Is cybersecurity risk an existential threat for Big Law? This was the topic of a panel discussion hosted by Mimesis Law.
In this discussion, the Global Co-Chairman of DLA Piper stated cybersecurity was not an existential threat to law firms, but definitely constituted a reputational threat. A partner at Troutman Sanders followed up that point by stating that 31 of the AmLaw 100 firms were ISO 27001 certified (and the number has grown since the statement was made).
7 Tips for Implementing Law Firm Cybersecurity Standards
Pivot Point Security has worked with 12 of the AmLaw 100, 13 of the Global 100 and 15 of the AmLaw 200 on ISO 27001 certification projects in order to mitigate the risk of security breaches. Based on our experience within the legal industry, here are some questions to ask around implementing an information security management system for ISO 27001 certification at your law firm:
- Context: Identify what information you need to secure to protect your law firm’s reputation. Is it just client information in the practice support systems (e.g., eDiscovery, extranets, file transfer systems, systems for IP matters and email)? Is it attorney work product in the DMS or mobile devices? Is it internal firm information for billing, human resources and talent management?
- Leadership: Ensure that firm leadership (e.g. managing partner, general counsel, management committee, etc.) establish a vision for cybersecurity. What commitments will they make to ensure the information that needs to be secured to protect the firm’s reputation will be managed accordingly? Is the vision for cybersecurity outlined in a formal policy? Has the firm leadership assigned roles and responsibilities to manage security compliance and report back to them on data security performance?
- Planning: Establish a plan to implement the firm leadership’s vision for cybersecurity. What are the information security risks and opportunities, e.g. preventing a security breach of client and firm data or increasing productivity with secure mobile and remote access? What are the leadership’s objectives for addressing risks and opportunities to protect the law firm’s reputation and create value? What security controls need to be implemented to achieve those objectives, e.g. penetration testing of Internet-facing practice support systems, closed security model for the DMS, mobile device encryption and asset management, endpoint security solutions, etc.?
- Support: Ensure the necessary resources, competencies, awareness, communication and documentation will be in place to support the information security plan. Does your firm have the necessary budget, people (e.g. staff, contractors, service providers, etc.), technology, time, training, security awareness among attorneys and staff, communication plan for partners and other stakeholders, and document management to implement the security controls required by leadership’s vision?
- Operation: Establish a project management process and control the execution of the plan by internal and external resources. What unanticipated changes are significant enough that require the security risks to be assessed and treated to ensure the plan stays on track?
- Performance evaluation: Establish metrics, an internal audit program and management review meetings to determine whether the information security controls were implemented and managed in line with leadership’s vision. What metrics are needed to measure the achievement of security objectives? Who should perform the internal audit of law firm cybersecurity? Do they have experience with law firms and legal technology? How often should leadership meet to review the management of the information security program?
- Improvement: Establish a corrective action and continual improvement process to address issues and findings identified by the information security metrics, internal audit and management review. These corrective actions and continual improvements should be added to the Firm’s technology roadmap.
To speak with experts who have a wide range of experience in the legal vertical about your law firm’s cybersecurity concerns and goals, contact Pivot Point Security.
For anyone attending ILTA LegalSEC next week, we look forward to seeing you there!