What you need to know to survive a cyberaudit.
By Sharon D. Nelson and John W. Simek
Three years ago, there was a collective gasp heard ’round the country the day the press reported that Bank of America Merrill Lynch was auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators. Then-Assistant General Counsel Richard M. Borden stated that Bank of America is “one of the largest targets in the world” for cyberattacks, that law firms are “considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information,” and regulators are paying close attention.
The prophecy that law firms would be forced to confront their data security shortcomings has come true. Clients, along with regulators, want assurances that law firm data is being adequately protected. Information security audits, more politely termed “assessments,” are regular occurrences at many law firms. The requests for the evaluations come not only from clients, but also from insurance companies—they want to know what they are getting into first.
Pay Now or Pay Later
This move was inevitable. We are hoarse from explaining that either law firms get serious about guarding their client data and spend the money to do so or they will pay later when a data breach causes them to hire digital forensics experts to investigate the situation, incur the costs of remediating the vulnerabilities, and work with an outside lawyer to advise them of their legal responsibilities, including complying with state data breach notification laws (47 states have such laws).
Today, clients want to see if security policies and plans are being followed. They want independent third-party audits, sometimes including penetration testing, which involves an attempt to exploit a system’s vulnerabilities in order to identify them. As clients wake up to the potential cybersecurity risks facing law firms, they are demanding more—and it is clear that clients are leaving firms that don’t meet their security expectations. According to Am Law 200, in 2015, firms reported spending an average of 1.9 percent of gross revenues on cybersecurity, which can amount to as much as $7 million a year. That is an extraordinary change, to say the least.
Surviving a Cyberaudit
So how do you survive a cybersecurity audit? Here are some tips:
1. Be prepared for everything (and to tell the truth).
2. Review your ethical responsibilities (better now than when you are before a disciplinary board).
3. Make sure you have a diagram showing where all your data is.
4. Be especially careful about third parties holding your data—you may need to audit them! At the very least, you need to understand their security precautions and procedures.
5. Do an annual review of all policies and plans that impact data security, such as business continuity, disaster recovery, and physical security plans and password, encryption, and data access policies, and update them as needed.
6. Get an independent third-party security company to provide you with a full-blown assessment, which carries more weight. Do this annually. As a bonus, you may get a discount from your insurer on your premiums.
7. Consider whether you need penetration testing—actual attempts by experts to breach your network. This may be overkill for a small firm but certainly not for a large one.
8. Be prepared—make sure you have cyberinsurance that will protect you fully in the event of a data breach. Most policies will not, and coverage requires a specific rider.
9. Stop kowtowing to the demands of lawyers who favor a BYOD (bring your own device) or BYON (bring your own network) policy. Law firm business should be conducted only on devices issued by the law firm—and no personal business should be allowed on those devices. This will be a key measure valued by clients and regulators.
10. Make sure lawyers use encryption where needed. If a cloud provider (e.g., Dropbox) has a master decrypt key, encrypt any sensitive data before depositing it there.
11. Install hardware and software that perform real-time intrusion detection. If you are a smaller firm that can’t afford this, make sure you enable logging so there will be a trail to follow.
12. Conduct mandatory security training to keep employees advised of new security threats and to underscore the need for vigilance, including being watchful for suspicious emails, texts, hyperlinks, and social-engineering ploys. Do this twice a year.
13. Document all your security measures so you can produce that documentation as part of an audit.
14. Don’t self-audit, even if you are allowed to. The human tendency is to cut corners or say, “I think so,” which translates to “yes” in the audit when you are not really sure that’s the full or correct answer.
15. Ensure your audit committee—if your firm is large enough to have one—is made up of players from IT, compliance, management, and security. It is important to get buy-in across the board.
The time to get started on all this is yesterday.
SHARON D. NELSON and JOHN W. SIMEK are the president and vice president at Sensei Enterprises Inc., a legal technology, information security, and digital forensics firm based in Fairfax, Virginia. They can be reached at (703) 359-0700 or email@example.com.