This document discusses the importance of cybersecurity for law firms. It notes that law firms have traditionally lagged behind other industries in implementing cybersecurity measures, despite increasingly becoming targets. It provides several recommendations for best practices including implementing information security policies, employee training, testing systems for vulnerabilities, and utilizing IT professionals for guidance. The document emphasizes that cybersecurity is about managing risks, and that as technology continues to change, firms must remain vigilant and adapt their strategies to new threats. People within a firm are also noted as one of the biggest security risks if not properly trained on cybersecurity practices.
Written by: Richard Brzakala
Background
“Law firm hacked by cyber criminals,” is probably one of the worst
headlines imaginable for any law firm in today’s highly competitive
marketplace. Cyber criminals are extremely well funded, sophisticated,
and tenacious. Over the past decade, law firms have become
increasingly attractive targets for numerous nefarious organizations
looking to steal any type of confidential information that has economic
value.
While many corporations and private companies have been
implementing safeguards and strengthening their technology defenses,
law firms have, unfortunately, been laggards in the marketplace. All too
often, firms of all sizes have been blissfully apathetic to either
understanding or wanting to understand the information security risks
and threats lurking in the marketplace.
This article examines cyber and information security as it relates
to the legal industry and provides strategic considerations for
law firms looking to deal with information security issues.
About the author: Richard Brzakala has
20 years of experience managing
external counsel at two of the largest
financial institutions in Canada. He has
provided leadership and global
oversight of enterprise legal
management strategies, including
alternative fee arrangements, cyber
security, sourcing and innovative law
firm performance benchmarks. He has
managed relationships with hundreds
of law firms across the globe and
developed innovative practices with
regards to in house legal management,
business outsourcing and competitive
RFP practices. He is recognized as a
market thought leader with regards to
LPM and law firm management. He
has consulted international companies
on convergence, cyber security, pricing
and sourcing strategies and written
numerous articles related to outside
counsel management practices and
matters. Disclaimer: The views
expressed here are solely those of the
author in his private capacity and do
not in any way represent the views of
the CIBC or RBC.
As we have seen in the past couple of years through media outlets and
press reports, many firms have paid the price for neglect and ignorance
as firms have increasingly been hacked by cyber criminals or have had
their confidential data compromised in some way. Governmental and
regulatory agencies across the globe have, for years, been sounding
the alarm for law firms to become more vigilant and invest in technology
tools and risk management strategies that can help a firm safeguard its
confidential client information.
If you are a firm concerned about cybersecurity measures and your
firm’s preparedness to defend against cybersecurity breaches, consider
implementing some of the following best practices that will help
safeguard your confidential information.
Cyber Security Is About Managing Risk
For a firm to truly protect itself and its client information from being
compromised, it must understand that cybersecurity and information
security are not just about the technology tools. Too often, a firm’s initial
response to cyber threats is to look to the market to see what is
available to update their antivirus software or some other type of
solution that the firm assumes will cover them for all sorts of risk and
cyber issues. Unfortunately, this is not the best approach.
It’s not “if,” but “when” a cyber attack will happen.
The best approach for a law firm seeking to tackle cybersecurity is to
step back and assess its current state of information technology
preparedness and work with IT cyber experts to develop a
comprehensive cyber risk strategy that not only leverages the best
available tools to protect a firm but aligns the information security
strategy with a firm’s business goals. Firms should approach the
establishment of a cybersecurity strategy from the perspective that it is
not a matter of “if” a cyber attack or security event will happen but
“when” it will happen. Firms should also consider whether they are
adequately prepared to contain and respond to such events and, if need
be, manage the repercussions of any fallout due to an event or breach.
Therefore, cybersecurity is not just about ensuring that your firm has the
proper technology in place to mitigate against breaches, viruses, or
other security threats. A successful comprehensive cyber strategy is
based on understanding the many different risks that exist in the
marketplace and within a firm as well as the changing nature of risk and
the need to stay vigilant, mitigate, and adapt to the changes of risk.
In recent years, government agencies and regulatory bodies have
stepped up to try to provide the legal community with recommendations
and assistance on managing information security. The Canadian Bar
Association (CBA) and American Bar Association (ABA) have published
a variety of information security documents aimed at assisting law firms
with implementing greater information control and security measures.
Corporations are looking for cyber-savvy firms
Increasingly, corporate clients are looking to their law firms for
documented proof of how a firm manages its confidential information
and the preventive measures that a firm has in place to mitigate against
threats and cyber risks. Firms looking to implement cyber strategies
should also consider including containerization procedures that detail
how a firm would isolate things such as computer viruses or other data
threats to stop them from spreading through a firm’s network if a breach
or security incident were to occur. Clients are also looking for post-incident management plans detailing how a firm will deal with notification protocol, communication and response times, escalation procedures, and restoration plans for lost data.
If your corporate client hasn’t asked you to provide them with a cyber or
information security strategy, chances are pretty good that they will in
the near future, or they may assume that you already have a
comprehensive information security strategy in place. What you don’t
want to have happen (aside from being hacked and compromised) is to
have to explain to a client that you have absolutely nothing in place.
In short, for the sake of your relationship you should be prepared to
answer your clients in a positive way and provide them with adequate
documentation to back it up.
For many sophisticated corporate clients, such as big banks, it is no longer acceptable for a law firm to be blissfully IT illiterate. The expectations from clients are high. How you manage the information that a client shares with your firm speaks volumes about your commitment to that relationship and how you value your reputation and that of your clients. Today, firms have to be all things to all clients, and the answer can never be “I don’t know” or “It’s not important or cost effective to our firm.” Clients consider their information and that of their clients to be sacrosanct, and there is an increased expectation that firms will do everything they can to maintain the confidentiality of information entrusted to them.
Financial Institutions (FIs) see information security as table stakes
Some FIs, such as the Canadian Imperial Bank of Commerce (CIBC),
have been at the forefront of managing external counsel and
information security when it comes to law firms. In 2015, the CIBC
implemented a global comprehensive information security policy for all
of its 250 law firms. The policy included a comprehensive list of
information security requirements and principles that its panel of law
firms are required to comply with to represent the CIBC on any of its
matters. The CIBC saw a gap in its firms and developed a unique
standardized approach with which all of its firms must comply. The
CIBC was the first institution in Canada to launch such a
comprehensive and extensive initiative with its approved counsel. In
effect, the CIBC made cybersecurity basic table stakes for its panel of
firms.
Insurance companies represent another example of an industry that
adopted information security requirements and changes in the way they
deal with law firm clients.
Insurance companies have started to factor the cost of law firm
damages and claims attributable to cyber and information security
matters into their premiums. Consequently, insurance carriers have
included cybersecurity damage coverage in their policies for items such
as damaged software, hardware, lost information and data, and even
lost law firm revenue. In some instances, large insurance carriers have
based the costs of their premiums on the level of a firm’s cyber
preparedness and have offered well-prepared firms (with a low risk
profile) discounts on their annual insurance premiums.
The last thing clients (and law firms) want is for a data breach to occur
that has an adverse impact on their reputation or that of their clients. If
your firm is looking to implement an information security strategy,
consider calculating and understanding the cost of any lost business
should you be exposed to a cyber event. How much of an insurance
claim would you need to make to carry on or reestablish your firm’s
business in the post-cyber-event period? Aligning cybersecurity to a
firm’s business strategy and goals is critical.
Information security and RFPs
Large companies that are increasingly looking to source legal work want to partner with firms that share their beliefs on safeguarding client information and the importance of cybersecurity preparedness. To that effect, corporate clients have amended their request for proposal (RFP) procedures to include requirements in regard to cybersecurity and managing information security risk.
Once upon a time, corporate clients referred to information security only
as a casual reference in their RFPs. There were few, if any, onerous
demands or requirements placed on firms when it came to safeguarding
a client’s information. In the past, RFPs would only ask that a firm use
its “best efforts” when safeguarding a client’s information.
Today, many RFPs include specific references to a client’s risk and
reputation policy, confidentiality, records management and destruction,
communication, and third-party vendor policies. In addition,
sophisticated buyers of legal services will also include a dedicated
information security section outlining numerous prescriptive IT
requirements and expectations regarding how clients expect their
information to be protected, as well as mandatory incident reporting
requirements. Firms are also finding that client RFPs and the
cybersecurity requirements referenced in the RFPs are now requiring
never-before-seen responsibility on the part of the firm for any third-party vendors that a prospective law firm may utilize in the course of acting for a potential client. How a law firm responds to the information
requirements in a RFP from a potential client is as important as the
firm’s pricing proposal or the depth of legal expertise the firm has to
offer and may make the difference in a competitive bid process.
Many lawyers are information technology neophytes
Perhaps another reason that firms have been reluctant to move
progressively in embracing cybersecurity is because they are obviously
made up, principally, of lawyers and not techies. Lawyers will argue that
they went to law school, not to an IT institute, and that they are not paid
to know all of the nuances of the latest information security practices or
gadgetry in the marketplace. Quite honestly, when lawyers view
cybersecurity and the detailed requirements thereof, it is like a foreign
language to them. Consequently, most lawyers are neophytes when it
comes to technology. They may know how to use a Blackberry or tablet,
but they haven’t a clue about its inner workings, nor do they need to
know. That is why firms should seek out trusted IT experts and
consultants who can conduct thorough assessments based on
international standards (ISO/IEC 27001) and make recommendations on
how a firm can improve its cybersecurity capabilities. It is worth the
investment to have firm employees who are trained in the latest
information security practices and who know how to manage a firm’s
confidential information.
Some firms have even begun to cleverly leverage their cyber
credentials and preparedness for marketing purposes to attract new and
larger corporate clients. Other firms have tried to leverage their
cybersecurity preparedness or certification by trying to negotiate lower
insurance premiums from their carriers.
Law firms cannot afford to be in denial
Over the course of my career in managing external counsel, I have
spoken to many firms and discovered that there exists a wide gap in
cybersecurity preparedness and information security literacy.
The education gap ranges from extremely impressive, adequately
prepared tech savvy firms to poor, inadequately prepared and,
sometimes, unapologetically indifferent firms. Some of the firms in the
latter group have yet to see a compelling business need to invest in
cybersecurity preparedness. The mantra coming from this constituency
is usually the same; we are a small firm in a small town and we don’t
need to worry about cybersecurity; the type of legal work we do doesn’t
require cybersecurity practices; we have never had any information
security incidents; who would want to hack our firm?
Quite simply, smaller firms don’t see themselves as a prime target for international cyber criminals and, therefore, feel less compelled (than big law firms) to invest capital and resources in something that (in their minds) has never happened to date and is highly unlikely to ever happen. They are probably right that a cyber hacker in a foreign country is unlikely to want to infiltrate the computers of a small law firm in North Dakota or Saskatchewan. It’s important to point out, however, that cyber hackers are only one of the cyber threats facing firms today.
Core components of a cybersecurity strategy
At its core, a cybersecurity strategy should include the following
elements:
• email encryption
• a formalized information security policy for all law firm employees
• annual cybersecurity awareness training for employees
• an incident management process
• annual testing of computers
• antivirus safeguards
• proper backup and storage of client information
• strong passwords that expire
The strategic importance of cyber and information security to a law firm cannot be overstated. As innovation continues to change technology, and as users adopt new business tools and new business processes, how information security is managed in the midst of all of that change and flux becomes crucial.
Other Information Security Threats
Aside from cyber criminals, firms need to be cognizant of other security threats such as computer viruses, malware, phishing attacks, identity theft, and even rogue employees looking to electronically steal information or money. All of these threats pose a significant risk to firms regardless of size, client base, or location, and underscore why a firm should invest its resources and capital in a cybersecurity strategy.
In addition, firms should never make the risky assumption that they are immune to security issues simply because they have never had an incident and conclude, therefore, that they do not need to invest in a cyber strategy or security tools. This premise begs the question: how do you know whether you have been targeted or, for that matter, compromised if your firm doesn’t have the security measures to monitor and identify external and internal intruders? If assumptions are to be made, they should be based on facts as well as quantifiable and measurable data. A firm may have malicious spy software embedded in its IT infrastructure, or a rogue employee downloading and stealing information, without the firm even knowing it, so making such claims may be irresponsible and risky.
People are the biggest threat
I recall that a law firm once questioned the need for implementing any
cyber and information security requirements. Their argument was that
they were (again) a small firm of ten lawyers with six assistants and that
all of their employees were loyal and had been with the firm for at least
ten years, with some having been with the firm as long as twenty years.
The firm emphasized the trust and loyalty factor and that they had never
had an information security incident. Unfortunately, this type of logic is
flawed as described in the preceding paragraph.
Most cybersecurity experts will argue that people are, in fact, one of the
biggest security risks in a security chain. If employees are not
adequately trained and updated on the latest cybersecurity practices,
then they become the weakest link and a liability for an organization as
the most at-risk personnel are often uninformed, innocent, and unaware
employees who may compromise a firm in many costly ways, and not
the cyber hacker in a foreign locale.
IT Professionals and Cyber Consultants
For a firm to understand whether its operations and procedures are
deficient or unprotected from nefarious elements and cyber risk, it
should engage the right internal and external stakeholders. Regardless
of a firm’s size, someone, be it an office manager at a small firm or a
CFO at a larger firm, should be entrusted and dedicated to managing