While quick to trumpet their tech capabilities, law firms are coy when it comes to cyber security policies. Making a defence strategy public could play into the hands of hackers, of course. But considering how devastating an attack might be for a law firm and its clients, one would expect at least some publicity of their initiatives on that front.
The issue gained notoriety last summer after a malware attack on a third party compromised DLA Piper’s systems and made the dangers to law firms as collateral damage a reality. Even according to the most conservative estimates, the disruption cost the firm $10m at the very least. But it could have been a lot worse if the attack had led to the disclosure of confidential client information, as with the email hack on Panamanian firm Mossack Fonseca & Co (the so-called Panama Papers) and the breach of offshore firm Appleby’s data in 2016 (Paradise Papers).
But while those incidents sent shock waves through the industry, change is still painfully slow to come. ‘If security isn’t keeping you awake at night, you need to check your priorities,’ says Freshfields Bruckhaus Deringer’s chief legal innovation officer Isabel Parker.
Linklaters started advertising for a chief information security officer (CISO) in the immediate aftermath of the DLA events, but the position was not filled. ‘The search for somebody who would fit well and work in a law firm was very difficult,’ admits chief operating officer Matt Peers. As with any tech professionals coming in from other industries, there are cultural challenges in integrating the most senior cyber security officer in partnerships where ‘you cannot just go to a lawyer and say to them: “You will do this course by Friday”’.
‘If security isn’t keeping you awake at night, you need to check your priorities.’
Isabel Parker, Freshfields
After Peers took over in January, the firm resolved to give up on its search and reallocate cyber security-related tasks within the existing tech team. It is now looking for a chief technology officer who will have security as part of their remit.
Yet questions remain over whether a firm of that size can get away without someone dedicated to cyber security, a position all other Magic Circle firms have.
Regardless of the professionals they employ, the recent cyber attacks have pushed most firms to move their data to the cloud, a virtual platform that is independent of an organisation’s onsite software. ‘Ironically, in a world of increased cyber security threats, organisations are often keener to move to the cloud due to the increased security that it presents over and above on-premises installations,’ says Gowling WLG head of innovation and digital, Derek Southall.
Of course, law firms could hardly match Microsoft’s $2bn investment in security. The computer giant is Allen & Overy’s top provider by spend, including its Azure cloud platform. DLA director of innovation, Adam Hembury, says that the cyber attack has made the firm ‘more enthusiastic’ about the cloud.
While it is commonly accepted that complete safety from an attack is impossible, a recent case underlined the importance of appropriate response plans. On 1 October the Financial Conduct Authority fined Tesco Bank £16.4m for its failures in a 2016 cyber attack, just shy of the maximum £17m envisaged by the Network and Information Systems Regulations 2018. The hefty charge was partly due to Tesco’s failure to respond to the attack ‘with sufficient rigour, skill and urgency’.
‘Of course, you should be looking at your security and make sure mechanisms are up to scratch, but what is absolutely urgent is making sure you are able to respond,’ says Simon Shooter, co-head of the international commercial group at Bird & Bird. Preparing a response plan involves running regular simulation exercises – the so-called ‘penetration tests’.
Although a full simulation can cause considerable disruption, having a proper response plan in place is much more about educating staff than throwing money at expensive software. But that does not make the challenge for law firms any smaller. It is about changing habits, creating an environment where it is possible to make lawyers do that cyber security course by Friday. Public horror stories and close shaves aside, there is still some way to go to get there.