In 2008, the government cybersecurity community expressed concern that U.S. critical infrastructure represented the nation’s soft underbelly. There was further unease with respect to law firms and other professional service firms, which have access to the sensitive business and other information of their clients. While government and the private sector spent cycles assessing and planning to manage cyber risks among the then-18 critical infrastructure sectors, professional services generally were not part of the dialogue. Although a series of subsequent public and private sector high-profile cyber incidents suggest that critical infrastructure and professional services firms are no softer than much of government, there clearly remains a national aggregate risk that is comprised, in part, by the cyber risk introduced from professional services including law firms.
As a corporate transactional associate from 2000 to 2006, this risk was not top of mind. One constant consideration, however, revolved around transactional specialization—securities offerings, mergers and acquisitions, general corporate advising. An interesting dynamic that is seemingly irrelevant, but actually presents a fantastic departure point for discussing law firm cyber risk, was the quest among corporate associates to find identity in popular culture. Whereas the mergers and acquisitions community had Bryan Burrough and John Helyar’s Barbarians at the Gate as a guide point, and securities enforcement attorneys had James B. Stewart’s Den of Thieves, budding securities transactional lawyers were left searching. Then, a colleague stumbled upon Arthur R. G. Solmssen’s The Comfort Letter, which focused on critical aspects of a securities transaction. Although published in 1975, it largely captured the life of an offering 25 years later (other than the in-person versus EDGAR filings with the SEC).
