setting out how cyber incidents will be identified, contained and managed.
  • Staff understand their responsibilities in the event of a suspected or actual incident. For example, staff know to immediately report a suspected phishing email or accidental credential disclosure to a designated internal contact or IT provider.
  • Appropriate steps are taken to minimise loss, secure systems and meet any reporting obligations. For example, if unauthorised access is suspected, the law practice promptly disables affected accounts and contacts its bank to prevent further transactions.

Delayed or ineffective responses can significantly increase the impact of a cyber incident.

5. Maintaining data integrity and recoverability

Make sure that trust account data can be restored and relied upon following a cyber incident.

Practices should ensure that:

  • Regular backups of critical systems and data are performed.
  • Backups are securely stored and protected from unauthorised access or compromise. For example, backups are stored offsite or in a secure cloud environment that is isolated from the main network.
  • Backup systems are tested periodically to confirm that data can be restored promptly and accurately. For example, the law practice periodically performs a test restoration of trust records to confirm backup integrity.

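A test restoration is only meaningful if the restored files are compared against what was backed up, not merely observed to exist. The following added example (not the Law Society's or any backup vendor's code) shows one way to do that: a SHA-256 manifest is written at backup time, and the periodic test restores the backup to a scratch location and reports every file that is missing, altered or unexpected. The trust-record files and the damaged backup copy are constructed sample data in a temporary directory.

```python
"""Back up a directory with a SHA-256 manifest, then verify a test restoration.

Added example (not from the original guidance or any product). The manifest is
written alongside the backup copy; the test restore recomputes hashes from the
restored files and compares them with the manifest.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large ledgers are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative, POSIX separators) to its SHA-256 hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, backup_dir: Path) -> Path:
    """Copy source into backup_dir/data and record manifest.json beside it."""
    shutil.copytree(source, backup_dir / "data")
    manifest = build_manifest(source)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup_dir


def verify_test_restore(backup_dir: Path, restore_to: Path) -> dict[str, list[str]]:
    """Restore to a scratch location and compare every file with the manifest."""
    shutil.copytree(backup_dir / "data", restore_to)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restore_to)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def run_demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Back up constructed sample records, then test-restore a clean and a damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "trust_records"                         # constructed sample data
        (src / "ledgers").mkdir(parents=True)
        (src / "ledgers" / "2024-06.csv").write_text(
            "date,matter,receipt,payment\n2024-06-03,M1001,5000.00,0.00\n")
        (src / "reconciliation.txt").write_text("June 2024 bank reconciliation: balanced\n")

        backup = make_backup(src, base / "backup")
        clean_report = verify_test_restore(backup, base / "restore_clean")

        # Simulate a backup copy that has been tampered with and partially lost
        (backup / "data" / "reconciliation.txt").write_text("tampered\n")
        (backup / "data" / "ledgers" / "2024-06.csv").unlink()
        damaged_report = verify_test_restore(backup, base / "restore_damaged")
    return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean backup:  ", clean)
    print("damaged backup:", damaged)
```

In practice the manifest should be kept with the isolated backup copy and the restore test run on a schedule, with any non-empty "missing" or "corrupted" list treated as an incident rather than a nuisance, since it means the trust records could not be reconstructed from that backup.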
Failure to maintain reliable backups may compromise a law practice’s ability to reconstruct trust records and meet regulatory obligations.

Expectations

  • These controls establish a minimum standard for the protection of trust accounts.
  • Principals must assess whether additional safeguards are required, having regard to the size, complexity and risk profile of their law practice.
  • Effective cybersecurity is an essential component of trust account compliance and critical to protecting client money and maintaining confidence in the legal profession.

Sharon Blake is Chief Trust Account Investigator with the Law Society of NSW.