IT Security: A hygiene factor or differentiator?

Law firm IT security has never been as high on the client radar thanks to a growing awareness of the prevailing rise in cybercrime, GDPR, and yes, DLA Piper being hit by that not Petya virus.

Within the financial services and banking sector, already weighty questionnaires and on-site law firm audits are getting heavier and more frequent but perhaps most interestingly, a number of major corporates that to date have not put their law firm information security under the microscope, tell us that going forward they will do so.

With law firms already struggling under the weight of requests and with no real legal sector benchmark to help lighten the load, we asked clients outside of financial services, to what extent is law firm IT security a hygiene factor or a differentiator?

Infosec ON the agenda

It is easy to assume that just because within the financial services and banking sector 200-page security questions and onsite audits are the norm to be eligible for instruction, the same applies elsewhere. It really doesn’t, at least, not to date.

At Telefonica UK (O2), outgoing deputy general counsel Kent Dreadon tells us:

“In terms of our law firms I expect them to look after the information they have about us and expect them all to take the right steps. It’s something we take for granted and something I expect them to get right.”

Dreadon and the team typically instruct three or four firms in phases across a transaction and he adds: “We don’t ask about their security arrangements. We do competitor pitches for pretty much all work but it’s quite an informal and quick process with firms we know well.”

Dreadon is far from alone. In June 2016, Dixons Carphone Warehouse general counsel Nigel Paterson selected 11 law firms to his panel and he recalls:

“When we did the procurement for our current panel we didn’t have IT security as one of the metrics we checked against and the reason is that the assumption is that law firms understand the need for client confidentiality and understand the need to be security conscious.”

Paterson adds: “I can only think of once where I’ve specifically been discussing with a law firm how good its security is and that’s when a law firm was setting up a data room with sensitive corporate information. I put our IT team in touch with the law firm to check whether they had adequate protection. That’s the only time and the reason for that is that you work under the assumption that a well-managed law firm takes its security seriously.

“With our other major suppliers, IT security is a due diligence question but with law firms, we have taken comfort that it’s a business model that must be grounded in the fact of confidentiality and an added level of trust.”

Talking to Paterson and other GCs that have visibility across the industry, this looks set to change, and change imminently. Paterson says: “If we were to go into a procurement exercise after the coming into force of the GDPR this issue would be further up the agenda and we would have to do due diligence on our suppliers as they would be holding sensitive company data and we would probably also have to do a check that the law firm had adequate IT security.

“It’s not just the fact that a law firm was attacked but everyone is more generally aware of cyber risk because so many organisations are being hacked and it destroys customer trust.”

And speaking for many in the industry, Vodafone’s respected group GC and company secretary Rosemary Martin told us:

“The DLA Piper hacking incident brought home to all of us the vulnerability (and desirability as targets) of law firms so even if IT security wasn’t previously on inhouse legal teams’ “Must Have” lists for the law firms they instruct, it will be now. With the General Data Protection Regulations tightening up responsibilities for data privacy up and down the supply chain, and the daily news of hacking and IT security incidents, technology security is crucial for companies and those who work with them.”

Infosec UP the agenda

Of course, there are many corporates outside of the financial services sector that already did require firms to undertake IT security assessments.

Pharma is notorious for closely guarding its data and at biopharmaceutical FTSE 100 giant Shire, director of legal strategy and chief of staff to the general counsel, Claire Debney says: “We’re very lucky at Shire, we have an IT partner for the legal team and we partner with the cybersecurity team. If we’re giving data to anyone it has to follow company protocol to the letter.”

This is echoed at the FT, where the preferred law firm is Pinsent Masons. Here, general counsel Dan Guildford is in charge of law firm appointments but procurement run the background selection process.

Guildford says: “Procurement run it and they apply the same standards we have for any of our suppliers. I still run the process of choosing the law firm but to get on board law firms have to pass.”

All the signs are that these assessments already have or will become more arduous, with the weight being attached to them is visibly growing. At VMware Aine Lyons, vice president and deputy general counsel, worldwide legal operations, told Legal IT Insider:

“As part of our selection and on-boarding process, we require all our outside counsel to sign up to GDPR compliance and to have appropriate information security controls in place. They have to fill out a privacy and security assessment with procurement and sign up to our data privacy protection terms.

“As part of our RFPs, protection of data is getting a higher weighting than it used to and could be a differentiating factor. Firms that are lagging behind will be prohibited from working with us and even getting to the minimum standard, which has been raised by GDPR and other regulatory requirements, is a challenge.”

Security as a differentiator?

One of the major issues facing law firms is how much security is enough, with no meaningful industry standard to benchmark themselves against, although in the US, the Association of Corporate Counsel this year issued basic Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, which includes recommendations that outside counsel have achieved – or are requested to achieve – ISO27001 certification and have minimum cyber insurance coverage of $10,000,000.

This absence of benchmark could be one reason why law firms appear not to be competing for corporate work on the basis of their security, as Paterson tells us:

“Law firms are not marketing to us – or I haven’t seen it – to say, ‘one of the differentiators we have as a law firm is fantastic security.’ Like many organisations, nobody likes to say they have wonderful IT security because they worry that they will become a target. When the GDPR comes in and we have to do more due diligence, our teams procuring panels will have to be more rigorous and law firms will no doubt respond by being more proactive.”

But as IT security goes up the corporate agenda and becomes more onerous, as Lyons touched on above, by necessity it is already starting to become a differentiator. Lyons adds: “For any vendor who is going to have any confidential and/ or personally identifiable information, security is absolutely a differentiator and could prohibit them from working with us.”

And Guildford says: “It would be a differentiator, yes, because firms wouldn’t get through our procurement process and we wouldn’t instruct them.”

As an interesting and relevant aside, the issue of whether a law firm hosts its data in the cloud made little difference to many in-house teams we spoke to and Debney says: “We have a few systems in the cloud and for me personally I don’t think it’s an issue as long as firms have the proper safeguards and highest levels of security.”

Ultimately, it doesn’t take a genius to work out that, if (and when) other law firms are affected by a major cyberattack, security will become a selling point for law firms.

Debney says: “Will IT security be a differentiator? I think it will be but we’re a way off. It takes a few people to get knocked down to put up a pelican crossing and it will take more people to become getting affected before it’s a given.

“Law firm selection still often comes down to who you know and standard cyber is expected. But to know whether a law firm is best in class and maybe have the CTO coming to pitch on that basis – that would be good to see. That’s not happening yet but it’s a matter of time.”

This article first appeared in the September Orange Rag. Read it and sign up for your free monthly newsletter here: