Since the American Institute of Certified Professional Accountants (AICPA) issued guidance relating to a cybersecurity risk management reporting framework, many service industries have considered adopting this new framework as a key component to their risk management program. More specifically, law firms and other professional services organizations have considered implementing this framework as they look to improve their cybersecurity safeguards and other key controls to combat the increasing threat of data breaches that have plagued society in today’s technological age.
The new System and Organization Controls (SOC) for Cybersecurity guidance provides a common language for organizations to use in describing the effectiveness of their cybersecurity risk management program. Put simply, it establishes baseline standards that allow auditors to confirm independently that an organization’s cybersecurity preparedness meets acceptable guidelines. Such attestation represents a new opportunity for gaining assurance about cybersecurity, and it is not without cost. So why is it important, and to whom?
Many senior leaders and board members worry about the effectiveness of their law firm’s cybersecurity measures and want independent verification to obtain assurance. The potential for significant financial and reputational harm outweighs the effort and cost of achieving greater confidence.
However, external stakeholders will likely drive the majority of initial interest in cybersecurity risk management reporting via the new SOC for Cybersecurity guidance. Those seeking to minimize risk – clients, prospective clients, lenders, investors and analysts, merger and acquisition (M&A) attorneys and advisors, insurance providers and regulators – may see an immediate benefit by obtaining a SOC for Cybersecurity report as part of their due diligence.
With clients requesting additional assurances about the overall security of their data, law firms find themselves having to respond to such requests more and more frequently. This places an additional burden on IT and the other supporting departments needed to fulfill them. Large firms may be able to absorb the added resources and costs associated with each client request; small and midsize firms, however, will suffer the most, as they may lack the capacity or time to fulfill these requests completely without letting other areas and responsibilities suffer.
The SOC for Cybersecurity report is designed so that a law firm can distribute a single objective, independent report on its cybersecurity controls and safeguards, reducing both the cost of compliance and the additional burden on its supporting team members.
Organizations that fail to prepare adequately for cybersecurity breaches expose themselves to substantial risks. Most cybersecurity experts agree that a breach is not a matter of “if,” but a matter of “when.” According to the American Bar Association’s 2017 Legal Technology Survey Report, 35 percent of firms with 10-49 attorneys reported experiencing a security-related breach, and 23 percent of large firms with more than 500 attorneys also reported that they had experienced a breach. On the other hand, 56 percent of overall respondents reported that their firm had not experienced a security-related breach. [1] One could argue – quite reasonably, given the months and years it can take to recognize a breach – that the 56 percent simply don’t know it yet.
Broadly speaking, the risk posed by cybersecurity breaches takes on three key forms:
The AICPA’s SOC for Cybersecurity guidance provides an important tool for defining the increasingly valuable role of providing controls assurance for effective cybersecurity. Practically speaking, the guidance helps organizations understand what they should have in place to evaluate their cybersecurity controls.
The guidance lays out nine categories to describe and assess a firm’s cybersecurity framework. These include:
Within each of the nine categories, the final guidance presents 26 related points of focus to help explain relevant aspects of an organization’s cybersecurity risk management program.
There are significant cybersecurity risks that can impact law firms of varying sizes, and the need for clients to be able to safeguard their sensitive and confidential information is paramount. What good is it to use disclosure restrictions on attorney-client documents if your firm experiences a breach? You might as well use the designation “attorneys’ and hackers’ eyes only” instead.
The Mossack Fonseca law firm breach taught a number of lessons about safeguarding a firm’s environment and sensitive client information. The biggest failure at Mossack Fonseca was due in part to an outdated version of Outlook Web Access (OWA) email and a client access portal that still supported an obsolete and insecure security protocol (SSL v2). [5] Both OWA email systems and client portals are common methods of transmitting client information and other sensitive data. It is exactly these types of technologies that would fall within the scope of any SOC for Cybersecurity examination.
For example, a SOC 2® report can enable firms to report on the security processes designed to protect their clients’ data. SOC 2® reports enable clients and other user entities to assess the security of their attorneys’ client-facing systems and their ability to mitigate technical risks. SOC for Cybersecurity reporting, on the other hand, addresses enterprise-wide security and the organization’s ability to mitigate business risk.
Cybersecurity risk management reporting also strengthens governance approaches as outlined in the Director’s Handbook on Cyber-Risk Oversight by the National Association of Corporate Directors (NACD). The handbook lays out five principles for board-level oversight. These include understanding the risks, recruiting board-level expertise, hiring the right people, investing in solutions and understanding how to mitigate risk. Cybersecurity risk management reporting builds on these NACD principles to give boards and organizational leadership the assurance that the organization delivers on the five principles at a practical level.
Cybersecurity risk management reporting is not a panacea. It cannot guarantee that an organization won’t be breached. Instead, it demonstrates that an organization is prepared to prevent or detect, respond to and recover from a breach effectively and efficiently.
The financial, reputational and legal risks outlined above intensify in the context of inadequate preparation. If a breach goes undetected for an extended period of time, involves significant amounts of sensitive data or involves improper, ill-timed or insufficient notifications to affected parties, the associated costs increase dramatically.
Yahoo did not detect its widely publicized 2014 breach for two years. The U.S. Office of Personnel Management left government employees’ data exposed for a full year. In these cases, it wasn’t the breaches themselves that did the damage; it was the time it took to detect, respond and recover.
Cybersecurity risk management reporting gives law firms the objective assurance that the appropriate systems, processes and controls exist to manage a cyberattack.
There are many stakeholders whose interests and decision making depend on accurately assessing cybersecurity preparedness and risk. These parties will be well advised to integrate cybersecurity risk management reporting into their due diligence. They include:
Law firms of all shapes and sizes face cyber risks. As with most things related to cybersecurity, it is not a matter of “if,” but a matter of “when.” Some will seek to transfer these risks to insurance carriers. Others will create ad hoc solutions or simply hope for the best. Those looking to validate their own security controls and protect their firms’ interests will stay ahead of the curve by making the necessary investments before a devastating breach occurs.
Whether or not a small, midsize or large firm chooses to undergo cybersecurity risk management reporting proactively, stakeholder pressure to prove its cybersecurity risk management capabilities will continue to grow. The universe of possible circumstances and vested third parties demonstrates a clear need for objective cybersecurity reporting. Cybersecurity reporting will strengthen a law firm’s profile and demonstrate that it proactively manages risk.
[1] ABA 2017 Legal Technology Survey Report, American Bar Association, 2018.
[2] 2018 Cost of Data Breach Study: United States, IBM and Ponemon Institute, 2018.
[3] “70% of consumers would stop doing business with a company if it experienced a data breach,” Gemalto, 2017.
[4] “Mossack Fonseca law firm to shut down after Panama Papers tax scandal,” The Guardian, 2018.
[5] “The security flaws at the heart of the Panama Papers,” Wired, 2016.
For more information on this topic, or to learn how Baker Tilly professional services specialists can help, contact our team.