More Cyber Preparedness Needed, According to 2014 Law Firm Cyber Survey
Law firms need to enhance cybersecurity to protect clients’ and firms’ confidential information.
Cyber threats feature prominently on most law firms’ risk radar and in their overall risk management strategy, yet many firms are not adequately prepared for a significant event, according to Marsh’s 2014 Global Law Firm Cyber Survey.
Law firms generally need to enhance cybersecurity measures to protect their clients’ and their firm’s confidential data. Any unintended release of information related to intellectual property or a prominent legal case can be disastrous for law firms and their clients, potentially hurting business transactions, halting mergers and acquisitions, and damaging relationships forever. First-party costs can also mount from notification expenses, business interruption issues, or preparing a regulatory defense.
Key Marsh 2014 Cyber Survey Findings:
- 79% of respondents in aggregate viewed cyber/privacy security as one of their top 10 risks in their overall risk strategy.
- 72% said their firm has not assessed and scaled the cost of a data breach based on the information it retains.
- 51% said that their law firms either have not taken measures to insure their cyber risk (41%) or do not know (10%) if their firm has taken measures.
- 62% have not calculated the effective revenue lost or extra expenses incurred following a cyber-attack.
In aggregate, almost 80% of respondents consider cyber/privacy security to be one of their firm’s top 10 risks, and more than 40% of those surveyed would place it even higher, among their top five risks. The results are consistent with research dating back to 2011 from cybersecurity firm Mandiant, which stated that 80% of the 100 largest law firms had been hacked. In Marsh’s survey, 7% of respondents said they had been subject to a successful cyber-attack in the last three years.
While cyber remains a pressing concern, a majority of firms surveyed have not taken into account what kind of financial impact their organization could experience following a cyber incident. For example, more than 60% said their firms had not calculated the revenue that could be lost following a denial-of-service attack. Even more (72%) said their firm has not assessed how much a data breach would cost it, given the kind of information it retains (see Figure 1). Costs can add up quickly following an attack, and can include determining what kind of breach occurred and what was affected, responding to regulators, and deploying additional preventive controls.
And despite the potentially high costs at stake, more than half of respondents said their firm has either not taken measures to insure its cyber risk from a data breach or the resulting business interruption, or they did not know whether their firm had (see Figure 2). Cyber insurance can be an effective tool in an overall cyber risk management program, but only as a complement to, not a substitute for, the controls described below.
Almost all respondents said they take cyber/privacy risks seriously. For example, 98% of respondents have secure redundant systems, such as offsite data vaults and servers, and almost 75% have internal controls in place to detect non-compliance with privacy policies. Yet the majority of respondents (67%) rely on outsourced vendors for their information technology needs. Recent cyber incidents have shown that exposure to third-party suppliers and vendors has been a weak link in corporate cyber defenses, often allowing unauthorized parties to obtain valuable information through the vendor rather than by attacking the firm directly.
Respondents describe cybersecurity as being managed with a top-down approach (see Figure 3). The group most involved in the review and overall management of cyber/privacy risks was IT (98%), followed by the firm’s management group (75%), general counsel (67%), and the risk management team (54%).
As a group, law firms have been singled out by regulators and government agencies, such as the FBI, for not having adequate defenses around the personal data and client information they collect and store. As early as 2009, the FBI cited the legal industry as a group that could easily succumb to cyber incidents. In 2011, the FBI set up meetings with major law firms in New York to discuss their cyber preparedness. It then followed up with firms around the US to educate them on the steps needed to secure their offices against cyber attacks, hacktivists, and data breaches by third-party vendors, employees, or former staff.
Today, law firms face a barrage of cyber threats, and some may already have been compromised to some degree without knowing it. Unlike many other organizations and consumer-oriented companies, law firms are generally not required to disclose a hacking incident, which makes analyzing law firms’ cybersecurity a challenging task. Some of the more prominent law firm cyber incidents include:
- In May 2014, a grand jury in the Western District of Pennsylvania indicted five Chinese military hackers in a case involving an AmLaw 100 firm. In 2012, the law firm had received spearphishing emails from Chinese hackers in conjunction with its representation of a US solar panel company that used a Chinese supplier.
- A large law firm in February 2014 suffered a breach of current and former employees’ personal data, which was held by a vendor. The documents in question included tax information, Social Security numbers, passport information, and other federal data.
- In 2014, the Canadian government acknowledged the hacking of some of its websites, with earlier attacks dating back to 2011. At that time, multiple Canadian law firms were allegedly hacked by the Chinese government in an attempt to derail a multi-billion dollar corporate sale.
About the Survey
The survey was conducted in August 2014. Of the 50 firms that responded: