The Bankers and the Lawmen Should be Cyber Friends

When I read Matthew Goldstein’s February 24, 2015 article “Wall St. and Law Firms Plan Cooperative Body to Bolster Online Security,” in the DealB%k section of The New York Times, I was reminded of the song “The Farmer and the Cowman” from Rodgers and Hammerstein’s “Oklahoma!” about how farmers and cowmen should get along and help one another. This new cooperation is notable because banks and law firms have not typically collaborated on security in the past, as far as I know. Usually communication is through attorney-client relationships.

The NYT article describes meetings between major financial firms and large law firms to examine their working together on cybersecurity. As the article points out, financial services established the highly successful FS-ISAC (Financial Services Information Sharing and Analysis Center), of which I was a co-founder, more than 15 years ago, and financial institutions have been able to share, anonymously where appropriate, information on cyber threats, exploits and incidents. Since that time, each of nearly two dozen U.S. sectors and industries has established an ISAC or is working towards forming one. You can get more details on which entities have ISACs at the National Council of ISACs website at

Historically financial institutions and law firms have viewed information security quite differently. Financial firms are usually public companies and tend to be much larger than law firms. They are highly regulated, whereas law firms are mostly privately-held partnerships without the same level of regulations and oversight, as far as I am aware. Financial institutions primarily deal with money and customer and business-partner information, whereas law firms handle their clients’ confidential information. Since money is easy to quantify accurately and other sensitive information is less easily valued, losses from data breaches are more readily calculated for financial institutions. Such losses tend to be fuzzier for law firms. Financial institutions depend on IT for their very existence. Law firms often embrace technology reluctantly, preferring personal relationships over impersonal transactions. An interesting summary of the legal profession’s cybersecurity status can be found in the Delta Risk Viewpoint paper “Law Firms and Cyber Security: A hacker’s dream and a lawyer’s nightmare” with a link at  (full disclosure: I work with Delta Risk from time to time).

Perhaps the most effective motivators for organizations to beef up their information security capabilities are pressure from peers, customers, and other third parties, and actual data breaches, whether affecting the organization directly or another entity with which the organization does business or with which it identifies. I have seen how difficult it is to obtain the necessary funding for security projects until and unless a major breach is announced. Then money is no object … up to a point.

Organizations and individuals need to be proactive in ensuring that their confidential information, which includes nonpublic personal, financial and health data, proprietary information, and trade secrets, is protected at an appropriate level. Financial firms frequently use audits and attestations, such as the SSAE 16 report (successor to SAS 70), to reassure customers and business partners that they have achieved satisfactory levels of operational controls. They also obtain ISO/IEC 27001 certification (the companion code of practice, ISO/IEC 27002, was formerly ISO/IEC 17799, which was based on BS 7799) and undergo other examinations of their security capabilities. If firms are in the payment card business, then PCI DSS compliance validation is required. The Santa Fe Group manages the Shared Assessments program, originally developed by BITS, that informs companies about the operational risk of service providers that have undergone such assessments. I don’t believe that law firms, in general, participate in these types of programs. Perhaps they should.

Many major data breaches are the result of attacks, not only from within victim organizations, but via third parties that do business with and are connected to the victim. Law firms fall into this latter category. They have financial institutions’ confidential data within their own systems or have direct access to financial firms’ computers and databases, and vice versa. It is entirely appropriate that a partnership be created between financial and law firms to improve the security and data integrity of all parties. I hope that this venture progresses well as it will be to the advantage of everyone … except the bad guys, of course!
