The past month has presumably been quite eye-opening for the many, many law firms that have been sleeping on their significant cybersecurity exposure. From an unusual and specific warning by the FBI, to reports of elite law firms being hacked, to the blockbuster "Panama Papers" matter, law firms are now firmly on notice that they are in the crosshairs of hackers worldwide.
To recap, as I noted here, on March 4, 2016, the FBI's Cyber Division issued a Private Industry Notification alerting law firms that "[i]n a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms." The FBI stated that the criminals' motive was to gain access to inside information in law firm networks that could be used for insider trading.
Next, on March 29, 2016, the WSJ reported that hackers had successfully broken into the computer networks at several major law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. Investigators were probing whether the hackers' motive was, similarly, to obtain confidential information for the purpose of insider trading.
Most recently, in early April 2016, millions of emails, financial spreadsheets and other corporate records were hacked and leaked from the computer network of Panamanian law firm Mossack Fonseca -- a law firm that reportedly helped clients move money into offshore shell companies. According to one recent analysis of the hack, the scheme was quite simple:
So simple, in fact, that a teenager with no hacking knowledge other than basic googling skills could have done it.
Furthermore, the security mistakes Mossack Fonseca made were appallingly common. So common, in fact, that it’s fair to say most of the readers of this article work for organizations that are making at least one of the same mistakes.
What, then, should law firms be doing now that they realize they may be the next to land in the headlines over a cyberattack? Earlier this week, I hosted a webcast on this specific topic called, "Law Firms Under Cyber-Siege — How Law Firms Can Manage Data Breach Risks and Thrive Amid Cybersecurity Solutions." In this webcast, cybersecurity experts Joe Segreti and CW columnist John Reed Stark examine what law firms can do to manage the risk of the inevitable cyber-attack, including identifying cybersecurity vulnerabilities; remediating issues; improving processes and data protection; and properly handling regulatory, governmental and client scrutiny.
Check out the full webcast here: