Since the dawn of the new millennium, technology has been expanding the reach and ability of criminals at breakneck speeds. Regulators have constantly found themselves running behind a new era of cyberthreats and dangers, struggling to respond to accidents while fortifying the road ahead.
But with limited resources and time, their effort is one of triage. Secure the vital pillars of society first, and the rest will follow. This plan especially rings true when securing arguably the most important pillar: the one buttressing the economy. Jeremy Estabrooks, senior legal editor of Thomson Reuters Practical Law, notes that the financial industry is considered a critical infrastructure industry by the federal government. “There is definitely more emphasis on making sure they have robust cybersecurity in place,” he says.
For financial institutions, governing regulation, of which cybersecurity is now part, has always been an intrinsic part of the industry. “Because banks are a creation of a regulatory culture, they really live and breathe policies and procedures, and I think the management and directors are well aware of their responsibility and the need to meet regulatory expectations,” Estabrooks says.
But developing in-house cybersecurity is a lot like putting up a firewall to protect a network. The protection it affords only works if the network is kept centralized and does not extend to unsecured and easily targeted endpoints. Yet for modern-day financial institutions, an expanding network, from both an IT and a business perspective, is a necessity. And no outside vendor is as consequential to a financial institution’s security as its outside counsel.
But with law firms by their side and immersed in their data, how do financial institutions protect their flanks? And how can law firms meet security responsibilities to shield their financial clients from exposure and risk?
Joseph Abrenio, vice president of commercial services at Delta Risk and president of the Midwest Cybersecurity Alliance, has found that law firms “keep the secrets, good and bad, of all of their clients.” He adds: “Even if a financial institution is safe behind their own walls, they will still have weak spots with the third parties they share information with. As the saying goes, you’re only as strong as your weakest link.”
The Laws of the Land
Data security in the financial and legal industries is a tale of two sectors. While the financial industry is heavily regulated and constantly watched by federal agencies, law has at times operated in an almost laissez-faire environment, more ruled by a culture of confidentiality and secrecy than hard regulatory rules.
For financial institutions, there is never a lack of oversight, says David Ray, director of information governance at Consilio. But what’s interesting about financial services is the diverse nature of the agencies to which companies are beholden: “Some of it comes from the Federal Trade Commission (FTC), some of it is the Consumer Financial Protection Bureau (CFPB), some of it is the Federal Deposit Insurance Corporation (FDIC); acronyms abound as far as who is responsible. Financial institutions tend to be a bit of a Swiss cheese as far as enforcement goes.”
Such regulatory power can be traced back to 1950, with the passage of the Federal Deposit Insurance Act. Abrenio notes that the safety and soundness provision of 12 U.S.C. Section 1831p-1 of the Act applies to the cybersecurity practices of federally insured financial institutions. He adds that the section requires several of the federal banking regulators to develop regulations and guidelines to ensure the security of covered financial institutions.
The Act, however, left it open for regulators to interpret what security means. “The benchmark of keeping financial firms ‘safe and sound’ is intentionally vague. As such, there is no uniformity in the industry as what qualifies as ‘safe and sound,’” Abrenio explains.
Over 40 years later, regulators were given more power over financial institutions under the Gramm-Leach-Bliley Act (GLB Act). But while the Act created the modern foundation for industry-wide cybersecurity enforcement, it was primarily focused on the protection of consumers. The law, explains Thomson Reuters’ Estabrooks, “imposes the responsibility to protect customers’ privacy and confidentiality, their personal information, so that results in requirements for having an information security program in place to protect data.”
And like the Federal Deposit Insurance Act, the GLB Act was also kept intentionally vague. It only “imposes the general requirements of maintaining or having information security in place,” so regulators have consistently used “guidance in the form of booklets and papers on information security” to implement broader standards, Estabrooks says.
Though there are exceptions, such as the Fair and Accurate Credit Transactions Act of 2003, which regulated consumer data disposal to combat identity theft, financial cybersecurity has mainly progressed through a hodgepodge of agency guidance. “There’s no certain specific comprehensive regulatory regime that spells out what the cybersecurity requirements are for financial institutions. It’s an evolving process; in this case, they have elected to rely on booklets and other guidance,” Estabrooks says.
Legal’s Liberal Laws
While financial institutions must heed an ever-advancing set of regulations, the situation is far different in the legal world. Through his work with the Midwest Cybersecurity Alliance, Abrenio has found that law firms “are much less regulated, especially given the quality and quantity of confidential information they hold. They are generally obligated to maintain their clients’ information under the umbrella of a reasonable standard of care.”
But this standard is less than definitive, and certainly not all-encompassing, Abrenio adds. He notes that while there have been some cases discussing what is “reasonable” in the digital age, there are currently no enforceable industry standards “other than a common law legal obligation to act reasonably to protect information, and legal ethical standards arising from Rule 1.6 of the American Bar Association’s model rules.”
And for the most part, financial regulators historically have not been concerned with outside counsel, adds Consilio’s Ray. A lot of the financial regulations “tend to be about the protection of end users, and there aren’t necessarily prescribed standards as, say, HIPAA [Health Insurance Portability and Accountability Act]. … I think there was a sense because of the Swiss cheese of rules and regulations applied to financial services companies, it’s very hard to rely on [regulations] alone to pressure law firms to do certain things.”
That, however, has been changing recently. Given the growing awareness of enterprise risk and vulnerabilities, many in the regulatory and financial worlds are moving to more clearly define the responsibilities of third parties.
In 2015, for example, the Federal Financial Institutions Examination Council (FFIEC), which is made up of federal regulators and financial organizations, updated its guidelines “to elaborate on managing third party risks and mention also cybersecurity risks of using third party vendors,” Estabrooks notes.
Spurred by the recent public breaches of law firms and others, regulatory guidance “now requires these financial institutions to vet any third party vendor,” says Judy Selby, a former lawyer and current managing director at BDO Consulting. “I know law firms don’t like to think of themselves as vendors, but in this situation, they certainly are a vendor of the financial institution.”
The Cyber Differentiator
Holding law firms to the same security standards as other third party vendors was not at first welcomed by many in the legal world, who held up their industry as one built on trust and confidentiality. “It’s been interesting for law firms, because for a long time they’ve really dealt with things from a confidentiality perspective,” Ray says. “Those client communications, privileged communications, are treated as confidential. It is sort of an ethical gentlemen’s agreement with law firms, but unfortunately a hacker couldn’t care less about confidentiality and the agreement.”
Financial institutions also played a part in holding outside counsel to a different set of standards. Until recently, Ray explains, “most law firms didn’t have to go through a formal [vendor] procurement process and were therefore exempt from going through these same types of [cybersecurity] questions and contractual limitations.” He adds: “The challenge with laws is that they were all based on a reasonableness standard for the most part, and reasonableness is a moving target.”
Given the limited language of financial regulations, financial institutions have taken it upon themselves to specifically define what cybersecurity protections they expect from their outside counsel. Many do so through contractual agreements, Ray says, which set up the preferred security minimums, the company’s audit rights, and specific security standards.
While specific cybersecurity assessments will vary from company to company, Selby notes from her law firm experience that they usually go beyond just what technical infrastructure a firm has in place. “They want to see you have good cybersecurity practices. They want to see if you have an updated and practiced incident response plan, [if you are] training your employees, things of that nature. They’ll ask about your history with regard to cyber incidents; they want to see you are prepared to detect, remediate, and recover from an incident. And the recovery is more than just the forensic recovery, the technical fix; they want firms that can recover [their reputation] as well.”
Building up robust cybersecurity practices is a complex and difficult task, but it is one that firms have recently dived into head-on. “What I can say has changed over the past few years is initially, there was a lot of pushback in some firms against changing their practices or having to fill out a lot of these assessments and audit reports,” Ray notes. “What I have seen, especially since a lot of these breaches, is a change in attitude.”
But then again, firms have had little choice but to adapt. Robust cybersecurity, after all, is now the modern day cost of doing business. “It’s become a real corporate differentiator,” Selby explains. “Firms that can’t demonstrate that they have good cybersecurity practices are at a real disadvantage not only with financial institutions, but also with other potential clients.”
Financial institutions, for example, may withhold certain types of work from law firms if they deem the less secure firm to be a risk to the organization. They will tier law firms out based on the type of work they get, Ray says, and “if they are getting very sensitive pre-deal M&A information or the type of thing that is high value to hackers, they will choose the law firm that not only meets the contractual requirements, but goes above and beyond.”
Certification and Collaboration
For firms aiming to serve financial clients, there are a few wise places to look when building a robust cybersecurity apparatus. Certifications and frameworks, for example, can offer law firms a structured approach to data protection while ensuring their clients are aware of just what that protection entails. For financial services, Selby notes that the two most important are International Organization for Standardization (ISO) 27001 certification and alignment with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
Yet while there is a movement in the industry toward such standards, implementation of relevant certifications still remains nascent. “I find a lot of law firms are going after their ISO 27001 standards or related standards, [but] very few have achieved them yet, or they are brand new off the vine, so there’s only so quickly you can move,” Ray says. “And for a lot of these firms, they had to hire chief information officers (CIOs) or security managers and set up road maps. So they’ve had a lot of catching up to do.”
Beyond certifications, there have also been efforts to push the legal industry toward a more open and collaborative threat prevention culture, similar to the one in the financial industry. “Financial services are very good about sharing threats,” Ray explains. “It will very quickly go from the information security team in one financial services organization to another; that helps them be proactive.”
But on the other hand, he adds, “law firms tend to be very reticent to share when they’ve had breaches, and certainly it’s because they are quite often in litigation representing clients on opposite sides of the table. There is a culture not to share information.”
Recently, however, the Cybersecurity Information Sharing Act of 2015 (CISA, enacted as part of the appropriations bill H.R. 2029) and an Obama administration executive order promoting information sharing and analysis organizations have helped bridge this divide. The Financial Services Information Sharing and Analysis Center (FS-ISAC), which long predates the Act, in August 2015 launched the Legal Services Information Sharing & Analysis Organization (LS-ISAO) for law firms.
These organizations allow closer intra-industry collaboration, as well as collaboration between financial institutions, law firms and federal agencies on current cyber risks and best practices. The LS-ISAO’s founding highlights just how intertwined cybersecurity and data protection are for two different but closely connected industries, where information is vital, and protection and confidentiality are a cornerstone of daily operations and success.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.