Law firms to form cybersecurity alliance
By Christine Simmons and Nell Gluckman, The Am Law Daily
As pressure to strengthen defenses against security breaches increases, at least five Am Law 100 and Magic Circle firms are working to form an alliance that would ultimately allow them to share information with each other about cyber threats and vulnerabilities.
The group includes Sullivan & Cromwell, Debevoise & Plimpton, Paul Weiss Rifkind Wharton & Garrison, Allen & Overy and Linklaters. It will be affiliated with the financial industry’s forum for cyber threat discussions, called the Financial Services Information Sharing and Analysis Center (FS-ISAC), according to Bill Nelson, CEO of FS-ISAC.
The goal of the law firm group linked to FS-ISAC, which was first reported by The New York Times, is to have a more focused method to share intelligence about cyber threats with other law firms and also to receive information from major financial institutions about possible threats.
“We strongly endorse the cooperation of law firms and financial institutions to promote better cybersecurity and recognize this is an important issue for the [financial and legal] industry,” says John Evangelakos, a partner at Sullivan & Cromwell who is co-head of the firm’s intellectual property group and also leads the firm’s internal data security group. Joining him in the effort is Peter Kaomea, Sullivan & Cromwell’s chief information officer.
A number of financial institutions have been working with law firms to make sure their sensitive information is protected. Bank clients pointed firms to FS-ISAC as a best practice in information sharing, and 12 law firms came to an FS-ISAC conference last year with an interest in joining, Nelson says.
Although Nelson notes that law firms are not eligible to be members of FS-ISAC, the new legal offshoot will be affiliated with it. FS-ISAC will provide firms in the group with resources and technical infrastructure to help them get off the ground. The firms will also be privy to some, but not all, of the information that is shared among financial services members of the FS-ISAC, Nelson says.
“It will be segregated data, but a lot of the data will be the same,” he says.
Once the group is fully operational, law firms can choose to share information anonymously, according to Nelson. They will receive and ultimately share technical details of cyber threats, such as a particular vulnerability in technical infrastructure or a phishing attempt, with the ultimate goal to anticipate and defend against cyberattacks.
“We’re looking at this as a framework for accessing actionable intelligence about the threats and vulnerabilities,” says Andreas Antoniou, chief information officer for Paul Weiss.
No information will be shared that could compromise client confidentiality, firm representatives insist. “We wouldn’t be doing anything that would jeopardize or create any risk to client confidentiality,” Evangelakos says.
The law firm group, which is expected to be operational in about 60 to 70 days, will be composed initially of about six to 12 law firms, but dozens will probably join shortly after, Nelson predicts. Annual membership fees for a firm will be less than $10,000, he says, adding that there could be a tiered price structure for smaller firms later on.
The firms in the group are working in collaboration with LegalSEC, a cybersecurity-focused component of the International Legal Technology Association. Most of the same law firms leading the effort in conjunction with FS-ISAC are part of LegalSEC.
Nelson says security breaches at law firms are not uncommon, with information on mergers and acquisitions, intellectual property and other sensitive privileged information vulnerable to attacks. “There’s a lot of corporate espionage going on,” where secrets are given to competitors for their economic advantage, he says.
In one example of a data breach, McKenna Long & Aldridge in February 2014 informed current and former employees of suspicious activity on servers belonging to one of its vendors. The firm said there was “malicious and unauthorized access” to names, addresses, wages, taxes and Social Security numbers, dates of birth and ages obtained through the user identification and password of an account administrator. The firm has since reset all passwords.
Martin Metz, chief information officer of Pillsbury Winthrop Shaw Pittman, acknowledged the difficulties in staying on top of security threats. “We already have sophisticated protections in place,” he said in a statement, “but because the risks and challenges keep changing, we have to continually adapt and respond. This will be an ongoing reality for all law firms.”
Indeed, as banks and financial services companies step up their coordination to guard against cyberattacks, state-sponsored hackers will naturally look for “back doors” and may find them through unwary law firms, observes Jim Walden, former co-chair of the white-collar practice at Gibson Dunn & Crutcher and now a partner at Walden Macht & Haran.
“It is not terribly difficult to identify the law firms who regularly represent these large institutions,” Walden says. “If law firms are not equipped and in an advanced state of readiness, their systems will be compromised and clients’ confidential and proprietary information will be stolen. Firms must fortify their systems or be prepared for the legal and reputational consequences of being that weak link.”
Shane McGee, chief privacy officer of the cybersecurity company FireEye, says his company has responded to dozens of law firm attacks and compromises.
“The law firms are a weak link that lead into the financial industry,” McGee says. “If you have a hardened environment, then attackers will go in through your affiliates.”
McGee, a lawyer who started his career at large law firms before becoming general counsel at cybersecurity firm Mandiant, which was acquired by FireEye in late 2013, says law firms face larger cultural barriers to investing in protections against cyber threats than their clients.
“Getting budget for these types of things is more difficult because you’re taking money directly out of the pockets of the partners,” he says.
Banks, on the other hand, have a more direct interest in protecting themselves against attacks, not only because they are subject to government scrutiny but because a breach can prove to be extremely costly and embarrassing.
Last summer, a computer breach at JP Morgan Chase resulted in compromised information for 76 million households and 7 million small businesses, making it the largest breach of an American bank to date, according to The New York Times. This happened despite the fact that JP Morgan spends $250 million a year to guard against security threats.
As for law firms, they should not dismiss cybersecurity warnings from clients, says Lisa Sotto, a cybersecurity expert and managing partner of Hunton & Williams’ New York office. “I do not think there’s an iota of exaggeration in the threat,” she says.
That’s not to say that up until now, law firms have been completely complacent when it comes to cybersecurity. Even before there was an organized effort to form a group to share information, firms had been informally exchanging cybersecurity tips for years. For instance, information security professionals from about 30 law firms, mostly in the Am Law 100, have been sharing digital security information since 2010 through an email distribution list, according to two law firm cybersecurity officials. Smaller groups for regional law firms also share information.
Nonetheless, Boris Segalis, the U.S. co-chair of Norton Rose Fulbright’s data protection and privacy practice, provides a word of caution about law firm information sharing. He says the benefits of a law firm sharing group would have to be weighed against the resources that would have to be devoted to keep an information sharing center secure.
He adds that the benefits of a law firm joining an information sharing group for the legal industry are not clear and wonders whether firms can gain that same information from existing resources such as data protection vendors, FBI reports and academic feeds.
“I’m not sure the potential benefit is worth the potential risk to confidentiality and privilege,” Segalis says.
For more on this story go to: http://www.americanlawyer.com/id=1202719660496/Law-Firms-to-Form-Cybersecurity-Alliance#ixzz3TWCBfOTv