Even Lawyers Have to Worry About Cybersecurity: Best Practices from PLI Program
I recently participated in a PLI Program on Cybersecurity Best Practices for Legal Service Providers 2018. While the program was aimed at educating attorneys and professionals working in law firms, it highlighted an important area for all asset managers, broker-dealers and NFA registrants to start focusing on: the cybersecurity of their law firms.
Do not assume that the firm your lawyer works for has dotted their i’s or crossed their t’s when it comes to cybersecurity. Oftentimes, their focus has been on issues of attorney-client privilege and not on the nature of the data that they may have access to – or the weaknesses of their own systems in protecting client information.
Recent breaches at big firms like Cravath and Weil Gotshal have highlighted the fact that the same steps outside counsel may be directing a financial services firm to make are not being taken by the firms themselves.
Moreover, while lawyers are notorious for working 24/7, some circumvent the protected systems that their firms may have for the ease of emailing themselves documents to work on at home or even on vacation, via personal and less protected email accounts like Gmail or Yahoo.
We recommend that, as part of your ongoing vendor management, you go through the answers to the following questions with your law firm.
1. What is the nature of the firm’s cyber protections?
2. How often does the firm update its operating system?
3. What’s encrypted and how? This is a big deal – many firms assume that their systems are protected and are not aware that they need to take special measures to ensure that an email is encrypted when it leaves their office.
4. Do they use a password manager to set strong passwords – and how frequently are they changed?
5. Is there regular mandatory education about information security?
6. Are there protocols about working in public spaces like airports? A lawyer working on your business at an airport may be using public WiFi – which is not a secure connection – to connect to the Internet.
7. Do they have cybersecurity insurance coverage – and if so, with whom, what does it cover and how much is the coverage? It’s actually a lot cheaper than most firms think – and at a minimum, it can be a safeguard if information is subject to ransom.
8. What is the firm’s disaster recovery and incident response plan? In this day and age, everyone needs a BCP (business continuity plan) for what happens when the worst-case scenario occurs. And law firms, like other vendors, should be required to proactively and immediately tell their clients when a breach has occurred.
There are many, many more questions you could and should add to your vendor management due diligence. The important thing is that you start asking these questions of your key service providers to help decrease your cybersecurity risk.