The ‘Panama Papers’ scandal has once again put law firm cyber security in the spotlight. But it is far from the only attack law firms have faced in recent times. It has only recently become apparent, for example, that in 2015, hackers broke into computer networks at leading firms including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. And in late 2015/early 2016, a whole list of other law firms were reportedly targeted by a Russian hacker seeking information on M&A deals.
Not that any of this is new. A report in The Lawyer back in October 2013 cited warnings from a Chief Information Officer at a top-10 City firm who was convinced a prominent legal practice would go ‘down in flames as a result of a cyber attack breaching client confidentiality’. But the threat is getting worse. According to PwC’s 2015 annual law firms’ survey, 62% of law firms reported they had suffered a security incident, up from 45% in 2014.
The leak of 11.5 million papers at Mossack Fonseca may just mark a watershed moment, though. For if law firms have been slow to ramp up their security systems, they must now realise their potential vulnerability in the face of sustained and growing attacks.
From hackers seeking data for insider trading to politically motivated ‘hacktivists’ or large-scale nation-state attacks, law firms should know they’re prime targets because of the reams of highly sensitive and confidential information they hold. And in the wake of this massive data breach, clients – particularly those in the financial services sector – are only more liable to think that law firms, including their lawyers, are the weak link in the chain.
There are signs, however, that law firms might be changing, especially the larger ones. Here at Totum, we have seen a considerable uptick in senior IT roles, following a relatively quiet period during and immediately following the recession. Sure, some of this reflects renewed investment in technology to improve legal services and operational efficiency. But we also see a marked increase in firms highlighting security as a critical component of the IT leadership role: law firms want IT professionals who can help ensure resilience, including gaining and maintaining security certification such as Cyber Essentials Plus or ISO 27001.
Yann Chatreau, Head of IT, Asia Pacific, at Allen & Overy (A&O), sees security accreditation as good, but he thinks it is only the beginning. In larger firms, for example, he has seen a real shift to recruiting senior security people, such as a Chief Information Security Officer at A&O. ‘There have been dedicated security teams for a while, but largely at middle management level,’ he adds. ‘This is much more senior.’
He says it’s about demonstrating to peers and clients that you are serious about cyber security and willing to invest. But he advises firms that they must accept they need help too – lining up partners who can provide 24/7 monitoring of the network infrastructure, noting any strange patterns and distinguishing white noise from the actual threats. ‘Because it’s not if, but when,’ he cautions. ‘Motivated hackers will always find a way and there are advanced persistent threats from nation states, with almost limitless resources. What do you do when it happens?’ It’s clearly not just about implementing a second-to-none defence system, but also having a well-rehearsed crisis management strategy in place.
If law firms are still slow to get ahead of the security curve, then it may well be clients that give them a shove. ‘Clients are much more proactive on this now, especially in financial services,’ agrees Chatreau. He says that clients commonly undertake security audits at A&O, sending someone to spend several days on site asking them lots of questions. Sometimes this might extend to penetration testing too – not always with advance warning either. ‘Clients are very security conscious – the challenge is meeting all of what may be very different requirements,’ he says.
At Totum, we have recruited several IT leadership roles in the past 18 months and it is absolutely clear just how important this area has become in selecting the right candidates. The next few years will be testing ones for law firms who will continue to face a rising number of cyber attacks coming from myriad sources. Having the best security experts on side will undoubtedly help – and there’s no doubt that some firms have already seriously raised their game on this.
But there is a sense that things have to go further too. If attackers see law firms as the weak link, then the reputation of the profession as a whole is under threat. Law firms need to prioritise safeguarding their own businesses. But they also need to work together, sharing information and resources, to minimise the potential damage such sustained attacks may cause – not just to a single firm but to the profession as a whole. In the face of such danger, no law firm should be an island.