Ricci Dipshan, Legaltech News
The financial industry has pulled legal into its cybersecurity orbit, but what does it mean for the future of legal services for financial institutions?
Since the
dawn of the new millennium, technology has been expanding the reach and ability
of criminals at breakneck speeds. Regulators have constantly found themselves
running behind a new era of cyberthreats and dangers, struggling to respond to
accidents while fortifying the road ahead.
But with limited resources and time, their effort is
one of triage. Secure the vital pillars of society first, and the rest will
follow. This plan especially rings true when securing arguably the most
important pillar: the one buttressing the economy. Jeremy Estabrooks, senior
legal editor of Thomson Reuters Practical Law, notes that the financial
industry is considered a critical infrastructure industry by the federal
government. "There is definitely more emphasis on making sure they have
robust cybersecurity in place," he says.
For financial institutions, the presence of governing
regulations, of which cybersecurity is now part, has always been an intrinsic
part of the industry. "Because banks are a creation of a regulatory
culture, they really live and breathe policies and procedures, and I think the
management and directors are well aware of their responsibility and the need to
meet regulatory expectations," Estabrooks says.
But building out in-house cybersecurity is a lot like
putting up a firewall to protect a network. The protection it affords only
works if the network is kept centralized and does not extend to unsecured and
easily targeted endpoints. Yet, for modern day financial institutions, an
expanding network—from both an IT and a business perspective—is a necessity.
And no outside vendor is as consequential to a financial institution's security
as its outside counsel.
But with law firms by their side and immersed in their
data, how do financial institutions protect their flanks? And how can law firms
meet security responsibilities to shield their financial clients from exposure
and risk?
Joseph Abrenio, vice president of commercial services
at Delta Risk and president of the Midwest Cybersecurity Alliance, has found
that law firms "keep the secrets, good and bad, of all of their
clients." He adds, "Even if a financial institution is safe behind
their own walls, they will still have weak spots with the third parties they share
information with. As the saying goes, you're only as strong as your weakest
link."
The Laws of the Land
Data security in the financial and legal industries is
a tale of two sectors. While the financial industry is heavily regulated and
constantly watched by federal agencies, law has at times operated in an almost
laissez-faire environment, more ruled by a culture of confidentiality and
secrecy than hard regulatory rules.
For financial institutions, there is never a lack of
oversight, says David Ray, director of information governance at Consilio. But
what's interesting about financial services is the diverse nature of the
agencies to which companies are beholden: "Some of it comes from the
Federal Trade Commission (FTC), some of it is the Consumer Financial Protection
Bureau (CFPB), some of it is the Federal Deposit Insurance Corporation
(FDIC)—acronyms abound as far as who is responsible. Financial institutions tend
to be a bit of a Swiss cheese as far as enforcement goes."
Such regulatory power can be traced back to 1950, with
the passage of the Federal Deposit Insurance Act. Abrenio notes that the
safety and soundness provision of 12 U.S.C. Section 1831p-1 of the act applies
to the cybersecurity practices of federally insured financial institutions. He
adds that the section requires several of the federal banking regulators to
develop regulations and guidelines to ensure the security of covered financial
institutions.
The act, however, left it open for regulators to
interpret what security means. "The benchmark of keeping financial firms
'safe and sound' is intentionally vague. As such, there is no uniformity in the
industry as to what qualifies as 'safe and sound,'" Abrenio explains.
Over 40 years later, regulators were given more power
over financial institutions under the Gramm–Leach–Bliley Act of 1999 (GLBA).
But while the act created the modern foundation for industry-wide cybersecurity
enforcement, it was primarily focused on the protection of consumers. The law,
explains Thomson Reuters' Estabrooks, "imposes the responsibility to
protect customers' privacy and confidentiality—their personal information—so
that results in requirements for having an information security program in
place to protect data."
And like the Federal Deposit Insurance Act, the GLBA
was also kept intentionally vague. The GLBA only "imposes the general
requirements of maintaining or having information security in place," so
regulators have consistently used "guidance in the form of booklets and
papers on information security" to implement broader standards, Estabrooks
says.
Though there are exceptions, such as the Federal
Deposit Insurance Act of 2003 that regulated consumer data disposal to combat
identity theft, financial cybersecurity has mainly progressed through a
hodgepodge of agency guidance. "There's no certain specific comprehensive
regulatory regime that spells out what the cybersecurity requirements are for
financial institutions. It's an evolving process; in this case, they have
elected to rely on booklets and other guidance," Estabrooks says.
Legal's Liberal Laws
While financial institutions must heed an
ever-advancing set of regulations, the situation is far different in the legal
world. Through his work with the Midwest Cybersecurity Alliance, Abrenio has
found that law firms "are much less regulated, especially given the
quality and quantity of confidential information they hold. They are generally
obligated to maintain their clients' information under the umbrella of a
reasonable standard of care."
But this standard is less than definitive, and
certainly not all-encompassing, Abrenio adds. He notes that while there have
been some cases discussing what is "reasonable" in the digital age,
there are currently no enforceable industry standards "other than a common
law legal obligation to act reasonably to protect information, and legal
ethical standards arising from Rule 1.6 of the American Bar Association's model
rules."
And for the most part, financial regulators historically
have not been concerned with outside counsel, adds Consilio's Ray. A lot of the
financial regulations "tend to be about the protection of end users, and
there aren't necessarily prescribed standards as, say, HIPAA [the Health
Insurance Portability and Accountability Act]. ... I think there was a sense
because of the Swiss cheese of rules and regulations applied to financial
services companies, it's very hard to rely on [regulations] alone to pressure
law firms to do certain things."
That, however, has been changing recently. Given
the growing awareness of enterprise risk and vulnerabilities, many in the
regulatory and financial worlds are moving to more clearly define the
responsibilities of third parties.
In 2015, for example, the Federal Financial Institutions
Examination Council (FFIEC), which comprises federal regulators and
financial organizations, updated its guidelines "to elaborate on managing
third party risks and mention also cybersecurity risks of using third party
vendors," Estabrooks notes.
Spurred by the recent public breaches of law firms and
others, regulation guidance "now requires these financial institutions to
vet any third party vendor," says Judy Selby, a former lawyer and current
managing director at BDO Consulting. "I know law firms don't like to think
of themselves as vendors, but in this situation, they certainly are a vendor of
the financial institution."
The Cyber Differentiator
Holding law firms to the same security standards as
other third party vendors was not at first welcomed by many
in the legal world, who heralded their industry as one established on trust and
confidentiality. "It's been interesting for law firms, because for a long
time they've really dealt with things from a confidentiality perspective,"
Ray says. "Those client communications, privileged communications, are
treated as confidential. It is sort of an ethical gentlemen's agreement with
law firms, but unfortunately a hacker couldn't care less about confidentiality
and the agreement."
Financial institutions played a part too in holding
outside counsel to a different set of standards. Until recently, Ray explains,
"most law firms didn't have to go through a formal [vendor] procurement
process and were therefore exempt from going through these same types of
[cybersecurity] questions and contractual limitations." He adds, "The
challenge with laws is that they were all based on a reasonableness standard
for the most part, and reasonableness is a moving target."
Given the limited language of financial regulations,
financial institutions have taken it upon themselves to specifically define
what cybersecurity protections they expect from their outside counsel. Many do
so through contractual agreements, Ray says, which set up the preferred security
minimums, the company's audit rights, and specific security standards.
While specific cybersecurity assessments will vary
from company to company, Selby notes in her law firm experience, they usually
go beyond just what technical infrastructure a firm has in place. "They
want to see you have good cybersecurity practices. They want to see if you have
an updated and practiced incident response plan, [if you are] training your
employees, things of that nature. They'll ask about your history with regards to
cyber incidents; they want to see you are prepared to detect, remediate, and
recover from an incident. And the recovery is more than just the forensic
recovery, the technical fix—they want firms that can recover [their reputation]
as well."
Building up robust cybersecurity practices is a
complex and difficult task, but it is one that firms have recently dived into
head-on. "What I can say has changed over the past few years is initially,
there was a lot of pushback in some firms against changing their practices or
having to fill out a lot of these assessments and audit reports," Ray
notes. "What I have seen, especially since a lot of these breaches, is a
change in attitude."
But then again, firms have had little choice but to
adapt. Robust cybersecurity, after all, is now the modern day cost of doing
business. "It's become a real corporate differentiator," Selby
explains. "Firms that can't demonstrate that they have good cybersecurity
practices are at a real disadvantage not only with financial institutions but
also with other potential clients."
Financial institutions, for example, may withhold
certain types of work from law firms if they deem the less secure firm to be a
risk to the organization. They will tier law firms out based on the type of
work they get, Ray says, and "if they are getting very sensitive pre-deal
M&A information or the type of thing that is high value to hackers, they
will choose the law firm that not only meets the contractual requirements, but
goes above and beyond."
Certification and Collaboration
There are a few sensible starting points for firms aiming to serve
financial clients that are building out a robust cybersecurity
apparatus. Some certifications, for example, can offer law firms a structured
approach to data protection while ensuring their clients are aware of just what
that protection entails. For financial services, Selby notes that the two most
important are the International Organization for Standardization (ISO) 27001
certification and the National Institute of Standards and Technology (NIST)
framework certification.
Yet while there is a movement in the industry toward
such standards, implementation of relevant certifications still remains
nascent. "I find a lot of law firms are going after their ISO 27001
standards or related standards, [but] very few have achieved them yet, or they
are brand new off the vine, so there's only so quickly you can move," Ray
says. "And for a lot of these firms, they had to hire chief information
officers (CIOs) or security managers and set up road maps. So they've had a lot
of catching up to do."
Beyond certifications, there have also been efforts to
push the legal industry towards a more open and collaborative threat prevention
culture, similar to the one in the financial industry. "Financial services
are very good about sharing threats. ... It will very quickly go from the
information security team in one financial services organization to
another—that helps them be proactive," Ray explains.
But on the other hand, he adds, "law firms tend to
be very reticent to share when they've had breaches, and certainly it's because
they are quite often in litigation representing clients on opposite sides of
the table. There is a culture not to share information."
Recently, however, the passage of the Cybersecurity
Information Sharing Act in 2015, and a subsequent executive order from the
Obama administration, has helped bridge this divide. The law was instrumental
in creating the Financial Services Information Sharing and Analysis Center
(FS-ISAC), which in August 2015 launched the Legal Services Information Sharing
& Analysis Organization (LS-ISAO) for law firms.
The organizations allow closer intra-industry
collaboration, as well as collaboration between financial institutions, law firms
and federal agencies on current cyber risks and best practices. Their foundation
highlights just how intertwined cybersecurity and data protection are for those
in two different, but closely connected industries, where information is vital,
and protection and confidentiality a cornerstone of their daily operations and
success.