For the third year running, ALM Intelligence has focused its research efforts on the state of law firm and law department cybersecurity. In 2015, our research concluded that law firms and law departments (particularly law firms) were far behind the curve when it came to cybersecurity preparation and response. In 2016, our research indicated that law firms were still playing catch up, but things were improving slightly, and law departments were increasingly being held accountable for cyber-attacks in their organizations.

In 2017, much of this research has come to a head. 2017 was not just the year of the cyber-attack, but the year of the cyber-explosion. Some of the big ticket headlines for this year include: “Yahoo General Counsel Ron Bell Resigns Amid Data Breach Controversy,” “Uber ousts in-house counsel who suppressed information about 2016 data breach,” “Ransomware Attack on DLA Piper Puts Law Firms, Clients on Red Alert,”  and “Equifax looks to In-House Lawyer to ‘Build a New Future’ After Massive Breach.’”

At this point, it is clear that not only are cyber-attacks of the utmost importance to the success and reputation of companies, but also that boards and management are now reliant on the legal industry to help their organizations manage and respond to cyber threats. This reliance results in a sharp uptick in responsibility when it comes to understanding and managing cybersecurity, and can even result in law department members taking the fall for poor cyber management, and law firms being rejected by clients for cyber practices that are not up to snuff.

By the same token, for those law departments and law firms that excel at cyber management, the benefits are clear: law departments are given a true seat at the table, and law firms own a larger piece of lucrative cybersecurity matters.

This year’s research, Challenges at the Intersection of Cybersecurity and Legal Services: Cybersecurity Surveys of Law Firms and Departments (Legal Compass subscriber? Click here for free access to the data), concludes that the state of law firm and law department cybersecurity is still fractured: many continue to struggle with managing cyber threats.

When it comes to law firms, they have become slightly more prepared over the past year. As seen in the graphic below, more law firm respondents are now assessing, planning and taking action when it comes to cybersecurity (with the exclusion of a slight dip in partnering with forensic experts).

For law firms, much of this upwards trend likely stems from client pressures. Eighty-two percent of law firm respondents indicated that clients are requiring them to upgrade their cybersecurity capabilities. In interviews with law department general counsel, it became clear why. One GC of a Fortune 100 company noted that they are willing to take firms that are not meeting their standards of their preferred provider panel.

Law departments, on the other hand, have become slightly less prepared over the past year. As seen in the graphic below, when it comes to assessing, planning and taking action, less law department respondents reported implementing a formal security assessment, putting a data breach plan in place, partnering with forensic experts, and doing “fire drills” (putting the teams to the test).

For both law firms and law departments, approximately a third of survey respondents indicated that they were not comfortable with their cybersecurity readiness. This number should probably be closer to half, given that less than 50 percent of law firm and law department respondents do not test their cyber responses through “fire drills.”

So how do things improve?

 

  • Partner with your IT team

According to a study done by our UK Intelligence branch, Legal Week, in partnership with Kroll, 20 percent of legal departments, on average, never connect with their IT department on cyber-related topics and organizational readiness. To address this firms and legal departments should partner with IT to better understand the cyber risk environment, and to catch up on where the issues may lie.

 

  • Ensure the organization involves legal

As seen below, particularly on the corporate side, only 40 percent of respondents noted that the legal department is involved in security assessments while 68 percent said that they were involved on the data breach team, and only half involved legal in fire drills. Similarly, the Kroll Legal Week study found that 30 percent of global respondents, on average are central to the company’s cyber Incident Response Plan (IRP). These numbers are too low – while cybersecurity is never just a technology problem, organizations must understand it is always a legal problem.

 

  • Better manage supply chain risk management

Over a quarter of law firm and law departments do not frequently assess supply chain risk management, and less than half audit their third party vendors regularly. This number is particularly low for law departments.  As seen below, only 13 percent of respondents audit third party vendors regularly, indicating that there is room for improvement.

 

  • Become a part of an information-sharing organization

Only a quarter of law departments and two-thirds of law firms are involved in an information-sharing organization. For law firms, that can include LS-ISAO, ILTA, ABA Cyber Alert and InfraGard. For law departments, that can include FS-ISAC, SAS, Multistate ISAC. Firms and companies should try to understand through these organizations what similarly situated firms and companies are facing in terms of threat, and ways that they have learned to respond. This may be the difference between being prepared and being reactionary when it comes to a cyber-attack.

 

  • Purchase cyber insurance and require vendors to purchase cyber insurance

While the majority of law firms are incorporating cyber insurance in their response plans, only 69 percent of law departments are doing the same. Further, less than half of both law firms and law departments require their vendors to purchase cyber insurance. It is also critical for firms and law departments to ensure that they what is covered in their cyber policy. Some questions to ask include:

  1. Have risks been identified correctly?
  2. Is the amount insured appropriate?
  3. What are the conditions of the policy?

In addition, approximately a quarter of respondents to the Kroll/Legal Week survey did not know whether hacking/phishing, system glitch, employee mistakes, malicious insider, or mistakes by third-party providers were covered under their cyber policy. Beyond confirming they are insured, firms and companies must understand that basics of their cyber insurance policies, especially what is covered in the case of an attack.

What is on the horizon at the intersection of cybersecurity and legal services?

For law departments, we see an increasing amount of cyber responsibility – which is largely a positive but may also have some negative effects. The firing of law department members because of poor cyber management will continue to be a trend in 2018. We also see an increase in cyber class actions, which will keep law departments busy in the coming year. Finally, we see corporate counsel needing to proactively respond to increasing complexity in the global cyber landscape – particularly for global companies who will need to get up to speed, fast, on GDPR.

In turn, the law firms that can better assess, protect and test their systems will get the lion’s share of a growing and increasingly lucrative cyber market. All others will be left with a shrinking share of the market. Moreover, law firms will continue to face reputational damage and even closure from hacks. As we see in the survey, law firms have no choice but to improve or risk obsoletion.

ALM Intelligence Notes


Daniella is a Senior Analyst at ALM Legal Intelligence. Her experience includes advising law departments in relation to strategy, technology, market intelligence, and operations. A member of the New York Bar Association, Daniella holds a Juris Doctor degree from The Benjamin N. Cardozo School of Law. She can be reached via email, Twitter, or LinkedIn. ALM-Intelligence