What Legal Teams Need to do to Respond to Cyber Risk More Effectively

In focus: Simple steps to mitigate cyber risk

A group effort: Managing the firm’s security is the responsibility of all because all organization members contribute to keeping the organization and its clients safe.

Build internal relationships: IT teams must strongly link with internal comms and HR to efficiently update and upskill the entire organization.

Focused training: Most training should be focused on the firm’s ‘end user,’ which means the people handling and transmitting sensitive information; they need to be the focus of all policies and procedures.

Cybersecurity concerns are pertinent to all industries and sectors, but law firms represent a particular target for cybersecurity breaches. Cisco Systems' Annual Security Report once judged them the seventh most vulnerable sector.

Because client confidentiality is such a core part of a law firm’s work, and because the data they hold can be particularly critical to their clients, the consequences of a breach are particularly severe in this industry.

There’s also the risk of cyber sabotage, which can damage systems and infrastructure and cause reputational harm.

A massive leak of files from Panama law firm Mossack Fonseca caused huge global repercussions because of the high profile of its clients and the subsequent high level of interest in these clients’ offshore tax dealings exposed by the leak.

Data breaches at Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP were investigated to see if they were deliberate attempts at gaining information for insider trading. The data law firms hold is valuable for many different reasons, and it’s critical to clients that their sensitive information is kept safe.

Most law firms have data that could be highly valuable to cyber criminals. This includes information that could compromise a case, such as privileged communications with clients and litigation strategy information, or data that’s valuable for manipulating markets, such as patent information.

There’s also the kind of data held by all kinds of organisations, not just those in the legal industry. This includes clients’ banking details or email addresses.

Clients are also pressing for better security. Law firms with clients from the financial or other sensitive sectors are often required to prove their security credentials before the client engages with them. Therefore, being ahead on security issues can be a critical factor in getting work and a key competitive advantage.

Staying safe

It’s essential to get your organization thinking beyond the mindset that cybersecurity is an issue for the security team alone. Managing the firm’s security is the responsibility of all because all organization members contribute to keeping the organization and its clients safe. Security consciousness needs to be integrated into all functions and activities.

Staying on top of a fast-changing field of security, and constantly updating policies and procedures, is a significant challenge. The security team needs to have a strong link with internal comms and HR so they can update and upskill the entire organisation easily.

They also need the ability to move resources quickly as new threats emerge. This may mean quickly investing in new tools or hiring new people as required.

Security isn’t just about getting the right technology and tools in place. It’s also important to consider the policies and procedures, the ongoing training, the organizational strategy, and other aspects such as insurance.

Firms need to develop a culture of security that all employees buy into. Many experts suggest identifying security priorities first, then determining how staffing, tools, and other resources will support these priorities.

Some organisations also find it helpful to have anonymous reporting in order to learn from their cyber security mistakes.

Law firms may also wish to think about how their governance and reporting factors in for cybersecurity-related issues. There need to be mechanisms to report on security issues across all operations and deliver security information in a way understandable to senior managers. Getting buy-in at this level is essential, so decision-makers must be kept informed.

One of the hardest elements of your cyber security approach is admitting that no firm is ever truly secure. That’s why law firms also need to have measures in place to identify if a breach has happened, and a response plan in place for when it does.

When a security failure occurs, key people, such as communications teams and senior leadership, must understand the issue and may have to make tough decisions. At what point are clients notified? In cases where insider trading may have resulted from a security lapse, law enforcement and regulatory agencies may also need to be informed.

Yet law firms have been accused of failing to publicly disclose security breaches they have experienced.

Many firms also take a long time to realise they have been compromised. According to Forbes, the median time for a breach to be identified is a shocking 200 days.

When a firm realizes it’s been compromised, moving quickly is essential. That’s why having a crisis plan well ahead of time is vital. Ideally, the firm will also have tested its response plan beforehand so everyone can act quickly.

Skills shortage

Although firms may have the best intentions, staying on top of cybersecurity is extraordinarily difficult. Recruiting talented people with the right skills and experience is a significant challenge.

It’s common now for major firms to appoint a chief information security officer (CISO), but finding people to staff an entire team that understands the issues facing that particular organisation remains a challenge at all levels.

After that, the problem is keeping them updated in their field. Skills in this area can very quickly become obsolete if they aren’t constantly kept up to date.

Even if you have the best CISO in place and a robust in-house cybersecurity team behind them, bridging the gap between your average lawyer and your security advisers can be an additional concern.

There aren’t enough lawyers who also have technology skills; few individuals master both these large knowledge areas. Anyone wishing to unite these two skill sets would struggle to find formal training and keep it updated.

Most training should be focused on the firm’s ‘end user,’ which means the people handling and transmitting sensitive information. These represent the firm’s most significant vulnerability, so they must be the focus of all policies and procedures. But it’s a tricky task. Cybersecurity is often seen as a diversion from ‘real’ work, and in a busy law office, it can be an unwelcome distraction from core operations.

The fact is, law firms aren’t doing enough to counter the cyber security risks to their industry. Those that aren’t able to put adequate safeguards in place to prevent data breaches are leaving themselves vulnerable to malpractice suits, disciplinary action, or contract litigation by their clients.

Staying ahead on cyber security is tough, but law firms must remain active in this area and get a plan in place.
