Outside Law Firm Cybersecurity Under Scrutiny
Bank of America Merrill Lynch is auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators to do so, according to the bank's assistant general counsel Richard Borden.
Borden, a panelist at Corporate Counsel's 25th Annual General Counsel Conference on Wednesday, said that Bank of America is "one of the largest targets in the world for cyber attacks," and that law firms are considered "one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information." Bank of America is the second-largest U.S. bank by assets.
Regulators at the Office of the Comptroller of the Currency, which oversees BofA and other financial services companies, have focused on law firms, Borden said. "They are coming down on us about security at law firms. So we have no choice but to check the information security and to audit, to actually audit, the information security of our law firms that have confidential information. We spend a lot of money and use a lot of law firms, so this is casting a very wide net."
As cyber attacks directed at U.S. business have grown more prevalent, the Federal Bureau of Investigation and others have flagged concerns over cybersecurity at law firms, given the value of their corporate clients' information to potential attackers, and law firms' often slow adaptation to new technologies.
For a major financial services company like Bank of America, being considered part of the U.S.'s critical infrastructure (the subject of an executive order issued earlier this year) presents additional pressure to examine their contractors and supply chain, including law firms.
"It's been really interesting dealing with the law firms, because they're not ready," said Borden, who is the bank's in-house cybersecurity lawyer and is assisting the group that's reviewing BofA's outside counsel. "Some of them are, I should say, but there are many that aren't. And it actually does pose a threat."
CorpCounsel.com asked Borden what the company is looking for law firms to demonstrate in the audit of their information security policies and practices. "One, we're looking for them to have an information security plan," he said.
Next, Borden said, BofA wants to see that the firms actually follow that plan. For example, he asked, "How are they dealing with mobile devices? Is our information going onto mobile devices in an encrypted way?"
And the bank isn't simply relying on the law firms' own audits of their information security practices. "We're really looking at their whole structure and focus on information security, and we test it. We send in people to test it," Borden said.
Amid efforts to bolster the bank's own cybersecurity defenses, BofA is currently focused on training employees about the dangers of social hacking, such as so-called spear-phishing techniques that entice employees with official-looking messages that contain malicious links.
Borden reviews and approves the company's training on the topic. "I can't tell you how much focus we're putting on just that," he said, adding that the company has already hardened other defenses. "We've survived [distributed denial-of-service] attacks that should have taken down the whole Internet. We've done that. But we're still getting hit with people opening links on emails or websites that they just shouldn't open. That is huge."
Yet despite the scale of threats across industries, members of the panel continued to sound the alarm that corporate America isn't prepared to handle today's cyber attacks, or tomorrow's.
"There are a lot of companies, public and private, that are really not ready for what's coming," said Craig Newman, a partner at Richards Kibbe & Orbe.
While Borden spends most of his time as assistant general counsel on information security, he estimated that he is one of very few in-house lawyers to do so at U.S. companies.
"You probably have people involved in privacy, but you probably don't have people involved in the information security," he told the audience of attorneys at the GC East event.
But legal issues in the cybersecurity arena abound. For starters, Borden recommended that in-house attorneys understand which type of nationally or internationally accepted standard the company's information security policy is based on.
"Understand how that works at your company and how you are able to respond to your customers when they start asking, 'What's your policy? How do you protect information?'" he said.
Two recent actions by regulators should also be getting in-house counsel's attention. A lawsuit filed by the Federal Trade Commission against Wyndham Worldwide stems from a hacking incident at the hotelier. And just last week, New York Governor Andrew Cuomo requested information on the cybersecurity practices of large insurance companies regulated by his state.
Borden called Cuomo's move "astounding": "No state regulator, I don't think any federal regulator, has done anything at that level," he said.
Which is part of yet another cybersecurity challenge for in-house counsel right now. "Regulations are in their infancy," said Borden, adding, "Yet all of these different regulators are looking at us to make sure we're doing things exactly the right way."