Corporate legal department supply chains are under attack

BY TOM KELLERMANN, ALVAREZ & MARSAL

As readers of the Advisory well know, corporate legal departments enlist the services of outside counsel for advice, contracts, protection and many other functions―not only on routine business and legal matters but in times of crisis as well.  Communication between the corporation and its outside counsel and other legal service providers often includes privileged and sensitive information.

What readers may not realize is that the disparity between corporate and outside law firm cyber protection capabilities can be vast.  Any vulnerability in a law firm’s data protection systems and protocols can put the corporation at risk.

An increase in the frequency and severity in cyber attacks against legal teams and law firms that house highly sensitive information has prompted both the FBI and the UK’s MI5 to issue warnings urging the legal community to face the truth:  its information security falls short of the mark. Unfortunately, most legal organizations do not realize they are still vulnerable despite the systems they have set in place to protect against rising threats―- so the threats persist.

Traditional approaches in cyber protection include a combination of firewalls, virus scanners and encryption; however, these “perimeter” defenses are being bypassed by targeted attacks and automated attack toolkits.   A forward-leaning cybersecurity strategy coupled with modern security controls is imperative.

What do Cyber Thieves Target at Corporations?

The international law enforcement organization Interpol has reported a 10 percent decrease in street crime globally in 2012 due to the migration of criminals to cyberspace.  Intellectual property is now the primary commodity of the underground economy.

Since 85 percent of assets are now intangible, reputational and operational risk is exacerbated by the dependence on information technology and the Internet to deliver services.

Lessons Learned from Virtual Bank Heists

Today 98 percent of bank heists occur in cyberspace (United States Secret Service, 2013).  In addition to this stark reality, 95 percent of capital is now digital U.S. Bank 2013).  Cyber criminals are financially motivated and have been targeting the financial sector for more than a decade.  The elite hackers of the world are hunting the financial credentials and payment systems of financial institutions.  The Cyber Arms Race is on.

In 2013 the financial sector began to develop a proactive stance against organized cybercrime.  The sector’s widespread levels of information sharing coupled with the implementation of new cybersecurity technologies and proactive cyber strategies should be applauded.  Aggressively targeted by hackers, nation states and now organized crime, financial institutions have begun to mature their defenses accordingly.

In-house counsel and law firms would be well advised to ask themselves five critical questions:

1. Have you and your firms created a role and identified an individual to lead a cybersecurity strategy?
2. Have your company and your outside law firms developed a proactive two-year strategy and integrated it with the business process?
3. Has a holistic security assessment of the networks at your company and those at your outside firms taken place?
4. Do your company and your outside counsel have holistic incident response plans in place to react to inevitable cyber intrusion?
5. Have all third-party service providers―- those who serve your company as well as those who serve your outside counsel―been assessed and their incident response plans reviewed?

Addressing these questions and implementing a sound strategy will better position law firms and the corporations that hire them to protect the intangible assets which represent their intellectual property and privileged and confidential information.

Tom Kellermann is a managing director with Alvarez & Marsal’s Global Forensic and Dispute Services in Washington, D.C.  A strategic information security specialist with more than 17 years of experience, he focuses on emerging cyber threats, financial-sector risk management, cyber strategy development and incident response.  Before joining A&M, Kellermann was senior vice president of cyber security for Trend Micro Inc., where he led the cyber-threat intelligence practice and coordinated all long-term cyber investigations with international law enforcement.  Kellermann served as a commissioner on the Commission on Cybersecurity for the 44th Presidency and is currently an adviser to the International Cyber Security Protection Alliance and the National Board of Information Security Examiners Panel for Penetration Testing.  Kellermann is former senior data risk management specialist for the World Bank treasury security team. He is a professor at American University's School of International Service and Kogod School of Business and a Certified Information Security Manager.  For more information on Alvarez & Marsal’s services in this area, go to:  http://www.alvarezandmarsal.com/gfd-cyber-protection.