Lawyers and other professional advisers don’t normally think of themselves as part of a business’s “supply chain”. As professionals, we traditionally put ourselves in a little box off to the side. We are brought in when strategically necessary, bringing our specialist expertise, and we like to think of ourselves as “trusted advisers” rather than part of the fabric of the client’s business.
We don’t, after all, provide inputs to manufacturing processes, handle outsourced elements of your business or sell widgets.
However, in the wake of several major law firm breaches in Australia and internationally just in the last three weeks, not to mention many more breaches of financial services firms and other advisers in recent history, not only will lawyers and other professional firms need to rethink their role in the supply chain — but so will their clients.
In the world of cyber security, law firms and other professional advisers are very much part of the “supply chain” that can be used to attack a target business. Threat actors don’t see “advisers” any differently to “suppliers”. They see a source of highly valuable information, sitting outside the business’s secure corporate network, and therefore easier pickings.
Pause for a minute and think about the information your lawyer, accountant, financial adviser, or procurement adviser holds about your business.
Commercial and corporate law firms hold information about IP yet to be registered and protected, projects to develop and launch a new industry-changing product, plans to acquire another business or sell off part of the company, and bids for major tenders, with key financial information that could give a competitive edge to another bidder. Much of this same information is shared with other professional advisers, who in turn hold detailed financial information, sensitive commercial details, strategic plans and the like.
This is just a small sample of what external advisers hold. What’s more, they usually hold it on their systems (outside your corporate network and control). They may also be more likely to be smaller organisations, potentially without the high-level security afforded by the big firms (not that being a big firm makes you immune to breaches — it doesn’t).
The upshot of this for professional advisory firms is that their assessment of who might be targeting their business, and how, needs to consider not just traditional threat actors but also anyone who might seek to expose or gain information about one of their clients, or who sees value in the information the firm holds. While the “business” of a professional advisory firm will always be providing quality advice to clients, partners and boards of these firms need to have the security of the firm high on their agenda, ensuring that the firm’s risk management program includes prompt technology patching, training of staff, and other standard security “hygiene” practices.
Firms are increasingly using technology to support their practices and collaborate with clients — as they should. However, these technology solutions each come with their own set of risks and vulnerabilities. The due diligence system you use to access documents for your client’s takeover bid holds extremely sensitive information and also provides a whole other set of vulnerabilities to your firm’s IT network. For example, the Allens breach in 2021 was a breach of the file-sharing system (Accellion) used by the firm.
As firms start to adopt these technologies, you need to be asking about their security as part of your own due diligence.
Security as a foundational business principle
A culture of security must also become part of the culture of every firm and led from the partnership. I have worked with many partners who are proud “technology luddites”, refusing to use unique passwords and actively resisting the implementation of security measures like multifactor authentication because it’s “all too hard”. This attitude then infects the security culture throughout the firm. This might have been excusable in the past, but not in 2023. Interestingly, reports in Lawyers Weekly in mid-April found that the majority of legal professionals have no confidence in their firm’s ability to detect and respond to security breaches.
If the professionals in the firm lack confidence that their systems are secure, their clients should be worried.
What is at stake? To name a few of the consequences: fines for breach of data privacy laws (for the firm and for impacted clients), reputational damage and loss of trust (and likely loss of clients), and, increasingly likely, an investigation by the Australian Securities and Investments Commission (ASIC) and consideration of professional misconduct by the relevant profession’s regulatory bodies.
What should firms be doing to uplift the security of their practice and become a “strong” link in their client’s supply chain?
For clients of professional advisers (e.g. most businesses), when examining the security and risk of your supply chain, you must not forget your professional advisers. Given the level of sensitivity of the data they hold, you probably should place them high on your priority list. You should consider:
And if you don’t know where to start — get some help.
Annie Haggar is principal of Cyber GC, a specialist cyber security legal, consulting and board advisory firm.