Industry Vendors Exploited Via Industry-Wide Cyber Attacks

By Mark Sangster
September 02, 2017

The first recommendation I always make when it comes to protecting against the most common attacks, such as ransomware, is to back up your data and test your backups. That advice still holds, but it is important to recognize that while you can back up your data, you can't back up your brand.

Restoring IT assets is simple in comparison with re-establishing a tarnished or dented reputation. As Benjamin Franklin said: “It takes many good deeds to build a good reputation, and only one bad one to lose it.”

Sadly, much of the legal industry is still lulled into a false sense of security, assuming that it is immune to a significant IT outage and that the unfortunate firms hit by cybercriminals were somehow lacking in basic precautions. That's simply not true. Even Achilles had a weak spot.

Law firms, like any other homogeneous industry segment, depend upon a core set of infrastructure services. This technical foundation is considered as critical to the business as electricity or an Internet connection. When we flick the switch, we expect the lights to come on, and we trust the utility company to deliver an uninterrupted flow of power.

But when you flick a light switch, do you ever consider how the utility provider protects you from external risks? Most likely not. Why? Because we take electricity for granted, and we have come to rely on the services specific to legal practice with the same trust and dependence. Consider document management, billing or e-discovery services. Once a service is established, it acquires a level of implied trust, and we turn our suspicion and cynicism to newer services, like artificial intelligence-based systems.

So why does this matter? Ask DLA Piper, a global law firm whose operations were disrupted by NotPetya in June 2017. This is less about DLA Piper (which, by the way, was collateral damage rather than a chosen target) and more about the unwitting accomplice in the attack: MeDoc, a little-known Ukrainian vendor of accounting and tax software. The attackers infiltrated the company, weaponized its software updates, and then used MeDoc's own update infrastructure to distribute their malware to every customer that installed the next update.

Subsequent investigations alleged that the company's central update servers ran an outdated build of the ProFTPD file transfer server whose mod_copy module carried a known vulnerability (CVE-2015-3306). That flaw lets an unauthenticated client copy files on the server using the SITE CPFR and SITE CPTO commands, and public exploit code for it was readily available, so exploiting it required no special skill. The lesson is not specific to FTP: an Internet-facing update server is part of every customer's attack surface, and it needs the same patch discipline as the product it ships.
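The underlying weakness in the update chain described above is that whoever controls the distribution server controls what customers install. The following Go program is an added example, not code from the article or from MeDoc; it shows the mitigation a practitioner would ask a vendor about. The vendor signs each update on a release host that holds the private key, the customer pins only the public key, and the signature covers the product name, version and payload hash, so an attacker who owns just the update server can neither alter the binary nor re-serve an older, vulnerable build. The product name, payloads and version numbers are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a vendor software update. The
// signature covers the product name, the version and a hash of the payload.
type UpdatePackage struct {
	Product string
	Version uint32
	Payload []byte
	Sig     []byte // detached Ed25519 signature over signingInput(...)
}

var (
	ErrBadSignature = errors.New("signature invalid: package tampered with or not signed by the vendor key")
	ErrWrongProduct = errors.New("package is for a different product")
	ErrRollback     = errors.New("package version is not newer than the installed version")
)

// signingInput binds the metadata and the payload hash into one byte string.
// The product name is length-prefixed so the encoding is unambiguous.
func signingInput(product string, version uint32, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	var n, v [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(product)))
	binary.BigEndian.PutUint32(v[:], version)
	msg := make([]byte, 0, 8+len(product)+len(sum))
	msg = append(msg, n[:]...)
	msg = append(msg, product...)
	msg = append(msg, v[:]...)
	msg = append(msg, sum[:]...)
	return msg
}

// SignUpdate runs on the vendor's release host, which holds the private key
// and is kept separate from the Internet-facing update server.
func SignUpdate(priv ed25519.PrivateKey, product string, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Product: product,
		Version: version,
		Payload: payload,
		Sig:     ed25519.Sign(priv, signingInput(product, version, payload)),
	}
}

// VerifyUpdate runs on the customer's machine, which has only the vendor's
// public key pinned. Nothing in the package is trusted until the signature
// checks out; the product and rollback checks come after that.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage, product string, installed uint32) error {
	if !ed25519.Verify(pub, signingInput(pkg.Product, pkg.Version, pkg.Payload), pkg.Sig) {
		return ErrBadSignature
	}
	if pkg.Product != product {
		return ErrWrongProduct
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Vendor key pair; in practice the private half never touches the update server.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const product = "acme-accounting" // hypothetical product name
	genuine := SignUpdate(priv, product, 2, []byte("constructed: genuine update payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine, product, 1))

	// An attacker on the update server swaps the payload but cannot re-sign it.
	tampered := genuine
	tampered.Payload = []byte("constructed: payload with malware appended")
	fmt.Println("tampered payload:", VerifyUpdate(pub, tampered, product, 1))

	// An attacker signs with their own key; the client's pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignUpdate(attackerPriv, product, 3, []byte("constructed: attacker build"))
	fmt.Println("attacker-signed build:", VerifyUpdate(pub, forged, product, 1))

	// An attacker re-serves a genuinely signed but older build to reopen a patched hole.
	fmt.Println("rollback on a client already at v2:", VerifyUpdate(pub, genuine, product, 2))
}
```

The caveat that matters for vendor due diligence: signatures only help if the signing key is not on the machine the attacker reached. If the release host or the build pipeline itself is compromised, a malicious update will carry a valid signature, which is why where the key is stored, who can use it, and whether builds are reproducible are proper questions to put to a vendor, not implementation details to be taken on trust.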

This scenario represents an industry-wide risk. Criminals understand economies of scale and borrow the best practices of Fortune 500 companies: they improve efficiency to reduce costs, increase revenue and improve profits. Criminals are targeting law firms. And what better way to scale than to compromise a trusted industry vendor and use that unwitting accomplice to attack multiple law firms at once? That's what happened with MeDoc.

Industry-specific attacks are not new. In 2014, hedge funds and other financial firms were targeted by a low-and-slow campaign that spread through targeted phishing. Once one fund was compromised, its email accounts were used to phish the next fund, and so on down the line until multiple funds had been compromised. Although the campaign was detected and stopped before any negative consequences occurred (or were discovered), what came to be known as FIN4 shook the Securities and Exchange Commission (SEC): a systemic attack that laid the foundation for industry-wide market manipulation.

More recently, the hedge fund Tillage Commodities Fund filed suit against its fund administrator, SS&C Technologies, after SS&C allegedly transferred almost $6 million to cybercriminals in response to fraudulent redemption requests.

Did MeDoc's clients take security for granted and treat their core service provider as a trusted business partner? Consider your own reliance on established services such as document management, billing or e-discovery. Are you trusting blindly? In the event of a cyber incident, could you answer the following questions?

  1. Can you demonstrate that you identified risks associated with your third-party services?
  2. Can you demonstrate that you conducted due diligence to ensure the third-party company has established cybersecurity measures that meet your business requirements (not theirs)?
  3. Can you demonstrate that you established: a) cybersecurity requirements in the contract; and b) the vendor's obligations, coverage and payments in the event of a cybersecurity incident?

Identifying Risks and Conducting Due Diligence

The American Bar Association's Cybersecurity Handbook provides guidelines you can use to conduct vendor risk assessments, covering:

  • Physical and virtual access controls;
  • User privileges;
  • Cyber policies and procedures;
  • Back-up protocols (i.e., business continuity and disaster recovery); and
  • Periodic risk and compliance testing.

The handbook also provides measures for clearly outlining the vendor's responsibilities in the event of a cybersecurity incident, including reporting, public disclosure and making affected parties whole.

You can also leverage SSAE attestation reports (SSAE 16, superseded by SSAE 18 in 2017), which set the standard under which an independent auditor examines the security policies, procedures and operations of your third-party vendor. Be precise about which Service Organization Controls (SOC) report you ask for. A SOC 1 report covers controls relevant to financial reporting; a SOC 2 report covers controls measured against the Trust Services Principles of security, availability, processing integrity, confidentiality and privacy, which is what matters for a vendor holding client data. Within either, a Type I report only describes whether the controls were suitably designed at a point in time, while a Type II report tests whether they actually operated effectively over a review period (typically six to twelve months). Ask for the SOC 2 Type II, read the scope and the exceptions, and remember that the report is an auditor's opinion, not a certification.

Establishing Contractual Obligations

There are no industry standards when it comes to contractual obligations as they relate to cybersecurity; however, a contract with a third-party vendor should:

  1. Establish fundamental security standards;
  2. Set penalties for failure to meet security standards; and
  3. Define incident response actions in the event of a breach.

In New York, the Department of Financial Services has issued its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which took effect in March 2017. Whether or not your firm does business with the New York financial institutions it governs, the third-party service provider requirements in section 500.11 provide a reasonable framework for contracts.

The first component covers the notification obligations that arise from a third-party cybersecurity event directly affecting the non-public information or information systems of a law firm. Two things need to be defined: what constitutes an event, and what the timing expectations are for reporting one.

I highly recommend defining an event broadly, as any cyber activity that leads to an intentional or unintentional violation of security policy, whether or not it results in unauthorized access to privileged or non-public information. Once a breach has occurred, almost every state has notification laws that govern reporting to clients or consumers. There is no standard for notification timing in legal services, but other regimes offer a benchmark: 23 NYCRR 500 itself requires covered entities to notify DFS within 72 hours of determining that a cybersecurity event has occurred, whereas the HIPAA breach notification rule in healthcare allows up to 60 days. For a vendor contract, a window measured in hours from detection, not days from the vendor's own internal conclusion, is the practical target.

The second component covers representations and warranties addressing the provider's cybersecurity policies and procedures as they relate to the security of the firm's information systems or non-public information. Here, consider rebates, waived fees and refunds to cover service fees, but also consider who bears the cost of the breach investigation and of notifying your clients.

While this is good practice, remember that such terms only indemnify your firm against incident costs; they in no way protect your reputation from damage. No amount of warranties or insurance can provide that coverage.

*****
Mark Sangster
is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA) and is a member of the Board of Editors of this newsletter. He can be reached at [email protected].
