Big banks are demanding that their law firms do more to protect sensitive information to ensure that they don’t become back doors for hackers.
Once given special status as trusted third parties, lawyers, particularly those who get access to sensitive bank information, now are more likely to get full background checks. The number of compliance checklists for law-firm technology systems and security procedures has ballooned. And law firms big and small increasingly are getting on-site audits to check who has access to documents and office servers.
A spate of cyberattacks has sharpened financial institutions’ focus on security when dealing with outside law firms, said Varun Mehta, a vice president at Clutch Group LLC, a legal and compliance consulting firm that works with global banks. “Every bank has changed from a year ago,” he said.
J.P. Morgan Chase & Co., Morgan Stanley, Bank of America Corp. and UBS AG subjected outside lawyers to greater scrutiny even before financial institutions were victims of cyberattacks this summer, people familiar with the matter said.
The demands come as financial regulators are paying more attention to third-party vendors. Benjamin Lawsky, the superintendent of New York state’s Department of Financial Services, last week sent a letter to dozens of banks requesting information on security risks relating to law firms, accounting firms and other third parties.
Law firms “can have access to a very large volume of sensitive data on a recurring basis and that makes them a point of vulnerability,” Mr. Lawsky said.
A data breach this summer at J.P. Morgan, which compromised contact information for about 76 million households, highlighted financial institutions’ vulnerability to cybersecurity attacks. That incursion isn’t believed to have originated with a third-party vendor, however.
Big law firms with financial-institution clients were already subject to some security requirements, such as limiting access to certain documents or having policies in place to guard against cyberattacks. But like government contractors or retail payment-system providers, law firms increasingly are seen as potential weak links. Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.
Law firms now are being asked to have their own vendor-security programs, to prevent data from leaking out through third-party contractors the lawyers hire, such as word-processing firms or print shops.
“It’s a lot more than just checking a box,” said Lorey Hoffman, chief information officer at law firm Goodwin Procter LLP. “I walk through our data centers into the [server] cage with examiners” sent by clients. The firm also enlists outside auditors to test its defenses and runs internal checks of system strengths and weaknesses.
Such programs don’t come cheap. Banks generally foot the bill for their on-site audits of law firms. But the firms must invest in technology and software upgrades. Another cost: hiring staff to maintain systems and train lawyers and employees on minimizing risk.
Reliable and consistent data on law-firm data breaches don’t exist, so it is hard to say how frequently hackers target law firms. But 14% of respondents to an American Bar Association technology survey said their firms had experienced some type of security breach or theft this year. Just 1% said it resulted in unauthorized access to sensitive client data.
“Our external-facing Internet sites are probably getting hit 400 to 500 times a week” by third-party bots or denial-of-service attacks, Mr. Hoffman said. “That kind of activity is the new normal and it’s hitting everybody.”
Such attempts are common enough that the CBS television show “The Good Wife” this month included a story line in which a hacker used an email phishing scam to seize control of files at the title character’s law firm.
Some firms instruct attorneys not to open documents sent via email unless they are in a secure environment—in the office, or using a firm laptop on an encrypted line. For particularly sensitive matters, firms might restrict work to stand-alone computers that don’t connect to the Internet, said Mary E. Galligan, a Federal Bureau of Investigation veteran who now is a director of cyberrisk services at consulting and accounting firm Deloitte & Touche LLP.
Mobile devices are a particular focus. Many firms can wipe data from smartphones and laptops that are lost or stolen, and most firms install some level of encryption.
Law firm Davis Polk & Wardwell LLP in recent weeks added a new precaution: Lawyers must have a special application installed on their smartphones to open attachments sent to their firm addresses.
Hedge funds, private-equity funds, technology startups and manufacturers also are asking more questions about security, said Jim Darsigny, chief information officer at law firm Brown Rudnick LLP.
“The skills to hack into a data network are not easy to come by,” Mr. Darsigny said. “But it doesn’t take a genius to walk into an unsecured office and walk out with printed information, or a laptop. There is always a way in.”
Write to Jennifer Smith at email@example.com and Emily Glazer at firstname.lastname@example.org