Cybersecurity: Law Firms Are Coming Up Short

Law firms are increasingly confident in their cybersecurity capabilities, despite many falling short of adequate breach response preparation. This finding is according to ALM Intelligence's “Cybersecurity and Law Firms: Defeating Hackers, Winning Clients” report, a survey of 210 law firm respondents holding a variety of roles, including internal legal counsel, managing partner, chief technology officer and chief privacy officer.

The survey found that cybersecurity pressures are being acutely felt across the legal industry — 90% of respondents felt attacks against the industry were increasing, while 73% noted receiving pressure from their clients to shore up their cybersecurity defenses.

But far from being cowed by such responsibilities, 75% of respondents expressed confidence in their firms' abilities to withstand a security incident, an increase of 10% from 2015.

Response Plans

Given law firms' management of their incident response plans, it's not difficult to see why respondents are confident. Almost all (96%) of respondents said their firms train employees in response plan policies and procedures, while 80% said their firms' plans involve identifying regulatory bodies to notify should a breach occur. In addition, 75% said their firms partnered with data forensics experts to aid in their cybersecurity capabilities.

Still Unprepared?

Yet despite robust breach incident plans, firms' confidence in their cybersecurity abilities still belie evidence of breach unpreparedness and vulnerability. Only two-thirds of firms surveyed actually had an incident response plan in place, a 7% decrease from 2015. In addition, less than half of respondents said they tested their incident response plans, while only 6% of firms regularly audited third-party vendors' security protections. Fifty-four percent said they do not audit any vendors at all.

Steven Kovalan, senior legal analyst at ALM Intelligence and co-author of the report, noted that law firms' “confidence is misplaced. When considering the danger as a hypothetical, they respond with confidence. This is due to the fact that there is a greater understanding and awareness of threat.

“Firms have taken some concrete steps in the right direction. Unfortunately — though I'm generalizing here — that's all they've done,” he added. “They've moved a little in the right direction, but as the results of our survey and research indicate, they still have a long way to go before they can be considered having implemented comprehensive security measures.”
In lieu of uncovering and managing vendor security infrastructure, the survey found that many firms are moving to limit liability exposure, with 60% placing risk-shifting provisions into their third-party vendors' contracts. Kovalan believes that this may be due to lawyers' instinct “to focus on liability.” But, he added, “shifting liability doesn't ensure security.”

Beyond potentially unsafe vendors, other security risks of respondent law firms included implementing bring-your-own-device (BYOD) policies, which 81% of respondents noted their law firms had, despite only 65% believing such policies provide sufficient security.

*****
Ricci Dipshan writes for Legaltech News, an ALM sibling publication of this newsletter in which this article also appeared.

Law firms are increasingly confident in their cybersecurity capabilities, despite many falling short of adequate breach response preparation. This finding is according to ALM Intelligence's “Cybersecurity and Law Firms: Defeating Hackers, Winning Clients” report, a survey of 210 law firm respondents holding a variety of roles, including internal legal counsel, managing partner, chief technology officer and chief privacy officer.

The survey found that cybersecurity pressures are being acutely felt across the legal industry — 90% of respondents felt attacks against the industry were increasing, while 73% noted receiving pressure from their clients to shore up their cybersecurity defenses.

But far from being cowed by such responsibilities, 75% of respondents expressed confidence in their firms' abilities to withstand a security incident, an increase of 10% from 2015.

Response Plans

Given law firms' management of their incident response plans, it's not difficult to see why respondents are confident. Almost all (96%) of respondents said their firms train employees in response plan policies and procedures, while 80% said their firms' plans involve identifying regulatory bodies to notify should a breach occur. In addition, 75% said their firms partnered with data forensics experts to aid in their cybersecurity capabilities.

Still Unprepared?

Yet despite robust breach incident plans, firms' confidence in their cybersecurity abilities still belie evidence of breach unpreparedness and vulnerability. Only two-thirds of firms surveyed actually had an incident response plan in place, a 7% decrease from 2015. In addition, less than half of respondents said they tested their incident response plans, while only 6% of firms regularly audited third-party vendors' security protections. Fifty-four percent said they do not audit any vendors at all.

Steven Kovalan, senior legal analyst at ALM Intelligence and co-author of the report, noted that law firms' “confidence is misplaced. When considering the danger as a hypothetical, they respond with confidence. This is due to the fact that there is a greater understanding and awareness of threat.

“Firms have taken some concrete steps in the right direction. Unfortunately — though I'm generalizing here — that's all they've done,” he added. “They've moved a little in the right direction, but as the results of our survey and research indicate, they still have a long way to go before they can be considered having implemented comprehensive security measures.”
In lieu of uncovering and managing vendor security infrastructure, the survey found that many firms are moving to limit liability exposure, with 60% placing risk-shifting provisions into their third-party vendors' contracts. Kovalan believes that this may be due to lawyers' instinct “to focus on liability.” But, he added, “shifting liability doesn't ensure security.”

Beyond potentially unsafe vendors, other security risks of respondent law firms included implementing bring-your-own-device (BYOD) policies, which 81% of respondents noted their law firms had, despite only 65% believing such policies provide sufficient security.

*****
Ricci Dipshan writes for Legaltech News, an ALM sibling publication of this newsletter in which this article also appeared.