By Jennifer Smith and Emily Glazer
Big banks are demanding that their law firms do more to protect
sensitive information to ensure that they don't become back doors
for hackers.
Once given special status as trusted third parties, lawyers,
particularly those who get access to sensitive bank information,
now are more likely to get full background checks. The number of
compliance checklists for law-firm technology systems and security
procedures has ballooned. And law firms big and small increasingly
are getting on-site audits to check who has access to documents and
office servers.
A spate of cyberattacks has sharpened financial institutions'
focus on security when dealing with outside law firms, said Varun
Mehta, a vice president at Clutch Group LLC, a legal and compliance
consulting firm that works with global banks. "Every bank has
changed from a year ago," he said.
J.P. Morgan Chase & Co., Morgan Stanley, Bank of America
Corp. and UBS AG subjected outside lawyers to greater scrutiny even
before financial institutions were victims of cyberattacks this
summer, people familiar with the matter said.
The demands come as financial regulators are paying more
attention to third-party vendors. Benjamin Lawsky, the
superintendent of New York state's Department of Financial
Services, last week sent a letter to dozens of banks requesting
information on security risks relating to law firms, accounting
firms and other third parties.
Law firms "can have access to a very large volume of sensitive
data on a recurring basis and that makes them a point of
vulnerability," Mr. Lawsky said.
A data breach this summer at J.P. Morgan, which compromised
contact information for about 76 million households, highlighted
financial institutions' vulnerability to cybersecurity attacks.
That incursion isn't believed to have originated with a third-party
vendor, however.
Big law firms with financial-institution clients were already
subject to some security requirements, such as limiting access to
certain documents or having policies in place to guard against
cyberattacks. But like government contractors or retail
payment-system providers, law firms increasingly are seen as
potential weak links. Clients often entrust them with everything
from valuable trade secrets to market-moving details on mergers and
acquisitions.
Law firms now are being asked to have their own vendor-security
programs, to prevent data from leaking out through third-party
contractors the lawyers hire, such as word-processing firms or
print shops.
"It's a lot more than just checking a box," said Lorey Hoffman,
chief information officer at law firm Goodwin Procter LLP. "I walk
through our data centers into the [server] cage with examiners"
sent by clients. The firm also enlists outside auditors to test its
defenses and runs internal checks of system strengths and
weaknesses.
Such programs don't come cheap. Banks generally foot the bill
for their on-site audits of law firms. But the firms must invest in
technology and software upgrades. Another cost: hiring staff to
maintain systems and train lawyers and employees on minimizing
risk.
Reliable and consistent data on law-firm data breaches don't
exist, so it is hard to say how frequently hackers target law
firms. But 14% of respondents to an American Bar Association
technology survey said their firms had experienced some type of
security breach or theft this year. Just 1% said it resulted in
unauthorized access to sensitive client data.
"Our external-facing Internet sites are probably getting hit 400
to 500 times a week" by third-party bots or denial-of-service
attacks, Mr. Hoffman said. "That kind of activity is the new normal
and it's hitting everybody."
Such attempts are common enough that the CBS television show
"The Good Wife" this month included a story line in which a hacker
used an email phishing scam to seize control of files at the title
character's law firm.
Some firms instruct attorneys not to open documents sent via
email unless they are in a secure environment in the office, or
using a firm laptop on an encrypted line. For particularly
sensitive matters, firms might restrict work to stand-alone
computers that don't connect to the Internet, said Mary E.
Galligan, a Federal Bureau of Investigation veteran who now is a
director of cyberrisk services at consulting and accounting firm
Deloitte & Touche LLP.
Mobile devices are a particular focus. Many firms can wipe data
from smartphones and laptops that are lost or stolen, and most
firms install some level of encryption.
Law firm Davis Polk & Wardwell LLP in recent weeks added a
new precaution: Lawyers must have a special application installed
on their smartphones to open attachments sent to their firm
addresses.
Hedge funds, private-equity funds, technology startups and
manufacturers also are asking more questions about security, said
Jim Darsigny, chief information officer at law firm Brown Rudnick
LLP.
"The skills to hack into a data network are not easy to come
by," Mr. Darsigny said. "But it doesn't take a genius to walk into
an unsecured office and walk out with printed information, or a
laptop. There is always a way in."
Write to Jennifer Smith at jennifer.smith@wsj.com and Emily
Glazer at emily.glazer@wsj.com