A large majority of attorneys have not assessed the effect a cyber breach could have on them, and more than half of those surveyed by Marsh said their law firms have not insured cyber risk.
Marsh’s 2014 Global Law Firm Cyber Survey found 72 percent of law firms had not figured out how much a data breach would cost them. Forty-one percent said they were not insured for a data breach or business interruption, and 10 percent said they just didn’t know.
Analyzing the cybersecurity of law firms is challenging because they are not required to disclose a hacking event, but firms have been in the crosshairs of regulators and government agencies, such as the FBI, for not having enough security to protect the sensitive data they possess. Marsh said the FBI in 2011 met with many law firms in New York to talk about cybersecurity and followed this up with other meetings around the US to educate and train firms.
Law firms say cybersecurity is a top risk–with nearly 80 percent agreeing–but many may be exposed by outsourcing. Marsh said 67 percent of respondents rely on outsourced vendors for IT needs.
“Recent cyber incidents have revealed that exposure to third-party suppliers and vendors has been a weak link in a corporation’s cyber defenses, often allowing unauthorized personnel to obtain valuable information,” said Marsh.
“Regardless of whether your clients are the Fortune 500, middle-market companies or small entrepreneurs, an attorney’s clients–and by extension, the attorney himself or herself–are at risk of losing personally identifiable information, personal health information and/or confidential commercial information,” said Rich Bortnick, senior counsel at Traub Lieberman Straus & Shrewsberry, in a three-part series on cybersecurity at law firms. “In many cases, the effect of a cyber incident could be devastating, if not fatal, to an attorney’s reputation. And, by extension, his or her practice’s economic viability.”