<b><i>Online Extra:</b></i> Am Law 200 Firms Spending $7M on Cybersecurity Annually

With unfettered access to critical documents and information, law firms are an attractive target for hackers. Even when firms employ cutting-edge data security techniques, their possession of corporate data still multiplies the surface area of risk for that information. A recent survey of the Am Law 200, which tapped nearly one-third of firm CIOs for their experience, is showing the extent to which the highest grossing firms are spending to mitigate the risk associated with data security.

According to the findings of Chase Cost Management's 'What Price Peace?”survey'spending on information security at Am Law 200 firms rarely exceeds 1.9% of gross annual revenue. Firms spent around $6.9 million on average, though the survey cautions some of that may have gone to non-cybersecurity projects.

While the survey was able to determine the average that respondent law firms were spending on these efforts, harder to determine was whether or not that was enough. Respondents split 50/50 on whether their spending was 'about right' or 'not enough,' though predictably, no respondents indicated there cybersecurity spending was 'too much.'

Firms also varied in what areas they were spending. When asked to rank their top three spending priorities, respondents most frequently indicated a need to strengthen in-house security expertise (22.2% of respondents). The runners-up priority wise split three ways: Assessment to identify gaps in security posture, cyber liability insurance policy and risk transferring, and training for employees to increase awareness each made the priorities list 12.1% of the time.

Overall, the survey suggested that the priorities set by firms were positive. Chase Cost Management wrote, 'Traditionally, many law firms have chosen, likely to control expenses, to give the CIO or IT Director the responsibility for security management and an existing network systems engineer the responsibility for security operations. A hands-up survey of the audience suggests that most firms still do not have dedicated security staff. However, there were a few, albeit larger firms, who have managed to get support for four and five FTEs who are focused on information security initiatives.”

Chris DiMarco writes for'Legaltech News, an ALM sibling of e-Commerce Law & Strategy.

With unfettered access to critical documents and information, law firms are an attractive target for hackers. Even when firms employ cutting-edge data security techniques, their possession of corporate data still multiplies the surface area of risk for that information. A recent survey of the Am Law 200, which tapped nearly one-third of firm CIOs for their experience, is showing the extent to which the highest grossing firms are spending to mitigate the risk associated with data security.

According to the findings of Chase Cost Management's 'What Price Peace?”survey'spending on information security at Am Law 200 firms rarely exceeds 1.9% of gross annual revenue. Firms spent around $6.9 million on average, though the survey cautions some of that may have gone to non-cybersecurity projects.

While the survey was able to determine the average that respondent law firms were spending on these efforts, harder to determine was whether or not that was enough. Respondents split 50/50 on whether their spending was 'about right' or 'not enough,' though predictably, no respondents indicated there cybersecurity spending was 'too much.'

Firms also varied in what areas they were spending. When asked to rank their top three spending priorities, respondents most frequently indicated a need to strengthen in-house security expertise (22.2% of respondents). The runners-up priority wise split three ways: Assessment to identify gaps in security posture, cyber liability insurance policy and risk transferring, and training for employees to increase awareness each made the priorities list 12.1% of the time.

Overall, the survey suggested that the priorities set by firms were positive. Chase Cost Management wrote, 'Traditionally, many law firms have chosen, likely to control expenses, to give the CIO or IT Director the responsibility for security management and an existing network systems engineer the responsibility for security operations. A hands-up survey of the audience suggests that most firms still do not have dedicated security staff. However, there were a few, albeit larger firms, who have managed to get support for four and five FTEs who are focused on information security initiatives.”

Chris DiMarco writes for'Legaltech News, an ALM sibling of e-Commerce Law & Strategy.