Every week seems to bring another story of email theft. The attacks are relentless, striking corporations, government agencies and political groups.
Fortune recently reported that a series of break-ins at top U.S. firms was much wider than originally thought and linked to the Chinese government. According to Fortune, the attackers stole tens of gigabytes of data from one firm alone, possibly amounting to hundreds of thousands of emails. The article added, “The hackers returned repeatedly in search of new information.” No wonder. Law firms, with their troves of confidential client data, make tempting targets for criminals bent on insider trading, blackmail or industrial espionage.
The lesson for firms is clear: If you’re not paying attention to security, you’re not paying attention.
Attorneys Sharon Nelson, David Ries and John Simek are among the alert. Their guide to legal cybersecurity, “Locked Down: Practical Information Security for Lawyers,” has lessons for RIAs. It details lawyers’ ethical, common law and statutory obligations to protect client information, along with their contractual obligations to protect client data. They acknowledge security is harder and more complicated than it was in the days of paper documents. But as they point out, it’s also more urgent. They cite a report showing that 80% of the 100 largest law firms by revenue were hacked between 2011 and 2015, leaving little doubt that technology buyers need to put security front and center.
The question is how. Vendors don’t always make it easy. Some try to pass off their suppliers’ security practices as their own and, to be fair, those practices are important. Most SaaS vendors rely on cloud service providers such as AWS and Azure for their cloud infrastructure. Buyers need to understand how those providers manage and protect data. But they also need to realize their data will probably move through the vendor’s own IT infrastructure as well. Confidential information such as contracts, NDAs and emails may be stored on local servers or employee laptops. For this reason, your team needs to evaluate the vendor’s own security and compliance policies and procedures, not just those of its cloud provider.
One simple way to do this is through a questionnaire. A questionnaire can facilitate a conversation between the vendor and the client team about security certifications, data encryption and ongoing risk assessment and how these will be handled once the client data is turned over to the vendor. Some questions to consider:
1. What are the vendor’s policies and procedures on information security? Does the vendor perform security risk assessments to identify and measure risks and, if so, how often?
2. Does the vendor have a dedicated role for information security and compliance?
3. Does the vendor enforce use of strong multifactor authentication (MFA/2FA) for all elevated or privileged administrator accounts?
4. What are the vendor’s practices for third-party auditing, vulnerability scanning and penetration testing?
5. How does the vendor encrypt data at rest and in transit, and what kinds of controls and processes does it have in place for intrusion detection, monitoring, and threat detection?
6. How does the vendor delete client data?
7. How does the vendor respond to security incidents, and how does it work with clients if an incident occurs?
When performing a vendor security assessment, there are a few things you should specifically watch out for. One is whether they maintain a relevant security certification assessed and tested by an independent auditor. Two industry-leading options are a SOC 2 Type II certification or an ISO 27001 certification from an accredited provider. These demonstrate that an independent party has reviewed the security infrastructure and determined it complies with the selected framework. These certifications are voluntary, which means the vendor has opted in and exposed their security practices and procedures to third-party review.
It is also important to determine whether the vendor complies with relevant regulations if you send information that triggers compliance, such as protected health information (PHI) under HIPAA. If you are dealing with PHI, you will need to execute a business associate agreement (BAA) with the vendor. It’s important to obtain their assurance that they comply with the HIPAA Security and Privacy rules.
It is also worth asking whether the vendor has done a HIPAA self-evaluation or invited a third party to complete a HIPAA compliance evaluation. Keep in mind that there is no HIPAA certification recognized by the U.S. Department of Health & Human Services (HHS), whose Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security rules. However, security-savvy vendors will know this and be able to provide assurance regarding their HIPAA-compliant practices.
It may sound like a lot, but the stakes are high, and half-measures won’t get the job done anymore. Luckily, with suitable care and the proper questions, you can fulfill all your obligations for security and confidentiality, stay current with the latest risk-management practices and keep yourself out of the headlines.
— Read What Regulators Are Looking for in Your Firm’s Cybersecurity on ThinkAdvisor.