If a country is attacked, the president is called upon to respond on behalf of the nation. If a crime wave breaks out in a city, the city’s mayor is on the hot seat. The secretary of defense and police chief will dutifully stand behind the chief executive at every press conference, but the buck stops with the person in charge. The same dynamic applies when it comes to law firms and the oversight of cybersecurity. As the leader who sets the firm’s priorities and controls spending and hiring, the Managing Partner should take the helm as the true “owner” of a firm’s cybersecurity.

Why is Cybersecurity Not an IT Problem?

Unfortunately, too many Managing Partners think of cybersecurity as an IT issue. That might have been true 20 years ago, when implementing anti-virus and firewall protections may have constituted reasonable information security. But reasonable security today demands a firm-wide approach, a shift in firm priorities and new expenditures to address the continually evolving cyber threat.

Moreover, even state-of-the-art network technologies are insufficient on their own to address today’s multi-faceted cyber threats. Perimeter defenses are tested both by sophisticated cyber criminals and by mobile attorneys who expect constant remote access to the firm’s network from a variety of devices. A single click on a phishing email, or an attorney’s use of untrusted airport Wi-Fi, can neutralize even well-designed, properly implemented technology defenses. Further, a perimeter defense provides no protection against misappropriated passwords, non-compliant or malicious employees, or the absence of effective training. To use an analogy, a strong lock on the front door might prevent a break-in, but it cannot protect the building if the thief is already inside or can trick someone into opening the door. The lock is not abandoned, but it cannot be viewed as the only measure necessary to secure the building.

Law firms are facing an ever-evolving variety of cyber risks, requiring a broad-based approach that exceeds the reach and capabilities of the IT department. These firm-wide cyber risks demand firm-wide solutions that can be implemented only by top management.

Why is Cybersecurity a Managing Partner Problem?

Like all other issues affecting the management of the law firm as a whole, responsibility for cybersecurity should fall squarely within the purview of the Managing Partner. The Managing Partner is in the best position to set the tone for the firm and demand that cybersecurity become a priority for all firm employees — including those hard-to-manage senior partners.

The Managing Partner also has the “power of the purse” and can direct sufficient resources to fund reasonable security measures based on the firm’s unique cyber-risk profile. Unlike any individual department head, the Managing Partner has the authority to establish firm-wide policies and procedures, and to mandate compliance. The Managing Partner also is uniquely empowered to hire appropriate security-related personnel, assist in the procurement of cyber-insurance and oversee incident response planning. And most certainly, in the wake of a cybersecurity incident, the angry calls from clients, the press, law enforcement and regulators will be directed to the Managing Partner, and not to the “IT guy.”

Recommended First Steps

The following are initial steps a Managing Partner can take to begin to prioritize cybersecurity and implement reasonable solutions:

Commission a Third-Party Assessment
A neutral party can benchmark the firm against industry standards and practices and provide a prioritized list of recommended actions. The recommendations can then be evaluated against the firm’s risk profile and budget to develop an action plan for the next six and twelve months.

Develop a Security Event Response Plan
A data breach can originate in any department across the firm, and the early warning signs can be spotted by any employee. An incident response plan contained solely within the IT group misses the rest of the firm. A plan that engages the firm as a whole and considers all exposure points, including those outside the IT department, is far more effective in preventing, identifying, reporting and containing a security event. A firm that does not have a current, recently tested incident response plan needs one immediately. Developing or updating this plan also gives the various department heads a useful mechanism for collaborating with each other and with the Managing Partner.

Review Security and Privacy Training
New threats constantly emerge, and standards for prevention and detection should mature accordingly. As this occurs, training materials should be refreshed so that employees can properly protect the firm’s information and use the most secure workflows. The Managing Partner will also want to review the training program to ensure it is not an online, “click-through-the-slides-once-a-year-and-check-the-box” exercise. Effective cyber-training is delivered when it is relevant, repeated periodically throughout the year, and tailored to the job function of the employee receiving it.

Final Thoughts

Although the IT department has an important role to play in protecting data within the control of the law firm, an active and engaged Managing Partner is vital to tackling a law firm’s cybersecurity issues in this environment. By setting the right tone and making smart investments, the Managing Partner can ensure that cybersecurity is recognized as a key firm priority and integral to success in today’s legal marketplace.


About the Authors
Judy Selby is a Managing Director in BDO Consulting’s Technology Advisory Services practice, having more than 20 years of experience in insurance and technology. Known as “one of the premier voices in legal technology” by Legaltech News, she consults with clients on cyber insurance, cybersecurity, information governance, data privacy and complex insurance matters. Judy can be reached at jselby@bdo.com.

Deena Coffman is a Managing Director in BDO Consulting’s Technology Advisory Services practice. She has more than 20 years of experience in information security, operations, strategic planning and risk management. Deena has held technology leadership roles involving technology infrastructure, cybersecurity, data privacy, compliance and eDiscovery. Deena can be reached at dcoffman@bdo.com.
