Do As I Say, Not As I Do: Most Law Firms Lack Adequate Cyber Protection

Marsh survey reveals many law firms have not assessed the effects of a security breach on their business, despite acknowledging the damages associated with cyber threats.

By: Hannah Bender, PropertyCasualty360.

Cyber threats are on the radar for most law firms in their overall risk management, yet many are underprepared for a significant event, Marsh’s 2014 Global Law Firm Cyber Survey reveals.

For law firms, protecting the confidential data of clients and the firm is imperative as any unintended leak of information related to intellectual property or a prominent legal case can be disastrous. A security breach could potentially harm business transactions, halt a pending merger or acquisition, or damage relationships. Furthermore, firms could face financial burdens associated with the expenses following a breach. First-party costs can mount from notification expenses, business interruption issues, or preparing a regulatory defense.

It is no surprise that 79% of survey respondents view cyber and privacy security as one of their top 10 risks in their overall strategy, and more than 40% of those would place it as an even more critical threat, listing it as one of their firm’s top five risks.

The concern surrounding cyber threats in the legal profession supports research dating back to 2011 from cybersecurity firm Mandiant, which stated that 80% of the largest 100 law firms had been hacked. In Marsh’s survey, 7% of respondents stated that they had been subject to a successful cyber attack within the last three years.

Even within the last year, many law firms have faced serious cyber incidents. In May 2014, a grand jury in the Western District of Pennsylvania indicted five Chinese military hackers in a case involving an AmLaw 100 firm. In February, another large firm suffered a breach of current and former employees’ personal data that was held by a vendor. The documents included tax information, Social Security numbers, passport information and other sensitive identity data.

But despite the pressing concern, results indicate that 72% of respondents acknowledged that their firm has not assessed the cost of a data breach and scaled it to the volume and sensitivity of the information the firm holds. Furthermore, 51% have not taken the precautionary measure of insuring their cyber risk, or are unaware if their firm has done so. And nearly two-thirds of respondents have not estimated the revenue they would lose or the extra expenses they would incur in the aftermath of a cyber attack.

Yet almost all of the respondents say they are aware of the risks and take cyber/privacy risks seriously. The legal industry, as a whole, has drawn the attention of regulators and government agencies for not adequately defending the personal data and client information it collects and stores. As early as 2009, the FBI warned that the legal industry, as a group, could easily succumb to cyber incidents. In 2011, the FBI began an initiative to bring awareness and education to law firms at risk, meeting with major law firms in New York to discuss their cyber preparedness. The Bureau also followed up with the firms to educate them about precautions to secure their offices against cyber attacks, hacktivists, and data breaches originating with third-party vendors, employees or former staff.

And many firms have taken some security precautions. Ninety-eight percent of respondents have secure redundant systems in place, including offsite data vaults and servers, although redundancy protects against data loss and outages rather than against theft of confidential information. Another 75% have internal controls in place to detect non-compliance with privacy policies.

However, many firms are still vulnerable in other areas. Survey results show that 67% of respondents outsource their information technology needs to vendors, despite the fact that recent cyber incidents have shown that exposure through third-party suppliers and vendors is a weak spot in a business’ cyber defense, often allowing unauthorized personnel to access valuable and confidential information.

Still, most respondents treat their cyber and privacy security with a top-down approach. Information technology teams were most involved in the review and management of overall cyber/privacy risks, followed by the firm’s management group, general counsel and risk management team.

Ameliorating the threat can still be a difficult (and even impossible) task, especially as hackers find new ways to obtain confidential information. Unlike many other organizations and consumer-oriented companies, law firms are generally not required to disclose a hacking incident, which makes analyzing a firm’s cybersecurity a challenging task. They may have been hacked and not even know it.

For an industry that pushes its clients to protect themselves extensively against risks that could cause extensive damage to their business, the results show that not all firms practice what they preach. When it comes to cyber security, and insurance protection, lawyers sometimes approach it with a “do as I say” mentality, not “do as I do.”