← All Briefings
Briefings


Silent Ransom Gang, documented in FBI and CISA joint advisories on vishing-enabled data theft, is running sustained campaigns against law firms, with reported exfiltration windows under six hours from first call. The technical move is a phone call to a paralegal, a request for remote access framed as a help-desk ticket, and a staging server that sits outside any endpoint detection perimeter the firm operates. No zero-day required. Law firms holding pre-public M&A files or regulatory correspondence for FSI clients create an asymmetry the clients themselves rarely audit: the bank is subject to MAS TRM's one-hour major-incident notification requirement and HKMA's Cybersecurity Fortification Initiative audit cycle, but the law firm handling that bank's deal files operates under neither framework. The exfiltration clears before the bank's incident response team knows to start the clock.

The structural problem is designation. Under Singapore's Cybersecurity Act 2018, the ten designated critical information infrastructure sectors do not include legal services, meaning law firms are not subject to the mandatory penetration testing, incident reporting, and vendor assurance requirements that govern their FSI clients under CII obligations. A firm advising a licensed bank on a material acquisition holds information that would trigger mandatory MAS TRM reporting if taken from the bank's own systems. No equivalent obligation attaches to the firm. HK's Law Society Practice Circulars include no mandatory cybersecurity requirements for external counsel handling regulated-client data. CISOs managing active M&A or regulatory mandates with outside counsel should require annual penetration-test disclosure and a sub-24-hour incident notification clause written into engagement letters. The absence of that clause is the only control Silent Ransom needs.

Strong. The engagement-letter clause is the right place to land this.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.