Managing Partners Forum

I look forward to this Conference every year. It really helps me to be a more effective firm leader.

Jason P. Waguespack, Esq.
Galloway Johnson Tompkins Burr & Smith - New Orleans, LA

Leadership

Contact Us

Why Managing Partners
“Own” Law Firm Cyber Security
and Three Steps to Take Control Now 

Judy Selby & Deena Coffman

 

If a country is attacked, the president is called upon to respond on behalf of the nation. If a crime wave breaks out in a city, the city’s mayor is on the hot seat. The secretary of defense and police chief will dutifully stand behind the chief executive at every press conference, but the buck stops with the person in charge. The same dynamic applies when it comes to law firms and the oversight of cybersecurity. As the leader who sets the firm’s priorities and controls spending and hiring, the Managing Partner should take the helm as the true “owner” of a firm’s cybersecurity.


Why is Cybersecurity Not an IT Problem?

Unfortunately, too many Managing Partners think of cybersecurity as an IT issue. That might have been true 20 years ago, when implementing anti-virus and firewall protections may have constituted reasonable information security. But reasonable security today demands a firm-wide approach, a shift in firm priorities and new expenditures to address the continually evolving cyber threat.

Moreover, even state-of-the-art network technologies are insufficient to address today’s multi-faceted cyber threats on their own. Perimeter defenses can be challenged by today’s sophisticated cyber criminals as well as by the demands of mobile attorneys who expect constant remote access to the firm’s network from a variety of devices. One click on a phishing email or an attorney’s use of airport WIFI can neutralize even well-designed, properly implemented technology defenses. Further, a perimeter defense provides no protection against misappropriated passwords, non-compliant and malicious employees, and the failure to implement effective training programs. To use an analogy, a strong lock on the front door might prevent a break-in, but it can’t protect the building if the thief is already inside or can trick someone into opening the door. The lock is not abandoned, but it cannot be viewed as the only measure necessary to secure the building.

Law firms are facing an ever-evolving variety of cyber risks, requiring a broad-based approach that exceeds the reach and capabilities of the IT department. These firm-wide cyber risks demand firm-wide solutions that can be implemented only by top management.


Why is Cybersecurity a Managing Partner Problem?

Like all other issues affecting the management of the law firm as a whole, responsibility for cybersecurity should fall squarely within the purview of the Managing Partner. The Managing Partner is in the best position to set the tone for the firm and demand that cybersecurity become a priority for all firm employees — including those hard-to-manage senior partners.

The Managing Partner also has the “power of the purse” and can direct sufficient resources to fund reasonable security measures based on the firm’s unique cyber-risk profile. Unlike any individual department head, the Managing Partner has the authority to establish firm-wide policies and procedures, and to mandate compliance. The Managing Partner also is uniquely empowered to hire appropriate security-related personnel, assist in the procurement of cyber-insurance and oversee incident response planning. And most certainly, in the wake of a cybersecurity incident, the angry calls from clients, the press, law enforcement and regulators will be directed to the Managing Partner, and not to the “IT guy.”


Recommended First Steps

The following are initial steps a Managing Partner can take to begin to prioritize cybersecurity and implement reasonable solutions:

Commission a Third-Party Assessment
A neutral party can benchmark the firm against industry standards and practices and provide a prioritized list of recommended actions. The recommendations can then be evaluated against the firm’s risk profile and budget to develop the action plan for the next six and 12 months.

Develop a Security Event Response Plan
A data breach can occur in any department across the firm, and the early warning signs can be spotted by any employee. An incident response plan contained solely within the IT group misses the rest of the firm. But a plan that engages the firm as a whole and considers all exposure points, even those outside of the IT department, is far more effective in preventing, identifying, reporting and containing a security event. A firm that does not have a current, recently tested incident response plan needs one immediately. Developing or updating this plan can provide a useful mechanism for the various department heads to collaborate with each other and the Managing Partner.

Review Security and Privacy Training
New threats constantly emerge, and standards for prevention and detection should mature accordingly. As this occurs, training materials should be refreshed so that employees can properly protect the firm’s information and use the most secure workflows. The Managing Partner will also want to review the training program to ensure it is not an online, “click-through-the-slides-once-a-year-and-check-the-box-that-you-met-the-requirements” type of training. Effective cyber-training is delivered point-in-time, periodically throughout the year, and is tailored to the job function of the employee receiving the information.


Final Thoughts

Although the IT department has an important role to play in protecting data within the control of the law firm, an active and engaged Managing Partner is vital to tackling a law firm’s cybersecurity issues in this environment. By setting the right tone and making smart investments, the Managing Partner can ensure that cybersecurity is recognized as a key firm priority and integral to success in today’s legal marketplace.



                                                              # # #


About the Authors
 

Judy Selby is a Managing Director in BDO Consulting’s Technology Advisory Services practice, having more than 20 years of experience in insurance and technology. Known as “one of the premier voices in legal technology” by Legaltech News, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. Judy can be reached at jselby@bdo.com.


Deena Coffman is a Managing Director in BDO Consulting’s Technology Advisory Services practice. She has more than 20 years of experience in information security, operations, strategic planning and risk management. Deena has held technology leadership roles involving technology infrastructure, cybersecurity, data privacy, compliance and eDiscovery.  Deena can be reached at dcoffman@bdo.com.