LTN Cybersecurity Feature

A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients' sensitive information.

But they didn't come to this realization entirely on their own. Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm.

But that was a few years ago, before ransomware attacks like WannaCry and Petya spread throughout the world, infiltrating some of the biggest enterprises in the global market including the U.K.'s National Health Service, Boeing and DLA Piper. And that was also before those affected by breaches, such as those at Equifax and the Republican National Committee, were measured in the hundreds of millions, not the thousands.

Suffice it to say, the threat landscape hasn't gotten better. Rather, it has evolved to be even more pervasive, malicious, and inescapable than ever before.

But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm.

Still, while clients are becoming more hands-on with law firms' security, cybersecurity review remains fragmented, and some say outdated. For as much as clients are honing their management of third-party security, law firms are crying out for even more comprehensive changes. For many, the hope is that the change already taking hold is only just the beginning.


Fundamentals 2.0

Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. “Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year,” says Paul Greenwood, chief information officer at Clifford Chance.

Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. “It's more of an engagement than a point-in-time audit,” says Robert Kerr, chief information officer at Cooley. “It used to be a check-the-box type of exercise; now it's an interactive exercise where they seek clarifications.”

And often, these audits will get into the weeds. Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have “gotten more granular, they've gotten more specific in terms of the information they are trying to glean from their business partners, including law firms.”

The details that clients usually ask from a law firm will vary, but oftentimes will focus around the technical minutiae of their data security. “The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them,” says Andrea Markstrom, chief information officer at Blank Rome.

This means that, at a minimum, modern law firms need to hold “routine and regular scans of vulnerabilities in their systems,” Don adds.

But demanding and detailed audits, even yearly, may not be enough in today's cyberthreat world. “The other thing that I think we're seeing more of is these one-off, what I call 'diligence inquiries' around high risk vulnerabilities,” Don says, pointing to “Spectre” and “Meltdown” microprocessor vulnerabilities that were disclosed in January 2018 as examples.

Such inquiries come “outside the questionnaire process,” he explains, and may encompass several questions about the firm's susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they've addressed a particular vulnerability.
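The Spectre and Meltdown inquiries Don describes boil down to one question the firm has to answer with evidence: is the mitigation actually in place on our hosts? The following is an added example, not from the article or any firm's tooling, of how that evidence can be gathered on Linux. It reads the kernel's sysfs interface /sys/devices/system/cpu/vulnerabilities/<name> (present since Linux 4.15), where each file holds a one-line status beginning "Not affected", "Mitigation:" or "Vulnerable", and refuses to certify when any requested entry is missing or vulnerable. CONSTRUCTED_SYSFS is sample data made up for the example, not output from a real host, so the module also runs where sysfs is absent.

```python
"""Check Linux kernel mitigation status for Spectre/Meltdown-class CPU bugs.

Added example, not from the article. CONSTRUCTED_SYSFS is fabricated sample
data; on a Linux host read_sysfs() returns the real values instead.
"""
import os
from typing import Dict, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample: Meltdown and Spectre v1 mitigated, Spectre v2 not.
CONSTRUCTED_SYSFS: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "spec_store_bypass": "Not affected",
}

# The sysfs names a "have you addressed Spectre and Meltdown?" inquiry maps to.
DEFAULT_REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map one sysfs status line to not_affected / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"          # empty, unreadable or an unrecognised format


def read_sysfs(directory: str = SYSFS_DIR) -> Dict[str, str]:
    """Read every file under the kernel's vulnerabilities directory (empty dict if absent)."""
    statuses: Dict[str, str] = {}
    if not os.path.isdir(directory):
        return statuses
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read().strip()
        except OSError:
            statuses[name] = ""
    return statuses


def assess(statuses: Dict[str, str], required=DEFAULT_REQUIRED) -> Tuple[bool, Dict[str, str]]:
    """Return (can_certify, {name: classification}).

    can_certify is True only when every requested vulnerability is present and
    either mitigated or not affected. A missing or unparseable entry (older
    kernel, unknown name) blocks certification instead of silently passing.
    """
    detail = {name: classify(statuses.get(name, "")) for name in required}
    ok = all(v in ("mitigated", "not_affected") for v in detail.values())
    return ok, detail


def report(statuses: Dict[str, str], required=DEFAULT_REQUIRED) -> str:
    """Human-readable evidence to attach to the client's diligence inquiry."""
    ok, detail = assess(statuses, required)
    lines = [f"{n:<18} {c:<13} {statuses.get(n, '<absent>')}" for n, c in detail.items()]
    lines.append("CERTIFIABLE" if ok else "NOT CERTIFIABLE: remediate before certifying to the client")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()              # real data on a Linux host, {} elsewhere
    print(report(live or CONSTRUCTED_SYSFS))
```

Run it across the fleet and keep the per-host output with the client's questionnaire response; the point of failing closed on an absent entry is that "we found nothing" is not the same as "we are mitigated".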


Tech for Transparency

Many corporate clients, however, do not solely rely on their own audits and questionnaires to get a sense of their law firms' data security. Increasingly, they also look for assurances from services that externally scan law firms' networks and assign security scores based on what they find.

“Our clients are beginning to pay attention to, and ask us about, our security rating, which is very similar to a credit rating,” Markstrom says. She adds that services that offer scoring include companies like BitSight and SecurityScorecard.

But how, exactly, do these scores work? Alex Heid, chief research officer at SecurityScorecard, says his service is “looking at networks the way hackers or other attackers are looking at the networks” in order to flag clients' potential vulnerabilities, whether they be law firms or enterprises.

Services like SecurityScorecard identify the vulnerabilities associated with a given organization by scanning the IP addresses tied to its internet-facing IT assets. “We will look at any exposed administration equipment, firewall routers, any type of device that will be connected to the internet,” Heid adds.

The service, however, doesn't just rely on external scans in its assessment. It also scours the dark web and hacker forums to look for compromised passwords, email addresses and other sensitive information belonging to the assessed law firm or enterprise. SecurityScorecard then merges and analyzes all the data it obtains “to assign a letter grade of A to F, same as the school system, as well as a numerical score that correlates along with the letter grade,” Heid explains.

While many of today's law firms have accepted that such scoring is a part of modern cybersecurity reviews, some worry that these scores may not be completely accurate. Clifford Chance's Greenwood, for instance, says that, because these rating services monitor and assess all IP addresses associated with a law firm, they may be viewing IT assets that are outside of a law firm's protected network.

“So, for example, if you provide general purpose internet connectivity in our conference room, that's for clients to use. It's not part of our network, but we own it all, and it counts toward our score. That can give you a misleading impression, because those are all computers that are not part of our service networks; they are actually computers outside your control,” he says.

To be sure, Clifford Chance has pushed back on some of the scores it received from BitSight, and through the service's remediation channels, was able to change them. SecurityScorecard also “has a collaboration and remediation functionality,” Heid says, though he adds that this is not a uniform feature across the industry. Still, he believes the ability to contest scores is vital. “We are not just saying, 'There is your score, live with it, and here are the consequences.'”
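To make the mechanics of the preceding section concrete, here is an added example of a toy rating model; it is not SecurityScorecard's or BitSight's, whose weightings are proprietary and not described in the article. It does what the article says such services do: findings from scanning the IP space attributed to an organization are merged with leaked-credential hits into a numerical score and an A-to-F letter grade. It also models Greenwood's complaint and the remediation channel that answers it: the guest Wi-Fi range is owned by the firm and so counts until the firm disputes it, at which point the same findings produce a different grade. The IP ranges (TEST-NET-3), findings, category weights and grade thresholds are all assumptions constructed for the example.

```python
"""Toy external security rating with an asset-scope dispute step.

Added example, not any rating vendor's model. Weights, thresholds, ranges
and findings are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed deduction per finding category (points off a 100-point score).
WEIGHTS: Dict[str, int] = {
    "exposed_admin_interface": 15,   # RDP/SSH/web admin console reachable from the internet
    "outdated_tls": 5,
    "open_database_port": 20,
    "leaked_credential": 10,         # firm e-mail/password pair seen in a dump
}

# Assumed grade thresholds; anything below the last floor is an F.
GRADES: Tuple[Tuple[int, str], ...] = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


@dataclass(frozen=True)
class Finding:
    category: str
    asset: str      # IP address for scan findings, e-mail address for leaked credentials
    detail: str = ""


@dataclass(frozen=True)
class Scope:
    owned: Tuple[str, ...]      # CIDRs registered to the firm (what the scanner attributes to it)
    disputed: Tuple[str, ...]   # CIDRs the firm has shown are not its service network

    def counts(self, asset: str) -> bool:
        """Does a finding on this asset contribute to the firm's score?"""
        try:
            ip = ipaddress.ip_address(asset)
        except ValueError:
            return True     # non-IP assets (leaked credentials) always count
        if not any(ip in ipaddress.ip_network(c) for c in self.owned):
            return False    # not attributed to the firm at all
        return not any(ip in ipaddress.ip_network(c) for c in self.disputed)


def dispute(scope: Scope, cidr: str) -> Scope:
    """New scope with `cidr` excluded, as a successful remediation request would do."""
    return Scope(owned=scope.owned, disputed=scope.disputed + (cidr,))


def score(findings: List[Finding], scope: Scope) -> int:
    deduction = sum(WEIGHTS.get(f.category, 0) for f in findings if scope.counts(f.asset))
    return max(0, 100 - deduction)


def letter_grade(points: int) -> str:
    for floor, letter in GRADES:
        if points >= floor:
            return letter
    return "F"


def rate(findings: List[Finding], scope: Scope) -> Tuple[int, str]:
    s = score(findings, scope)
    return s, letter_grade(s)


# Constructed data. 203.0.113.0/24 (TEST-NET-3) stands in for the firm's block:
# the lower half is the service network, the upper half is conference-room guest Wi-Fi.
FIRM_SCOPE = Scope(owned=("203.0.113.0/24",), disputed=())
GUEST_WIFI = "203.0.113.128/25"
CONSTRUCTED_FINDINGS = [
    Finding("exposed_admin_interface", "203.0.113.10", "tcp/3389 open"),
    Finding("outdated_tls", "203.0.113.20", "TLS 1.0 offered"),
    Finding("exposed_admin_interface", "203.0.113.140", "visitor laptop on guest Wi-Fi"),
    Finding("open_database_port", "203.0.113.150", "visitor device on guest Wi-Fi"),
    Finding("leaked_credential", "partner@example-firm.invalid", "seen in a public dump"),
    Finding("open_database_port", "198.51.100.7", "not the firm's address; ignored"),
]

if __name__ == "__main__":
    print("as scanned:           ", rate(CONSTRUCTED_FINDINGS, FIRM_SCOPE))
    print("guest Wi-Fi disputed: ", rate(CONSTRUCTED_FINDINGS, dispute(FIRM_SCOPE, GUEST_WIFI)))
```

With these constructed inputs the firm scores 35 (F) as scanned and 70 (C) once the guest range is disputed, which is exactly why a practitioner should keep an authoritative list of which owned ranges carry the service network before the first rating arrives rather than after.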


Access Denied

Though clients are demanding more visibility into law firms' networks and IT assets, many do not dictate what technology platforms law firms can or cannot use for their work. Instead, clients will usually “say we have certain standards we are going to impart, and we expect you to fulfill them across your spectrum of technologies,” notes Cooley's Kerr.

There are, however, some exceptions. Stradley Ronon's Don seldom sees specific technology restrictions, save for two platforms that clients will prohibit by name: Gmail and Dropbox. Clients worry about these products, he surmises, because of the “publicity that has been out there around” the two products' possible lack of security controls.

Yet, while restrictions are not generally common, for law firms with clients in heavily regulated industries like finance, the situation is far different. “One thing that, increasingly, the major banks require is blocking access to exfiltration routes for data out of your organization,” Greenwood says. He notes that in addition to Gmail and Dropbox, other webmail services as well as social media platforms like Facebook may likewise be restricted.

Some clients are also requiring law firms to deploy technology to prevent their information from leaking outside secure channels. Clients are “often asking what data loss protection (DLP) systems you have in place, and that's a new technology that has [arrived] in the last 12 to 18 months,” Greenwood says. He explains that a DLP system is software that “scans outgoing communications, particularly emails, to look for specific things that shouldn't leave the organization.”

But running a DLP system in a law firm can be tricky. While DLP software is great for identifying and flagging certain numerical information, such as credit card or Social Security numbers, legal content poses a challenge. “How do you separate general content in an email from content that is legally privileged and shouldn't leave [the law firm]? It's quite tricky,” Greenwood says.

There are ways, though, around the problem. “There is no off-the-shelf easy answer to that at the moment, but what you can do is look at certain rule-based approaches,” Greenwood says, explaining that the DLP can be configured to block client-related emails from ever being sent to webmail services.

Yet such rule-based approaches take longer to set up and run than just letting the DLP work on its own. “The kind of automated process that identifies things in a financial world or a medical world doesn't sit easily for legal-type work,” he adds.
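The following is an added example, not Clifford Chance's DLP configuration or any vendor's product, of the two approaches the preceding paragraphs contrast. Pattern matching handles the numeric identifiers DLP is good at (SSNs and Luhn-valid card numbers, so that a 16-digit invoice number is not flagged); the rule-based policy handles legal content by context rather than content, blocking any message that carries a client-matter tag or a privilege marker from the webmail and consumer file-sharing destinations the banks ask firms to close off. The destination list, the "[Matter NNNN]" subject convention, the privilege-marker wording and the sample messages are all assumptions constructed for the example.

```python
"""Rule-based outbound e-mail DLP check of the kind described above.

Added example; the domain list, subject convention and sample traffic are
constructed, not taken from any firm's configuration.
"""
import re
from dataclasses import dataclass, field
from typing import List

BLOCKED_DESTINATIONS = {"gmail.com", "googlemail.com", "dropbox.com", "outlook.com", "yahoo.com"}
MATTER_TAG = re.compile(r"\[Matter\s+\d{4,}\]")                       # assumed subject convention
PRIVILEGE_MARKER = re.compile(r"privileged\s*(?:&|and)\s*confidential", re.I)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")              # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so invoice or matter numbers are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid card-like numbers found in text, digits only."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Email:
    sender: str
    recipients: List[str]
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                           # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def evaluate(msg: Email) -> Verdict:
    reasons: List[str] = []
    # Pattern rules: numeric identifiers never leave, whatever the destination.
    if SSN.search(msg.body):
        reasons.append("ssn_pattern")
    if card_numbers(msg.body):
        reasons.append("card_number")
    # Rule-based: legal content is recognised by context (matter tag, privilege
    # marker) plus destination, because the prose itself cannot be classified reliably.
    dests = {r.rsplit("@", 1)[-1].lower() for r in msg.recipients}
    hit = sorted(dests & BLOCKED_DESTINATIONS)
    if hit:
        if MATTER_TAG.search(msg.subject):
            reasons.append("matter_mail_to_" + ",".join(hit))
        if PRIVILEGE_MARKER.search(msg.subject) or PRIVILEGE_MARKER.search(msg.body):
            reasons.append("privileged_to_" + ",".join(hit))
    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample traffic (all addresses use reserved example domains).
SAMPLE_MESSAGES = [
    Email("associate@example-firm.invalid", ["counsel@client.example"],
          "[Matter 10423] Draft SPA", "Attached is the revised draft."),
    Email("associate@example-firm.invalid", ["counsel@client.example", "me.personal@gmail.com"],
          "[Matter 10423] Draft SPA", "Forwarding so I can read it at home."),
    Email("paralegal@example-firm.invalid", ["expert@consultancy.example"],
          "Witness details", "Her SSN is 123-45-6789 for the background check."),
    Email("billing@example-firm.invalid", ["share@dropbox.com"],
          "Invoice", "Invoice 1234 5678 9012 3456 is attached."),       # 16 digits, fails Luhn
    Email("partner@example-firm.invalid", ["someone@yahoo.com"],
          "Note", "PRIVILEGED & CONFIDENTIAL: card 4111 1111 1111 1111 was used."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = evaluate(m)
        print(f"{v.action:<5} {m.subject!r:<28} {v.reasons}")
```

The first message (matter mail to the client's own domain) is allowed and the second (the same mail copied to a Gmail address) is blocked on the matter tag alone, without the engine understanding a word of the draft; that is the rule-based trade-off Greenwood describes: it needs the firm to maintain the tagging convention and destination list, which is the setup time the automated pattern rules do not require.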


Will the Future Be Standardized?

As much as clients' cybersecurity requirements and audits have evolved, they haven't changed much in the one way most law firms want: There is still little standardization around cybersecurity reviews.

What the industry needs, Greenwood says, is “clients working together to develop more common questionnaires and audit processes, so that you could be audited by one of them and they could share the results. That way, you don't have to go through audits that are 80 percent the same, 100 times a year.”

To be sure, there are standardized cybersecurity certifications that law firms can acquire to show they meet a certain level of protection. “I think we are going to see wider spread adoption of internationally required security standards frameworks, and ISO 27001 is a big one there,” Don says.

But certifications like ISO 27001 may not be as comprehensive as some would like. “There is variability in how you can get the certification and what systems can be certificated, and you can say you are certified if you certify a single platform, but it doesn't necessarily protect all of the data,” Kerr adds.

What Kerr would like to see are cybersecurity certifications based on certain legislation or regulations, such as the EU's General Data Protection Regulation or the U.S. Health Insurance Portability and Accountability Act. He says, “There hasn't been any standardization that really addressed all these areas.”

Yet there is an upside to cybersecurity reviews being a custom affair. Some clients have begun to see their law firms' security as an extension of their own internal cybersecurity program. Greenwood sees a trend “where some of the larger, more demanding clients are actually trying to develop more of a partnership on the cyber side, and it's welcome.”

Clifford Chance, for instance, “recently had clients ask us to take part in joint cyber exercises,” he says. What's more, “we have had clients offering to share resources in the event of a problem, and similarly we have offered to share resources with other clients.”

Greenwood believes that such one-on-one partnerships should be at the heart of all future cybersecurity reviews. For while standardization is much needed to streamline audits, such audits may not be as fundamental in the future as they are today.

“I suspect other clients would go down the route of ever more detailed checklists, but I'm not sure it is in anybody's interest,” he says. “I don't think it gets to the heart of the matter. Those are measuring old problems, not generally the next generation of cyberthreat.”