Cybersecurity and data threats are making headlines daily, particularly in the financial and professional services space. Law firms are responsible for handling a tremendous amount of private information for their clients. Ensuring your firm has a strong cybersecurity architecture is critical to mitigating risk and minimizing disruption.
In the final episode of this series, Scott Duda, Leader of Cherry Bekaert’s Professional Services Industry practice, is joined by Dan Hulen, a former Director and Business Applications Leader in the Firm’s Digital Advisory practice, and Dan Sembler, a Director in our Risk & Accounting Advisory practice, who share their insights into the biggest IT security threats law firms are facing and what you can do to protect your business.
Discussion includes:
- Major risks impacting law firms when it comes to data protection, and preventive measures against security breaches and disclosure of sensitive information
- Data management, retention, and other data “infrastructure” considerations
- How law firms can identify and evaluate reputational risks
- Utilizing Business Process Automation (or Robotic Process Automation) to reduce risk
Cyber threats are at the forefront of concerns for many in professional services, but there are tools and resources available to protect your business. If you have any questions specific to your business needs, Cherry Bekaert’s Digital Advisory team is available to discuss your situation with you.
If you haven’t already, catch up on our series:
- Digital Transformation in Law Firms: Part I – Understand Your Customer
- Digital Transformation in Law Firms: Part II – Optimize Your Operations
- Digital Transformation in Law Firms: Part III – Innovate for Growth
- Digital Transformation in Law Firms: Part IV – Enable Your Workforce
SCOTT DUDA: Good morning. I'm Scott Duda, and thank you for joining us for the last episode in our Law Firm Digital Transformation series, on protecting your business. I'm an audit partner with Cherry Bekaert, and I also lead our professional services industry group.
SCOTT DUDA: With me today are two Dans, Dan Sembler and Dan Hulen, both directors in our digital advisory and risk assurance practices. Dan Hulen, can you start by introducing yourself?
DAN HULEN: Sure. Thanks, Scott. I'm Dan Hulen, a director in our digital advisory services. I have decades of experience across the IT space in global IT and software infrastructure, security, and analytics.
DAN HULEN: Today I help organizations define what digital transformation means for the business and how it can be leveraged for insights, growth initiatives, and operational effectiveness.
SCOTT DUDA: Thanks. Dan Sembler?
DAN SEMBLER: Hey, Scott. Thanks for having me. I'm Dan Sembler, a director in our risk assurance and advisory practice, specifically in information assurance and cybersecurity. I've been with the firm for over 12 years and now specialize in helping middle-market, rapidly growing technology companies prepare for cybersecurity standards, third-party attestations, and vendor requirements.
SCOTT DUDA: Excellent. We see and hear things about cybersecurity, hacks, lost data, and ransomware in the news every day. When we see those things, it's often financial services or professional services. I think our clients expect a higher level of data integrity and security from us than from some others.
SCOTT DUDA: For both of you, and we'll start with Dan Sembler, what are some of the major risks that law firms are seeing today as they relate to protecting their data?
DAN SEMBLER: We see this question all the time. For context, there's an annual survey from Marsh, the Annual Legal Business Risk Survey; I'm referring to the 2021 edition. Respondents identify where they are worried and what impacts from a cyber or technological breach could have a significant effect on their organization.
DAN SEMBLER: Top responses focus on IT security breaches and losing or inadvertently disclosing commercially sensitive data. Respondents also note significant risks related to workforce availability, which is being seen across the board beyond professional services.
DAN SEMBLER: There are specific concerns about data privacy and complying with vendor or contractual requirements regarding data destruction and retention periods. Financial system integrity is another concern, as compromises there can lead to direct financial loss or hinder growth.
DAN SEMBLER: Lastly, reputational damage is a top concern—how to protect the firm from association with unsavory or unethical clients or client activity that could negatively impact the business.
DAN HULEN: I want to add that probability matters. IT security breaches don't happen every day, but other things do. In the IT context, we talk about risk management and planning for a serious attack, but more probable events include power outages in a data center.
DAN HULEN: From a legal context, procedural oversights are common: failing to complete a key step in a process, missing filing dates, lost documents, wrong attachments, typographical errors, or failing to warn a client of potential risks and costs associated with a course of action. These day-to-day operational failures can lead to negligence claims.
SCOTT DUDA: Let's start with the five impacts that we talked about, and then we can dig into negligence situations. What can firms do to prevent security breaches?
DAN SEMBLER: A common question. The top impacts identified in the Marsh survey include ransomware and phishing. The first line of defense in any cyber risk management program is your employees—the human element. They transact with clients and data and send information, so it's vital to have a standardized, robust information security program.
DAN SEMBLER: That program should include training protocols at hire and annually thereafter, or more frequently if contractual requirements demand it. For access to particularly sensitive data like ePHI, consider quarterly or semi-annual training and special tools or protocols for exchanging and storing data.
DAN SEMBLER: On top of training, have a strong incident response policy documented before an incident occurs. Documented plans should include decision trees, recovery steps, response procedures, and detection processes.
DAN SEMBLER: Also ensure strong encryption and authentication controls around critical infrastructure and wherever confidential data resides. Consider encryption of data at rest and in transit, and evaluate third parties' encryption practices. Implement multi-factor authentication, encryption of service account passwords, and a password management or key management system.
SCOTT DUDA: The human element—you mentioned they're the weak link. That's why I get all those test phishing emails from our IT group. What about data privacy and data destruction? What advice would you give legal practice clients?
DAN HULEN: This has many dimensions. First, right-size data management for the organization. The needs of a 10-person law firm differ from a 500-person international firm.
DAN HULEN: Privacy laws have become much more complex. Law firms should identify their "golden eggs"—the key parts of the business that must be protected—and know how to respond in case of a breach.
DAN HULEN: Know where you collect personal information and where the data lives. Client data may reside in HubSpot, Constant Contact, CRM solutions, practice management systems, on-premises file systems, or cloud-based file systems. Knowing where data is located is critical.
DAN HULEN: Ensure policies are published and processes are in place for opt-outs and for handling customer requests under the California Consumer Privacy Act and other state laws, as well as GDPR.
DAN HULEN: Data management and destruction involve infrastructure considerations: identity and access management, multi-factor authentication, and role-based security within practice management systems and cloud solutions. Maintain an information architecture that outlines where data lives to onboard new employees into appropriate groups with correct access.
DAN HULEN: Implement data retention practices so information is tagged and backend systems can remove it from your environment—whether files, emails, or chats. Use data labeling and tagging for matter- or client-related documents to better protect information.
DAN HULEN: Leverage data labeling to implement data loss prevention tools so that tagged sensitive documents don't leave via general email but instead are shared via encrypted links or virtual mailboxes. Portals are useful for secure exchange.
DAN HULEN: Ensure encryption on endpoints, including PCs and mobile devices, and maintain robust backup and recovery practices. A common issue is a lack of an air gap between production systems and backups; attackers who gain administrator credentials can access and delete backups if separate authentication and protections are not in place.
SCOTT DUDA: One of my clients experienced that backup security issue firsthand. Earlier we discussed reputational risk. What can firms do to mitigate or protect against reputational damage?
DAN SEMBLER: Start with a robust process to identify new risks or reevaluate previously identified risks, executed at least annually. Think of it as enterprise risk management or an overarching risk assessment. If expertise is lacking internally, external providers can assist.
DAN SEMBLER: In the ESG realm, evaluate incoming clients and whether their values align with the firm's values. Public examples show clashes between service providers and clients based on differing values, and firms need processes to evaluate those relationships and potential reputational fallout.
DAN SEMBLER: After identifying a population of risks, evaluate existing controls designed to mitigate those risks. Assess the ongoing effectiveness of those controls in reducing residual risk.
DAN SEMBLER: Then decide whether residual risk is acceptable or whether new policies, processes, controls, or vendors are needed. Consider whether to accept risk, mitigate further, or transfer some risk via insurance or third parties.
DAN HULEN: In addition, key operational processes—conflict-of-interest inquiries, Know Your Customer procedures, and anti-money laundering requirements—are critical. Software-based solutions can automate and enhance those processes for greater reliability.
SCOTT DUDA: Let's talk about business process automation. How does that reduce risk?
DAN HULEN: This is an important area. Procedural oversights—failures to diarize time-critical steps, internal process failures, typographical errors, or failures to warn clients—are common. Firms can reduce risk by applying process standardization and automation.
DAN HULEN: There are two types to distinguish: business process automation, which routes forms and approvals, and robotic process automation (RPA), which brings greater quality and capability to reduce waste and errors.
DAN HULEN: Examples for law firms include scheduling appointments with auto-scheduling, digital signature capabilities, contract management automation for identifying contracts requiring review, and accepting or rejecting contract changes based on predefined non-negotiables.
DAN HULEN: Document generation can harvest data from government websites or practice management systems, automatically filling templates. RPA bots can log in with credentials to collect information and populate documents.
DAN HULEN: Other uses include creating digests for changes in law or regulatory compliance for internal use or client publication, handling privacy requests and GDPR requests, managing export controls and H-1B visa processes, and enabling self-service NDAs.
DAN HULEN: These applications reduce errors, lower negligence claims, eliminate waste, improve accuracy, enhance customer satisfaction, and increase margins through productization. For example, using RPA for H-1B visa applications can improve accuracy and reduce back-and-forth iterations.
SCOTT DUDA: So what other practices should firms be thinking about to reduce risk and protect the business? Anything else we should be considering?