Law firms are increasingly confident in their cybersecurity capabilities, despite many falling short of adequate breach response preparation. That is the finding of ALM Intelligence’s “Cybersecurity and Law Firms: Defeating Hackers, Winning Clients” report, a survey of 210 law firm respondents holding a variety of roles, including internal legal counsel, managing partner, chief technology officer and chief privacy officer.
The survey found that cybersecurity pressures are being acutely felt across the legal industry — 90% of respondents felt attacks against the industry were increasing, while 73% noted receiving pressure from their clients to shore up their cybersecurity defenses.
But far from being cowed by such responsibilities, 75% of respondents expressed confidence in their firms’ abilities to withstand a security incident, an increase of 10% from 2015.
Given law firms’ management of their incident response plans, it’s not difficult to see why respondents are confident. Almost all (96%) of respondents said their firms train employees in response plan policies and procedures, while 80% said their firms’ plans involve identifying regulatory bodies to notify should a breach occur. In addition, 75% said their firms partnered with data forensics experts to aid in their cybersecurity capabilities.
Yet despite robust breach incident plans, firms’ confidence in their cybersecurity abilities still belies evidence of breach unpreparedness and vulnerability. Only two-thirds of firms surveyed actually had an incident response plan in place, a 7% decrease from 2015. In addition, fewer than half of respondents said they tested their incident response plans, while only 6% of firms regularly audited third-party vendors’ security protections. Fifty-four percent said they do not audit any vendors at all.
Steven Kovalan, senior legal analyst at ALM Intelligence and co-author of the report, noted that law firms’ “confidence is misplaced. When considering the danger as a hypothetical, they respond with confidence. This is due to the fact that there is a greater understanding and awareness of threat.
“Firms have taken some concrete steps in the right direction. Unfortunately — though I’m generalizing here — that’s all they’ve done,” he added. “They’ve moved a little in the right direction, but as the results of our survey and research indicate, they still have a long way to go before they can be considered having implemented comprehensive security measures.”
In lieu of uncovering and managing vendor security infrastructure, the survey found that many firms are moving to limit liability exposure, with 60% placing risk-shifting provisions into their third-party vendors’ contracts. Kovalan believes that this may be due to lawyers’ instinct “to focus on liability.” But, he added, “shifting liability doesn’t ensure security.”
Such a practice, Kovalan said, represents a disconnect from what clients demand in terms of cybersecurity protections. “How would a top financial institution react to being told by its dedicated outside counsel that the counsel does not audit the data security practices of its vendors, but that the client shouldn’t worry because if something goes wrong, the vendor will shoulder the blame?”
Beyond potentially unsafe vendors, other security risks of respondent law firms included implementing bring-your-own-device (BYOD) policies, which 81% of respondents noted their law firms had, despite only 65% believing such policies provide sufficient security.
For a significant number of law firms, cybersecurity was also not just an expensive business, but a business opportunity. Almost all (88%) of Am Law 200 law firms, for example, had a dedicated practice group focused on handling cybersecurity matters. The survey noted that the driving factor behind these groups was demand from corporate counsel clients.
Around two-thirds of these cybersecurity practice groups focused on regulatory compliance and breach response processes, while around 60% also engaged in vendor contract reviews and developing cybersecurity best practices. In addition, around 57% handled litigation concerning cybersecurity, while 56% also focused on online privacy matters.
Ricci Dipshan writes for Legaltech News, an ALM sibling publication of this newsletter in which this article also appeared.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.