
Law firms are a prime target for hackers and cyber thieves. While not as obvious a target as a financial institution that houses massive amounts of personal financial information, or a healthcare or retail organization holding credit card or health information, law firms are unique in terms of the corporate confidential information they are responsible for. Trade secrets, merger and acquisition plans, and financial account and fund information are a small sampling of the information within a law firm's custody at any given time.
According to the American Bar Association's 2019 Legal Tech Survey, 26% of law firms experienced a data breach in 2019.
In addition, Logictech's Q4 2019 Cybersecurity Scorecard showed:
- 54% of law firms report being audited by one or more clients at least once, a 13% increase since the last scorecard.
- Only 37% of law firms are vetting the cybersecurity and data management policies of their third-party service providers.
- 55% of law firms surveyed have documented policies and procedures.
- 54% of law firms have formally documented training programs for staff.
- Only 24% of law firms have implemented SOC monitoring.
As the above statistics demonstrate, data breaches have become a risk to every law firm throughout the world regardless of the number of attorneys, revenues or practice areas.
Because law firms obtain, store and use a large amount of highly sensitive information, and because firms typically run weaker security controls than their clients, attackers often target law firms to obtain valuable corporate confidential information. A firm's weaker security can also offer a back door into client systems, and the information a firm holds is typically a concentrated, high-value subset of what its clients hold, which makes it both more interesting to an attacker and easier to find and exfiltrate.
As indicated above, this information may include merger and acquisition plans, other valuable corporate financial information as well as the personally identifiable information, including personal health and financial information, of their employees and clients. If at any time a law firm is hit with a cyberattack and client information is compromised, loss of client trust can be catastrophic.
Sophisticated attacks against law firms often include phishing, ransomware, denial of service attacks, business email compromise, monitoring of communications for insider-trading information, malware/spyware and cryptojacking. A firm hit by any of these types of attack faces detrimental consequences, including loss of client trust, lost billable hours and overall loss of revenue, destruction of client data and files, and consulting fees to repair the damage. In addition, preserving confidentiality is a core professional duty, and failure to do so can lead to a number of exposures, including professional misconduct and negligence in the provision of professional services.
How Can Law Firms Respond and Protect Themselves and Their Clients Against Cyber Crime?
Law firms should have formally documented cybersecurity policies, including an incident response plan and a business continuity plan. These should be tested at least annually, preferably semi-annually, for example through a tabletop exercise that walks senior management through a simulated incident. In light of the pandemic, with employees working remotely, these plans should be revisited so that senior management knows their roles and responsibilities should a cybersecurity incident occur.
Given the smaller size of some law firms, it may prove costly to hire a dedicated CISO to oversee the firm's cybersecurity. In that case a firm executive can take on this responsibility, provided they have consistent advice from the best cybersecurity experts the firm can find. The biggest mistake a firm can make is to hand this responsibility to a non-IT executive without that outside expertise behind them.
Firms should keep good backups of their data, and at least one copy should be offline or otherwise isolated from the production network so that ransomware cannot encrypt it along with the live data. Backups only count if restores are tested: a firm should periodically restore files from backup and confirm they are complete and usable. That protects against ransomware that holds data captive and against malware that destroys it. Firms should also run effective antivirus or endpoint protection software and keep it up to date. The same goes for operating systems and applications: firms should run supported, current versions and promptly install security patches.
Data access management is no different: access to data should be granted only to those who genuinely need it for their work, reviewed regularly, and removed promptly when someone changes role or leaves the firm. Sometimes employees themselves can be a threat, and even when they are not, every account with access is one more point where an attacker can break in.
File transfer and email security are of paramount concern, and proper file handling should be part of employee training. If employees must transfer files, the files should be encrypted and password-protected, with the password shared through a separate channel (for example by phone) rather than in the same email as the file. Email should be sent only from firm accounts, which should support encryption in transit and, where the sensitivity of the matter requires it, encryption of the message contents themselves.
Lastly, law firms should consider cyber liability insurance. This policy provides an effective risk transfer solution to address these risks and exposures. In addition, a cyber policy provides many proactive resources including those outlined above to help your firm prepare for and mitigate damage from a cyberattack when it occurs.
Law firms have made significant progress in taking measures to protect against cyber risks, but they must do more. Law firms need to be regularly assessing their risks. Most do not have the expertise to do that and should look for the most qualified outside experts they can find to advise them. Technology is constantly changing and so are security threats. Establishing good cyber security is an ongoing process, not a one-time or random event.
To learn more about how you and your entity can benefit from NFP’s cyber and technology leadership, find an NFP Professional near you today!