Rx for Law Firm Cyberthreats: Planning, Training, and Vendor Due Diligence

We’re all familiar with the adage that, for businesses, the question is not “if” but “when” a data breach or ransomware attack will occur. The odds of a cyberattack aren’t as high as death and taxes but they’re approaching a comparable level of certainty. Or so it seems.

Cyberattacks today are endemic. News publisher Cybersecurity Ventures estimates that a cyberattack occurs every 44 seconds. Over 88% of businesses suffer a cyberattack each year, according to Proofpoint, a cybersecurity services provider.

But businesses and law firms are not helpless in the face of cybersecurity threats. Whether it’s training employees or conducting due diligence with technology vendors, or even purchasing cyberinsurance, there is a lot that can be done to prevent and mitigate harms from bad actors online.

According to the experts, it all begins with planning.

Organizations that currently lack cyber-incident response plans should formulate them as soon as possible. At least once a year, organizations should conduct “fire drill” sessions to practice carrying out their response plans.

These legal experts also recommended that organizations make new investments in secure technologies, train employees to spot suspicious activity, and work with key vendors to obtain assurances about the quality of their cybersecurity measures. However, they said, the most important measure an organization can take is to plan for trouble and be ready to carry out the plan when the cyberattack inevitably occurs.

It’s Dangerous Out There

Business email compromise schemes are far and away the most damaging type of cybercrime, racking up over $43 billion in losses from June 2016 to December 2021, according to statistics recently published by the Federal Bureau of Investigation’s Internet Crime Complaint Center. Business email attacks caused 37% of all losses in 2020. For comparison, ransomware attacks amounted to just 1% of cybercrime losses that same year.

Earlier this month, the U.S. Attorney’s Office for the Southern District of New York announced the successful prosecution against perpetrators of a business email compromise scheme that led a hedge fund employee to unwittingly wire $1.7 million to an international fraud ring.

Within the legal profession, rising awareness of cybersecurity issues is being driven by the heightened appreciation that lawyers have an ethical duty to possess technological competence and by cyberinsurance providers who are insisting that law firms and their information technology vendors have their business-critical technologies in order. Forty states now require lawyers to possess a reasonable level of competence regarding the use of technology in their law practices.

As we’ve noted before, law firms are tempting targets for fraudsters. Phishing emails and schemes to intercept payments in real estate transactions are two leading types of cybercrime faced by law firms.

Cheryl M. Burtzel, an attorney with Haynes and Boone in Austin, Texas, remarked that lawyers have received email messages from fraudsters that seek copies of invoices or invite the law firm to participate in fictitious RFPs for legal services.

Lawyers involved in real estate transactions have encountered wire transfer scams that occur when a fraudster successfully compromises a title insurance company’s or lender’s email system. Taking advantage of increasingly virtual real estate transactions, fraudsters pose as legitimate participants in real estate closings, enticing purchasers to misdirect funds to accounts under their control.

Ransomware has become so prevalent that even the technologically illiterate can purchase it off the shelf. According to Dan Menicucci, a top security advisor at Microsoft Corp., it’s possible for anyone to purchase a ransomware toolkit for as little as $66.

Menicucci said that the dangers of ransomware, along with other cybersecurity woes, have increased in the new digital workplace that relies on cloud services, smartphones and remote work arrangements. He surmised that some companies might have “over-pivoted” to digital: they shored up cyber-defenses against outside intruders but left internal information processes unprotected, and those processes were exposed once workers began working remotely.

Prescriptions to Fight Cybercrime

Probably the most important measures that organizations and law firms can adopt are steps – after the incident response plan is considered and drafted – to ensure that the plan is actually carried out when a cyber-incident occurs. As boxer Mike Tyson reportedly said, “Everyone has a plan, until they get punched in the mouth.”

Be Sure to Practice Plan Implementation

All of the ABA panelists urged organizations to practice carrying out their incident response plans. Organizations should conduct exercises that, in effect, pretend that a cyberattack is occurring. Do they know which types of incidents trigger the incident response plan? Does everyone know what their role is? Do they know whom to contact?

“Building muscle memory around resilience is critical,” Menicucci commented. “It’s really important to ingrain that within the organization, so the response comes naturally.”

Train Employees to Escalate Issues

Cybersecurity training involves not only training on how to prevent cyberattacks (e.g., recognizing phishing attacks) but also training on how to respond to cyberattacks, or even to conditions that might lead to cyberattacks in the future.

Jason Esteves, Vice President, Legal at Equifax Inc., said that his company’s incident response plan seeks to create a “security first” culture through annual and quarterly training sessions.

One key issue to pay attention to is escalation of security information from lower-level employees up the chain of command – including members of the board. Esteves said that escalation was a point of emphasis with regulators.

“It’s incredibly important not to sit on information that may ultimately result in a breach,” he said. “Because if you sit on it too long there’s all kinds of issues you can run into from regulators and in litigation. Having that escalation path is incredibly important – as is including the board in the escalation pathway.”

In fact, the Securities and Exchange Commission singled out alleged “deficient disclosure controls” in a 2021 enforcement action against First Financial Corp., a real estate settlement services company. First Financial publicly exposed sensitive customer information due to a security vulnerability. Its board acted promptly when informed of the vulnerability, but board members had been kept in the dark by lower-level employees for several months.

Conduct Thoughtful Due Diligence With Vendors

Information technology is pervasive in modern business operations, which means that technology vendors frequently present cybersecurity risks that must be addressed. For this reason, a vendor’s business survival is often contingent on having information security audits and security certifications. (Esquire is frequently asked to attest to its information security practices and provide evidence of certifications such as the American Institute of Certified Public Accountants’ Service Organization Control (SOC) certification.)

Menicucci said that Microsoft holds over 100 certifications in order to meet the demands of its users, which are, of course, spread out over numerous industries around the world.

It’s important for organizations to remember that cybersecurity threats are always changing: technology changes and cyberthreats change as well.

Burtzel cautioned organizations to focus on their overarching needs – not on a particular technology or service level demand – when dealing with vendors. Organizations should regularly take inventory of their vendor contracts and seek security assurances and certifications that are commensurate with the importance of the business purpose being advanced by the technology. Organizations should be much more demanding with vendors that handle payments or other sensitive information than they would be with, for example, an office supply company.

Ted Claypoole, a cybersecurity expert and partner at Womble Bond Dickinson, said that when the data handled by a vendor is highly sensitive or mission-critical, he sends a technology expert to the vendor’s premises to make a thorough inquiry.

Show Customers You Care

When a breach occurs, customers and clients want to know that the organization cares about protecting their interests and will remediate the problem as efficiently as possible.

Claypoole said the key consideration after a breach occurs is “competence.”

“Your customers know that you can be breached, that any of us can be breached,” Claypoole said. “What they want to know is that you care what happens to their data and that you have the competence to get on top of it, that you message them the right way, and that it’s all covered in the right way.”

Esteves remarked that hiring outside assistance can be part of showing clients and customers that the organization cares about the consequences of a data breach. For small organizations, hiring forensic experts and outside law firms soon after a breach occurs can be effective. “Trying to navigate on your own, with a small team, can prolong the crisis,” he said.