Cybersecurity is on the tip of the tongue of nearly every business, legal and technology leader today. Cyberattacks are ranked the third-largest global threat in the World Economic Forum (WEF) 2018 Global Risk Report. The legal industry is proving to be one of attackers' top targets because of the type and volume of data held by firms and the judicial system.
Attacks and breaches hit the legal industry especially hard. In 2016, for example, more than 11.5 million documents were stolen from Mossack Fonseca, a Panama-based law firm. Making matters worse, these documents, more than 2.6 terabytes of data, were publicly leaked!
In 2017, DLA Piper, a global law firm with offices in more than 40 countries, was hit by a ransomware attack that shut down most of its offices. Its loss of revenue from the shutdown was huge. Conventional thinking says the firm can file insurance claims for those lost billable hours – right? Sure, unless the claims are denied. Then those hundreds of thousands of dollars in billable hours are simply gone.
Cybersecurity vulnerabilities pose serious risks to law firms: business interruption, lower productivity, and reputational damage from adverse media coverage. All of these have disastrous effects on net profit, on retaining key attorneys, and on winning and keeping clients. Few firms can survive hits like this.
Law firms that want to stay ahead of cyber threats must change their playbooks. The playbook, in outline:
- Quantify your risk and make a plan.
- Document how your current cybersecurity processes, policies and tools can or can't handle each scenario or disruption.
- Treat this as an ongoing process that adjusts as cybersecurity threats and defenses continue to evolve.
Putting a cybersecurity playbook into action is easier said than done. Most law firms don't have the internal security expertise to thoroughly evaluate scenarios and tools, especially as threats change and firms grow. Another challenge is that most firms store Personally Identifiable Information (PII) and sensitive client data in a central location, so a single compromise exposes a great deal at once. Most firms' systems contain easy entryways for attackers. Only the newest systems – those deployed within the last 3-5 years – were designed with cybersecurity features or adapt well to modern security methods like encryption.
How To Start The Process
Start by quantifying your exposure. This is a simple exercise with just a few steps.
Step 1: Make a list of everything that could be accessed if someone penetrated your systems. You’ll start with obvious items like email, employee records, customer records, and files on your computers and servers. Then you’ll include any cloud storage your organization uses. Does your data include trade secrets, your own or your customers’? How about intellectual property? Don’t forget to list anything with PII, such as prospect lists and marketing lists.
Step 2: Make a list of any organizations or standards that impose compliance obligations on you. Examples include HIPAA, GDPR, and CCPA (California Consumer Privacy Act). Detail any organization or standard that has specific requirements for how you secure data and manage security breaches. Then mark the applicable standards next to each item in the list you created in the first step.
Step 3: Now it's time to quantify your financial exposure. There are multiple ways a breach can impact you financially. Here are a few:
- Lost productivity
- Lost work product (e.g., through ransomware)
- Fines (for failing to meet compliance)
- Reputation damage – current revenue stream
- Reputation damage – future revenue stream
- Lawsuits and damages awarded in court
- Loss of competitive advantage (through leaked trade secrets)
Some of these items are covered by data breach insurance. Others are not. Assess what your insurance covers and tally the items it does not.
Step 4: Now add up the total financial exposure and subtract anything covered by insurance. Can your business sustain a financial hit of that size?
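The four steps above are a simple worksheet, and it helps to keep them in one structured place so the numbers can be revisited as the firm and its policy change. The following is an added example, not part of the original article: a small Python risk register that records the assets from Step 1, tags them with the standards from Step 2, lists the exposure categories from Step 3, and computes the net figure from Step 4. It also handles one detail the text implies but does not spell out: an insurer pays at most the policy's aggregate limit, so covered categories that add up to more than the limit still leave a gap. Every asset name, dollar figure, policy limit and loss-tolerance value is a constructed placeholder to be replaced with a firm's own estimates.

```python
"""Risk-exposure worksheet for the four-step process (added example).

All names and dollar amounts are constructed placeholders, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    """Step 1: something an intruder could reach after penetrating your systems."""
    name: str
    contains_pii: bool = False
    standards: set = field(default_factory=set)  # Step 2: HIPAA, GDPR, CCPA, ...


@dataclass
class ExposureItem:
    """Step 3: one financial-impact category with a dollar estimate."""
    category: str
    estimate: float
    insured: bool  # does the data breach policy cover this category at all?


def standards_in_scope(assets):
    """Union of every compliance regime that applies to at least one asset."""
    scope = set()
    for asset in assets:
        scope |= asset.standards
    return scope


def assets_subject_to(assets, standard):
    """Names of the assets marked with a given standard (Step 2 cross-reference)."""
    return [a.name for a in assets if standard in a.standards]


def gross_exposure(items):
    """Total estimated loss before any insurance recovery."""
    return sum(i.estimate for i in items)


def insured_recovery(items, policy_limit):
    """What the insurer would pay: covered categories, capped at the policy limit."""
    covered = sum(i.estimate for i in items if i.insured)
    return min(covered, policy_limit)


def net_exposure(items, policy_limit):
    """Step 4: total exposure minus what insurance would actually pay."""
    return gross_exposure(items) - insured_recovery(items, policy_limit)


def uncovered_items(items):
    """Categories the policy does not cover, which must be absorbed by the firm."""
    return [i.category for i in items if not i.insured]


def can_sustain(items, policy_limit, max_tolerable_loss):
    """The Step 4 question: is the net hit within what the firm can absorb?"""
    return net_exposure(items, policy_limit) <= max_tolerable_loss


# Constructed sample register (placeholder values).
SAMPLE_ASSETS = [
    Asset("Email", contains_pii=True, standards={"GDPR", "CCPA"}),
    Asset("Employee benefits records", contains_pii=True, standards={"HIPAA"}),
    Asset("Client matter files", contains_pii=True, standards={"GDPR"}),
    Asset("Marketing prospect lists", contains_pii=True, standards={"CCPA"}),
    Asset("Cloud document storage", contains_pii=True, standards={"GDPR", "CCPA"}),
]

SAMPLE_ITEMS = [
    ExposureItem("Lost productivity", 120_000, insured=True),
    ExposureItem("Lost work product (ransomware)", 80_000, insured=True),
    ExposureItem("Fines", 50_000, insured=False),
    ExposureItem("Reputation damage - current revenue", 200_000, insured=False),
    ExposureItem("Reputation damage - future revenue", 150_000, insured=False),
    ExposureItem("Lawsuits and damages", 250_000, insured=True),
    ExposureItem("Loss of competitive advantage", 100_000, insured=False),
]

SAMPLE_POLICY_LIMIT = 300_000      # constructed aggregate limit
SAMPLE_MAX_TOLERABLE_LOSS = 500_000  # constructed: what the firm says it could absorb

if __name__ == "__main__":
    print("Standards in scope:", sorted(standards_in_scope(SAMPLE_ASSETS)))
    print("GDPR assets:", assets_subject_to(SAMPLE_ASSETS, "GDPR"))
    print("Gross exposure:", gross_exposure(SAMPLE_ITEMS))
    print("Insurance would pay:", insured_recovery(SAMPLE_ITEMS, SAMPLE_POLICY_LIMIT))
    print("Net exposure:", net_exposure(SAMPLE_ITEMS, SAMPLE_POLICY_LIMIT))
    print("Not covered at all:", uncovered_items(SAMPLE_ITEMS))
    print("Sustainable:", can_sustain(SAMPLE_ITEMS, SAMPLE_POLICY_LIMIT, SAMPLE_MAX_TOLERABLE_LOSS))
```

With the placeholder numbers, the covered categories add up to more than the policy limit, so the recovery is the limit rather than the covered total, and the net exposure exceeds the firm's stated tolerance. That is exactly the case where the Next Steps below (adjusting coverage, or reducing the exposure itself) come into play.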
Next Steps
Review your data breach insurance policy. You may want to adjust coverage based on your exposure and your risk tolerance.
You may also want to consider a third-party audit by a cybersecurity consultant, who can recommend how to fortify your environment based on your particular needs. These are often simple steps that can dramatically improve your security.
You may face the misfortune of a breach, followed by litigation. Your strongest position at that point is demonstrating that you took reasonable measures to protect sensitive information. Start taking these steps today.
Final Thoughts
If a firm develops and implements its cybersecurity playbook properly, cybersecurity can readily become a competitive advantage.
Treating cybersecurity as something to put off until tomorrow is an accident looking for a place to happen. You can easily calculate the cost of not getting it right, and for most firms that cost is too high. The right amount of foresight and insight dedicated to cybersecurity planning goes a long way toward protecting your firm from security breaches, career-killing problems and the very real possibility of going out of business.
As you consider these questions, remember that hackers are attacking computers and networks at a "near-constant rate." A University of Maryland study found an average of one attack every 39 seconds. Will your law firm be one of them?
Bio
Bob LeBlanc is the founder and President of InTrilogy, a cyber risk management consultancy. He began his career in IT in 1971 as a software engineer. Bob was the senior technology officer for the company that created an encryption algorithm (polymorphic key progression algorithmic cypher engine). He holds four patents in cybersecurity with an additional ten patents pending. Bob has helped numerous companies implement HIPAA-compliant cloud-based software solutions, and has held a number of senior-level positions in IT, including CIO of a Houston-based hospital group.
Disclaimer
Daniels-Head Insurance Agency (DHIA) seeks thoughts and insights from a variety of individuals and organizations in the industry. The guest content on this blog represents the individual opinion of the author and not that of DHIA, nor that of DHIA's underwriters and business partners. Neither DHIA nor DHIA's business partners are recommending, endorsing, or sponsoring any companies or third parties mentioned in this blog.