Editor’s Note: The authors of this post work on technology services consulting.
The legal profession has finally realized there’s no escaping the digital revolution — and the technology risks that come with it. And like every other industry that deals in information, law firms are vulnerable to cyber espionage and data exploitation.
Several recent data breaches at prestigious firms have highlighted that 1) law firms have access to a treasure trove of confidential information that makes them prime targets; 2) most are woefully unprepared to defend against, detect and respond to a cyberattack; and 3) many law firms underfund information security technology and employee training.
In an industry founded on the legal and ethical obligation to keep information confidential, a data breach erodes trust and may even be grounds for legal and regulatory actions. But a data breach isn’t the only way an insufficient cybersecurity posture can harm a business. Law firms that cannot withstand a cyber “vetting” may find themselves unable to compete for many clients’ work or retain existing relationships. In fact, it is becoming more routine for law firm clients to conduct third-party assessments of their law firms’ vulnerability to cyber risks. And very recently, the New York Department of Financial Services (NYDFS) proposed the country’s first-ever cybersecurity requirements for financial institutions, which will require those institutions’ third-party vendors, like law firms, to comply with minimum cyber standards, due diligence processes and periodic assessment.
Firms of all sizes are at risk. Last year, 43 percent of cyberattacks were against small businesses with fewer than 250 employees, according to data from Symantec. Cybercriminals may specifically target midsized and smaller law firms, which may not have prioritized cybersecurity like their larger counterparts but possess client data of significant value, such as material nonpublic information or sensitive intellectual property. Having fewer resources to devote to cybersecurity won’t absolve smaller firms from their clients’ data privacy standards or their own legal requirements. The price of good security isn’t nearly as high as the cost of lost business and trust.
Here are three ways cyber underinvestment and negligence can cause real harm to law firms, even if they’ve never had a breach:
1. The firm can’t survive an initial cyber vetting.
It used to be that only large financial institutions conducted cyber audits of their law firms. Now, with greater scrutiny from regulators and others on third-party risks, even smaller companies are requiring firms to demonstrate sound cybersecurity practices. In addition, the standardization of third-party cyber risk assessments makes it easier than ever for companies to vet their service providers, including their outside counsel. Law firms that either lack these internal controls or are unable to effectively communicate them may be unable to survive many Request for Proposal (RFP) processes—or may even be ineligible to participate.
2. Existing clients may be forced to change firms.
Small law firms don’t necessarily have small clients, especially if they specialize in niche practice areas. Being small, however, doesn’t immunize firms from the same cybersecurity audit standards imposed on large firms. In fact, clients are being forced to reduce the number of small firms on their outside counsel roster because some haven’t complied with these heightened cybersecurity standards. Law firms that serve clients in highly regulated industries are particularly vulnerable.
3. Your competitors offer more security.
All things being equal, given the financial and reputational fallout from a cyber incident, clients will opt to entrust their data to firms with strong, documented cybersecurity practices. Since law firms are aggregators of their clients’—and often their clients’ adversaries—most sensitive information, today’s law firm clients aren’t taking any chances, even in cases of long, successful attorney-client relationships. To protect their own reputations, decision makers within the client’s enterprise are likely to place a high priority on this issue, making cybersecurity an important differentiator in the marketplace.
Whether driven by client demand or regulatory requirements, law firms are under increasing pressure to up their cybersecurity game. Being able to demonstrate a commitment to strong cybersecurity practices is becoming a key issue for today’s law firms, even if they’ve never experienced a data breach.