Lawyers and other professional advisers don’t normally think of themselves as part of a business’s “supply chain”. As professionals, we traditionally put ourselves in a little box off to the side: we are brought in when strategically necessary, bring our specialist expertise, and like to think of ourselves as “trusted advisers” rather than part of the fabric of the client’s business.
We don’t, after all, provide inputs to manufacturing processes, handle outsourced elements of your business or sell widgets.
However, in the wake of several major law firm breaches in Australia and internationally in just the last three weeks, not to mention the many breaches of financial services firms and other advisers in recent history, lawyers and other professional firms will need to rethink their role in the supply chain, and so will their clients.
In the world of cyber security, law firms and other professional advisers are very much part of the “supply chain” that can be used to attack a target business. Threat actors don’t see “advisers” any differently to “suppliers”. They see a source of highly valuable information, sitting outside the business’s secure corporate network, and therefore easier pickings.
Pause for a minute and think about the information your lawyer, accountant, financial adviser, or procurement adviser holds about your business.
Commercial and corporate law firms hold information about IP yet to be registered and protected, projects to develop and launch a new industry-changing product, plans to acquire another business or sell off part of the company, and bids for major tenders containing key financial information that could give a competitive edge to another bidder. Much of this same information is shared with other professional advisers, and the list extends to detailed financial information, sensitive commercial details and strategic plans.
This is just a small sample of what external advisers hold. What’s more, they usually hold it on their systems (outside your corporate network and control). They may also be more likely to be smaller organisations, potentially without the high-level security afforded by the big firms (not that being a big firm makes you immune to breaches — it doesn’t).
The upshot for professional advisory firms is that their assessment of who might be targeting their business, and how, needs to consider not just traditional threat actors but also anyone who might seek to expose or gain information about one of their clients, or who sees value in the information the firm holds. While the “business” of a professional advisory firm will always be providing quality advice to clients, the partners and boards of these firms need to have the security of the firm high on their agenda, ensuring that the firm’s risk management program includes prompt technology patching, staff training and other standard security “hygiene” practices.
Firms are increasingly using technology to support their practices and collaborate with clients — as they should. However, these technology solutions each come with their own set of risks and vulnerabilities. The due diligence system you use to access documents for your client’s takeover bid holds extremely sensitive information and also provides a whole other set of vulnerabilities to your firm’s IT network. For example, the Allens breach in 2021 was a breach of the file-sharing system (Accellion) used by the firm.
As firms adopt these technologies, you need to be asking about their security as part of your own due diligence.
Security As a Foundational Business Principle
A culture of security must also become part of the culture of every firm and led from the partnership. I have worked with many partners who are proud “technology luddites”, refusing to use unique passwords and actively resisting the implementation of security measures like multifactor authentication because it’s “all too hard”. This attitude then infects the security culture throughout the firm. This might have been excusable in the past, but not in 2023. Interestingly, reports in Lawyers Weekly in mid-April found that the majority of legal professionals have no confidence in their firm’s ability to detect and respond to security breaches.
If the professionals in the firm lack confidence that their systems are secure, their clients should be worried.
What is at stake? To name a few of the consequences: fines for breach of data privacy laws (for the firm and for impacted clients); reputational damage and loss of trust (and likely loss of clients); and, increasingly likely, an investigation by the Australian Securities and Investments Commission (ASIC) and consideration of professional misconduct by the relevant profession’s regulatory bodies.
What should firms be doing to uplift the security of their practice and become a “strong” link in their client’s supply chain?
- Understand what data your firm holds, where it’s held and how it’s protected. You can’t protect what you don’t know you have, or where it is. Is there a culture of saving documents to your laptop’s desktop? Or USBs? In small firms, is it all on a server in a cupboard that hasn’t been patched in recent memory?
- Set security policies for your firm and enforce them when they’re not followed (including where a partner is doing the wrong thing). For example: multifactor authentication on everything, unique passwords, no portable media (e.g. USB drives) unless encrypted, no family use of work devices, and no BYOD.
- Get good IT support, and line up specialist incident response support on retainer for when your firm suffers a breach. You want to know who to call — not be googling who might be able to help once the breach happens.
- Train your people. Your people, from your admin staff to your executive, are some of your weakest links. It doesn’t matter if you’re fully protected on the technical side if your teams can’t spot phishing attacks.
- Practise your incident response plan. Like your fire drill, you should be practising your cyber emergency plan regularly. Your IR plan is more likely to be put into practice than your fire plan.
For clients of professional advisers (e.g. most businesses), when examining the security and risk of your supply chain, you must not forget your professional advisers. Given the level of sensitivity of the data they hold, you probably should place them high on your priority list. You should consider:
- Requiring your advisers to have in place, and to demonstrate, compliance with fundamental security principles and controls (at a minimum, the ACSC’s Essential Eight). The controls you require should be scaled to the nature of the information your advisers will hold and access;
- Getting your advisers to work on your network: give them a laptop and a secure login. It’s a small investment that can greatly reduce your risk, especially for longer-term engagements;
- Practising security due diligence on any external systems you are using with your advisers, e.g. due diligence, deal or other platforms;
- Ensuring you have a list of what matters and what data is with your advisers. If they suffer a breach, you want to know exactly what they’ve had access to;
- Putting in place, and enforcing, data return or deletion practices. Firms shouldn’t be keeping large amounts of client data for long periods, especially after deals are complete. Where possible, data should be returned to you, or they should confirm it’s been securely deleted from their systems;
- Considering your broader procurement life cycle: what do your procurement templates, engagement contracts etc. say about security? If you start your procurements with “security by design”, the security of your supply chain will follow.
And if you don’t know where to start — get some help.