Cybersecurity concerns are pertinent to all industries and sectors, but law firms are a particular target for breaches. Cisco Systems' Annual Security Report once ranked them the seventh most vulnerable industry.
Because client confidentiality is such a core part of a law firm's work, and because the data it holds can be critical to its clients, the consequences of a breach are particularly severe in this industry.
There is also the risk of cyber sabotage, which can damage systems and infrastructure as well as the firm's reputation.
A massive leak of files from Panama law firm Mossack Fonseca caused huge global repercussions because of the high profile of its clients and the subsequent high level of interest in these clients’ offshore tax dealings exposed by the leak.
Data breaches at Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP were investigated to determine whether they were deliberate attempts to obtain non-public information for insider trading. The data law firms hold is valuable for many different reasons, and it is critical to clients that their sensitive information is kept safe.
Most law firms hold data that would be highly valuable to cyber criminals. This includes information that could compromise a case, such as privileged communications with clients and litigation strategy, and data that is valuable for manipulating markets, such as unpublished patent filings or details of pending deals.
There is also the kind of data held by organisations in every industry, not just legal: clients' banking details, personal data and email addresses, for example.
Clients are also pressing for better security. Law firms that have clients from the financial or other sensitive sectors are often required to prove their security credentials before the client will engage with them. For that reason, being ahead on security issues can be a critical factor in getting work, and a key competitive advantage.
It is important to get the organisation thinking beyond the mindset that cybersecurity is an issue for the security team alone. Security is everyone's responsibility, because every member of the organisation contributes to keeping it and its clients safe, and security consciousness needs to be integrated into all functions and activities.
Staying on top of a fast-changing field of security, and constantly updating policies and procedures, is a significant challenge. The security team needs to have a strong link with internal comms and HR so they can update and upskill the entire organisation easily.
They also need the ability to move resources quickly as new threats emerge. This may mean quickly investing in new tools, or bringing in new people as required.
Security isn’t just about getting the right technology and tools in place. It’s also important to consider the policies and procedures, the ongoing training, the organisational strategy, and other aspects such as insurance.
Firms need to develop a culture of security; one that all employees buy into. Many experts suggest starting by identifying security priorities first, then identifying how these priorities will be supported by staffing, tools, and other resources.
Some organisations also find it helpful to have anonymous reporting in order to learn from their cyber security mistakes.
Law firms may also wish to think about how their governance and reporting factors in for cybersecurity-related issues. There need to be mechanisms to report on security issues across all operations, and to deliver security information in a way that’s understandable to senior managers. It’s really important to get buy-in at this level, so decision-makers need to be kept informed.
One of the hardest parts of any cybersecurity approach is admitting that no firm is ever truly secure. That is why law firms also need measures in place to detect that a breach has happened, and a response plan for when it does.
When a security failure occurs, key people such as the communications team and senior leadership need to understand the issue quickly and may have to make very difficult decisions. At what point are clients notified? Where insider trading may have resulted from the lapse, law enforcement and regulators may also need to be informed.
Yet law firms have been accused of failing to publicly disclose security breaches they have experienced.
Many firms also take a long time to realise they have been compromised. According to Forbes, the median time between a breach occurring and its being identified is 200 days.
Once a firm realises it has been compromised, it needs to move quickly. That is why it is vital to have a crisis plan in place well ahead of time. Ideally, the firm will also have tested its response plan, for example by rehearsing it, so everyone can act immediately rather than working out roles during the incident.
Although firms may have the best intentions, it’s extraordinarily difficult to stay on top of cybersecurity. Recruiting talented people with the right skills and experience is a major challenge.
It’s common now for major firms to appoint a chief information security officer (CISO), but finding people to staff an entire team that understands the issues facing that particular organisation remains a challenge at all levels.
After that, there’s the problem of keeping them updated in their field. Skills in this area can very quickly become obsolete if they aren’t constantly kept up to date.
Even if you have the best CISO in place, and a strong in-house cybersecurity team behind them, bridging the gap between your average lawyer and your security advisers can be an additional concern.
There are not enough lawyers who also have technology skills; few individuals master both of these large knowledge areas. Anyone wishing to combine the two skillsets would struggle to find formal training, let alone keep it current.
Most training should be focused on the firm's end users, the people who handle and transmit sensitive information. They are the firm's biggest exposure, so they need to be the focus of its policies and procedures. But it is a tricky task. Cybersecurity is often seen as a diversion from 'real' work, and in a busy law office it can be an unwelcome distraction from core operations.
The fact is, law firms are not doing enough to counter the cybersecurity risks facing their industry. Those that fail to put adequate safeguards in place to prevent data breaches leave themselves exposed to malpractice suits, disciplinary action, and contract litigation by their clients.
Staying ahead on cybersecurity is tough, but law firms have no choice: they must stay active in this area and get a plan in place.