The Wall Street Journal recently reported that two Am Law 100 firms, Cravath and Weil Gotshal, were the victims of a data breach last summer. These two prestigious firms serve clients ranging from Wall Street banks to Fortune 500 companies, and they hold hyper-sensitive data such as merger negotiations and litigation strategy. While investigations are still underway and only limited information is public, the hackers' motive is believed to have been insider trading.
This is not another case of a ransomware attack, where files are encrypted and held hostage for payment. Those types of breaches are far more common and, at least where the attackers do not also exfiltrate the data, less damaging, because the hackers' priority is the payout, not the data itself. In this case, the sophistication of the end objective has moved up significantly: the criminals deliberately targeted specific information, and it appears they were at least partially successful. This is not the first time data is believed to have been stolen for insider trading, but it has certainly raised the stakes and called into question the adequacy of the status quo security controls at law firms.
When a data breach occurs at this level of sophistication and for a purpose as unlawful as insider trading, it makes me uneasy, as I expect it does you, because oftentimes the breach could have been prevented. To be fair, I do not have any knowledge of the security controls that were in place at the time of the attacks, but it is no surprise that the legal industry as a whole lags when it comes to information security. Legal has not adopted the same level of security controls as many of the industries it serves, such as financial services. I'm intimately familiar with the rigid security controls in the financial space because I served 10 years at Bank of America auditing and evaluating the effectiveness of the control environment. While banks use mature GRC platforms such as Archer to document their control environment, many law firms are still using tools such as Excel and Evernote.
Just this past year, in the ILTA Technology Purchasing Survey, security management finally ranked number one as the top challenge among legal IT professionals; until then, email management had held the top position. LegalSEC is only three years old, and this security-focused conference draws just a few hundred attendees, a very small percentage of the security-focused professionals in the legal ecosystem. Security is not just the responsibility of IT; the onus also falls on departments such as Finance and Human Resources, which handle sensitive data as well. Matthew Karlyn, Partner in the Technology Transactions and Outsourcing Practice at Foley & Lardner, recently addressed this very issue during a CIO Perspectives keynote, where he made the case that security needs to be everyone's business, not just IT's.
Legal is headed in the right direction when it comes to security, but I would argue it is moving there WAY too slowly. When I discuss with legal IT professionals the new GRC platforms being leveraged in other industries, the interest is high but the available budget is low. This has to change. Firms have to see the big picture and treat the people, processes and systems that support risk management not as an expense but as an investment. The cost of deploying these assets will look very small next to the cost of ending up in the Wall Street Journal.
What are your thoughts? Do you agree? Disagree? Aside from lack of budget, what other challenges have prevented your firm from implementing proper and effective security controls?