On March 26th, two days after our “Current State of Affairs” post for the Legal Industry, the New York Times reported on an internal Citigroup memo discussing specific breach and security shortcomings at law firms. Further, an April 8th Dealbook piece again discusses law firms as vendors to major banks and Wall Street firms, vendors that must be subjected to the same due diligence as other critical infrastructure providers:
One particular area of concern on Wall Street is the security of large law firms, which not only do regulatory work for banks but also advise on corporate transactions. This year, a cybersecurity team at Citigroup issued an internal report that said law firms were a logical target for hackers because they are rich repositories for confidential data. The report also cautioned bank employees that digital security at many law firms, despite improvements, generally remains below the standards of other industries.
We note the following points of importance:
1. The New York Department of Finance has continued to survey institutions, both major banks and insurance companies, as reported in a previous blog post. Due diligence of third parties remains a significant challenge for regulated financial services companies. As quoted from the May 2014 report on surveyed banks:
Another continuing challenge is the industry’s reliance on third-party service providers for critical banking functions. As indicated above, all institutions irrespective of size rely on third-party vendors for cyber security. In addition, most small and medium institutions outsource functions such as payment processing and most of their web application and online banking systems to external companies. This interconnectedness suggests that an institution’s cyber risk level depends in large part on the processes and controls put in place by third parties. Institutions may not be permitted by their vendors to undertake penetration testing. Even more likely, small and medium institutions may not have the resources to do so. To the extent that institutions do not have adequate insight into the sufficiency of the processes and controls of their third-party service providers, this may represent an area in need of heightened due diligence and monitoring. Cyber security and data protection requirements should be incorporated into institutions’ third-party contracts from the outset.
2. Law firms, as vendors connected to the investment banking process with corresponding confidential information and intellectual property, are considered to be a high-risk target;
3. While it has taken some time for financial institutions to come to grips with this notion, third-party due diligence extends beyond the obvious technology vendors. The criticality assigned to vendor due diligence should be tied directly to “data classification” and to the determination, from a risk management standpoint, of where the greatest vulnerabilities and liabilities are present for the business;
4. Simple controls and information practices such as two-factor authentication should be applied immediately. Please see our previous Legal blog post, which reiterates this best practice; and, finally,
5. While recent articles in the media are focusing on the link between banks and law firms, we would add that all industries with critical ties to law firms should consider extending their requirements to the legal industry and requesting validation of its IT security practices.
This would include investment advisers, broker-dealers, and any other industry that makes the simple determination that its legal counterparts possess critical data.
Clearly it is time for law firms to take definitive action on cybersecurity.