Reprinted from the November 2016 issue of Cybersecurity Law & Strategy with permission.
A couple of years ago, when the IT focus of a law firm was on document management and perhaps mulling the billable virtues of e-discovery, cybersecurity was well over the horizon. The cyber world was still considered flat, and the other side of the world was undiscovered. There was no idea of the risk that lurked in the embers of political instability, juvenile capitalism and a moral compass that all too often pointed to human suffering.
Yet two years ago, the undiscovered threat had already reached the new shores of Wall Street. This financial Plymouth Rock was a new haven of untapped riches within the financial sector. The post-2008 financial crash era gave rise to the 99%, dogmatic hacktivists who settled on Wall Street. They perhaps polished the floor of a proverbial Internet Ellis Island, but much like the virtuous green lady watching from the harbor nearby, they beckoned a welcome of opportunity to a tired and poor that consisted of simple smash-and-grab criminals and sophisticated criminal syndicates, and that eventually fueled the cause of offshore agents employed by rival governments. Fearing another market destabilization in our post-2008 world, multiple financial regulators grew concerned about the risk posed by smaller financial institutions such as hedge funds or regional banks. Of chief concern was that, due to their size, these organizations lacked the security defenses afforded by larger firms, such as national banks and insurance companies.
In response, financial regulators including the Financial Industry Regulatory Authority (FINRA), the Securities Industry and Financial Markets Association (SIFMA), the Federal Financial Institutions Examination Council (FFIEC) and the Securities and Exchange Commission (SEC) conducted sweeps of regulated firms to determine their security posture and codify the risks these firms represented.
In the spring of 2014, the SEC's Office of Compliance Inspections and Examinations (OCIE) announced a national exam program to evaluate the cybersecurity maturity of hedge funds. These “sweeps” led to a guidance report the following April making recommendations that included conducting periodic security assessments, creating a strategy to detect, contain and report breaches, and developing written policies and procedures around security and security awareness training. In September of 2015, the SEC settled charges against a registered investment adviser (RIA) that failed to adopt cybersecurity procedures (SEC Rule 30(a) of Regulation S-P) and started levying fines.
Beyond the financial industry, other industries have offered up data breaches as a sacrifice that has fueled pervasive coverage in mainstream media and made cybercrime a household term.
Multiple levels of international, federal, state and industry regulation flourished to protect consumers' privacy rights and their financial and personal information.
While major banks, retailers, hospitals and insurance companies were the brick and mortar of a growing media monument to hubris and cyber overconfidence, law firm breaches went mostly unnoticed. That is, until government agencies and law enforcement grew concerned that the wealth of intellectual property curated by law firms could be used to manipulate financial markets by front-running trades.
Law firms are not governed specifically by any one regulatory authority that demands disclosure. Yes, lawyers must meet the standards of the American Bar Association Model Rules of Professional Conduct to make reasonable efforts to prevent disclosure of confidential client information (Rule 1.6(c)) and to keep abreast of risks associated with technology (Comment 8 to Rule 1.1). But there is no single regulator or group of law firms that sets cyber expectations and expects breach disclosure.
The Cross-pollination of Regulatory Pressures
As the expression goes, misery loves company, and law firms can now commiserate with their financial clientele. Law firms represent banking and investment funds, healthcare providers and pharmaceutical companies, and themselves conduct myriad financial transactions. They litigate personal injury cases and labor disputes, file patents for new drugs, and move funds between parties during mergers and acquisitions or real estate transactions.
Law firms are at the crossroads of industry. Take, for example, a firm that represents an investment institution in Manhattan that holds a position in a biopharma company across the river in New Jersey. The law firm now handles investment information that is regulated by the SEC and monitored by the FBI. The firm also handles healthcare information in the form of FDA drug test results and patient records, which fall under the Health Insurance Portability and Accountability Act (HIPAA). It might also house investor information from the fund, which means the law firm holds PII and is ultimately on the hook for PII requirements.
Clients are the New Regulators
With an alphabet soup of regulators and laws, it’s no wonder that the clients of law firms are now taking cybersecurity seriously. A data breach is a high-stakes loss, and it’s the kind of breach that will not go unnoticed. In fact, SEC regulations, HIPAA and PII laws all have disclosure requirements, meaning that a law firm cannot quietly go about business while keeping the story out of the press.
That is why, today, more law firms are receiving cyber due diligence questionnaires (DDQs) from their clients. As regulators such as the SEC tighten their rules, the implications now reach regulated firms' vendors, most notably legal services.
In many cases, the infamous “28 questions” from the SEC are emailed to law firms with a request for response. The questionnaire isn’t a simple set of checkboxes or yes/no answers. Many of the firms I’ve worked with required weeks and multiple experts (both employees and outside contractors) to complete the survey.
So Where Can You Start?
First, know your client’s business and understand its obligations. This means becoming familiar with its regulators and understanding its cyber requirements.
Second, familiarize yourself with cybersecurity frameworks such as NIST (National Institute of Standards and Technology) SP 800-53, and perhaps the Shared Assessments Program's SIG (Standardized Information Gathering) questionnaire. I like the SIG standard because it includes a “lite” version of the framework that allows you to quickly assess the general level of cyber preparedness before diving deeper into readiness assessments and exercises.
Third, it’s time for the legal industry to build its own standard. Certainly the American Bar Association has its Cybersecurity Handbook (2014), and the International Legal Technology Association (ILTA) LegalSEC council has a plethora of resources. But what I’m advocating for is a framework made by and for law firms. Creating your own set of DDQs based on existing frameworks is a critical and incredibly helpful starting point. This has been done with great success in the financial space. Hedge funds went through a cyber awakening after the SEC sweeps; investors became savvy in cyber and demanded proof that their investments would not fall prey to cyber criminals.
AITEC was founded by investment technology leaders as a private, secure community of senior management experts who share advice, knowledge, insights and best practices with each other for the betterment of the alternative investment industry. In response to the pressures presented by answering constant and varying DDQs, they partnered with AIMA (Alternative Investment Management Association) to create a standardized security DDQ that worked as a framework upon which investment firms could build their cybersecurity policies and procedures. It gave investors and clients a way of accurately measuring those firms and their cybersecurity policies and procedures. There are now over 100 vendors using the DDQ within the industry.
As an industry, we are following in the financial industry’s footsteps. When it comes to cybersecurity, we’re stronger together than we are divided. Industry consortiums and resources are essential tools for every firm working through cybersecurity program requirements. We need to emulate the financial sector’s success in that regard; they’ve drawn the map, as far as cybersecurity governance management is concerned. Now it’s time for the legal industry to follow that map.