Pressure continues to mount on law firms to pay more attention to cybersecurity issues, for their own sake and for the sake of their clients. An additional level of pressure was levied by the American Bar Association when, on August 8, the ABA’s House of Delegates approved three new resolutions that squarely puts law firms on notice to do more to protect their information and technology systems. With the passage of Resolutions 608, 609, and 610, the ABA clearly articulated its desire for member law firms to devote more time, effort, and resources to assessing and addressing technology risks and threat mitigation.
Resolutions and Their Focus
While all three resolutions aim to increase efforts to improve cybersecurity practices, Resolution 609 is focused on law firms and how lawyers can more effectively protect their own firms as well as their clients. Resolutions 608 and 610 address lobbying activities and law school curriculum, respectively. These are critical steps toward making society a more secure place to live our digital lives, to be certain. However, these resolutions are a level of abstraction away from the day-to-day responsibilities of most lawyers. Resolution 608, on the other hand, goes directly to the heart of what all lawyers need to think more diligently about, according to the ABA.
Key Areas of Improvement
For anyone who has been fighting cybercrime and addressing threat actors over the past decade, Resolution 608 doesn’t cover any new ground. However, for an industry that has historically been slow to react to the growing cyber threat, the resolution does make a very clear call to action for law firms. The ABA succinctly points out six areas where it feels that lawyers can do better to fight the scourge of cyberattacks. Specifically, lawyers are urged to:
- Stay Informed about Emerging Technologies: Keep informed about new and emerging technologies and protect digital products, systems, and data (including Artificial Intelligence and Machine Learning) from unauthorized access, use, and modification.
- Enhance Cybersecurity and Protect Client Information: Enhance their cybersecurity and infrastructure to protect confidential client information and keep clients informed.
- Conduct Cybersecurity Due Diligence: Conduct cybersecurity due diligence regarding third-party and vendor products and services.
- Advise Clients on Cybersecurity: Advise clients on their legal duty to raise the level of their cybersecurity measures.
- Integrate Cybersecurity in Education and Training: Incorporate cybersecurity and emerging technologies into their education and training programs.
- Cultivate a Diverse and Technologically Competent Workforce: Enhance cybersecurity through a diverse and technologically competent workforce.
The Growing Threat Landscape
The ABA took the step of formally recognizing these important actions because it felt that current cybercrime statistics don’t capture the full extent of attacks against law firms, and more notably, ABA leadership felt that “most lawyers in larger firms remain unaware of the daily cyberattacks that threaten to undermine the data security measures intended to protect client and firm information.” Attacks against law firms have been rising steadily as threat actors have begun to realize the wealth of sensitive data that has been consolidated within law firms. The ABA noted that “The obvious conclusions are that law firms present attractive targets, many lawyers are unaware of the daily threats to their practice and their clients, and the sophistication and harm from these attacks are ever increasing.”
The Role of Leadership and Strategy
With the threat landscape continuing to evolve, the threat actors becoming more creative in their attack methodologies, and more information becoming digitized and stored online, the stakes have never been higher for law firms and lawyers to stand up to the threat. As was posted in previous blogs, It is important for the leadership of law firms to recognize the risks and pull in the right resources to identify strategies and mitigations that can properly protect firm assets and client confidentiality.
Cybersecurity Strategy Matters
Many people want to focus on tools first, assuming that buying technology will eliminate the threats. However, they miss the most important step to systemic improvement of cybersecurity hygiene – an effective cybersecurity strategy. While the ABA resolutions lay out what to do to improve overall information risk management, it misses the key points around how to best drive this change. That is where leadership and strategy must come into focus.
Consulting and Implementation
If the law firm does not have sufficient and competent leadership in the area of information and technology risk management, it must be willing to look outside the firm for help. In fact, the ABA encourages its members to bring in competent consultants or advisors when necessary. Once this leadership is identified, whether internal or external, the firm should take the following steps to meet the urging of the ABA:
- Select a Control Framework: Select a control framework that best fits the company’s objectives (e.g. NIST, CIS18, HITRUST, PCI-DSS, etc.).
- Risk Assessment: Perform a risk assessment against that control framework.
- Prioritize and Remediate: Prioritize the gaps and determine proper remediation steps.
- Budget and Implementation: Set a budget (typically 10-20% of IT spend) and fit the remediation roadmap within the budget.
Showing leadership in the area of information and technology risk, and then following the guidance of the ABA’s Resolution 609, will position law firms to better protect themselves and allow them to better meet the obligations that they have to their clients. Additionally, these steps will also improve the digital landscape overall, as we all work together to make life more difficult and less lucrative for the adversary. Kudos to the ABA for doing their part in leading the way. Now it’s up to the law firms to carry on the fight.