The Shared Assessments Program - All Rights Reserved 2

Transcription

1 The Significance of Information Security and Privacy Controls on Law Firms as Third Party Service Providers and Collaborative Opportunities for Resolution April 2015

2 Abstract As regulators increase pressure on financial institutions to ensure their third party risk management programs meet new regulations and guidelines, including those for cybersecurity, many banks are more closely scrutinizing third party provider handling of sensitive information to ensure objective and compliant oversight of their vendors. 1 Additional pressure is being placed globally on third party controls as criminals increasingly use malicious intrusions and cyber attacks to target third party service providers as a means of accessing confidential client data. 2 Law firms now find themselves in an environment of increasing scrutiny, with demands from a regulatory viewpoint, that law firms provide the same security controls as any other service provider that has access to confidential information or systems. The traditional framework in which law firms have been treated as trusted third party providers that intrinsically employ attorney client privilege to prevent disclosure of confidential information was developed when protecting privileged information went no further than being discreet in conversations and scrupulously maintaining paper files. Today, protecting confidential client information means developing and maintaining robust IT and cybersecurity controls to prevent unintentional or unauthorized access to data, metadata, and document records. This paper focuses on: (1) the issues law firms are facing as they adapt to providing a secure IT environment that meets increasingly stringent third party risk assessment requirements; and (2) solution building efforts to establish robust industry-wide program recommendations regarding management of IT security, data, resiliency, and privacy risk. Issue Landscape The recent scrutiny of the risks associated with the information and communications technology supply chain was initiated by federal regulators during the mortgage crisis in 2008, with state agencies quickly in tow. This increased level of inspection is evident in the repeated statements since that time by the Office of the Comptroller of the Currency, Federal Financial Institutions Examination Council Chair and Federal Reserve System Board of Governors declaring the importance of addressing information outsourcing security risks because of the threat they pose to the health of the overall financial system, as well as to national security. Additionally, Security and Exchange Commission 2014 roundtable discussions and Federal Trade Commission and Department of Justice policy statements have all focused on cyber threat assessments internally, as well as those in vendor relationships. 3 New York State s Department of Financial Services (DFS) exemplifies the expansion of this effort in answer both to regulatory requirements and ongoing increases in ever more refined cyber attacks. Beginning in 2014, DFS undertook two surveys of a total of 190 financial institutions due diligence processes, including the institutions policies and procedures governing third party relationships and the steps taken to adhere to third party stakeholder concerns as issued in the National Institute of Standards and Technology (NIST) 2014 Framework for Improving Critical Infrastructure Cybersecurity. The DFS May 2015 report states that law firms are sometimes excluded from being considered high-risk third party vendors, as demonstrated through some banking organizations having exemptions from their customary due diligence for individual consultants and professional service providers (e.g., legal counsel). 4 Concerns focus on law firms particularly due to the large volume and recurring access to sensitive data these firms are afforded, making them a unique and under-controlled critical access point for malware incursions for the financial institutions that engage them. 5 Financial institution arrangements with law firms offer ongoing opportunities to access institutional and industry-wide information assets which include: market-moving merger and acquisition details; confidential, intellectual property and sensitive data (CIPS), such as valuable trade secrets and processes; and sensitive customer information and metadata, such as personally identifiable information (PII), credit card data, and protected health information (PHI). This issue extends to the growing concern regarding security of the physical and virtual locations of data, including information stored on mobile devices and the Cloud. 1 Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal; New York and Federal Regulators Increasingly Focus Attention on Cybersecurity in the Financial Sector. Gibson Dunn Publications. October 27, Gibson, Dunn & Crutcher LLP. 2 Keller, B. Why Law Firms Should be Concerned About Third Party Risk. Prevalent, Inc National Exam Program Risk Alert. Security & Exchange Commission Office of Compliance Inspections & Exams Cybersecurity Initiative. April 15, 2014; DOJ Issue Antitrust Policy Statement on Sharing Cybersecurity Information. Federal Trade Commission Press Release. April 10, 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Smith, J. & Glazer, E. Banks Demand That Law Firms Harden Cyberattack Defenses: Background Checks, System Audits Are Used to Close Potential Back-Door Breaches. October 26, Wall Street Journal. 2

3 Outsourcing institutions are just beginning to demand that their vendors carry the same level of risk management as their own institutional programs require. In the DFS reports, fewer than half the banks reported requiring onsite assessment for their third party vendors. Just 36% require information security requirements to be extended to their vendors. And 30% of those banks surveyed do not require their third party vendors to notify them of a breach or other cybersecurity incident. 6 This indicates that current policies and procedures of outsourcing institutions do not yet adequately emphasize appropriate data privacy and security requirements (DPSR) and the necessary specifics regarding third party IT data security programs and information systems policy and internal/external breach notifications. Developing more appropriate policies is especially critical in the wake of source breaches, distributed denial of service (DDOS) attacks, and third party bots, which are becoming increasingly more prevalent. Therefore, law firms will be required in the very near future to use current bank practices as the norm for their security protections as banks increase their scrutiny of outsourced service providers to better align with risks and regulatory expectations. Issue Size and Scope Risks are significant within the legal provider landscape, where unauthorized access to client data has serious consequences. Firms are coming to the realization that their vulnerability to hackers is of concern in their relationships with outsourcing institutions. 7 At least 80 of the 100 biggest firms (by revenue) in the US have been hacked since 2011, including a firm targeted by hackers in connection with a trade dispute with China. 8 Issues of regulatory compliance and data security become a significant area of concern in law firm settings where breakdowns or even a lack of controls are reported throughout the data path, especially in smaller and midsize law firms, where staff routinely share login accounts, passwords, and physical access to filing cabinets. 9 Oftentimes, these third party firms also have cybersecurity gaps that arise from varying levels of IT capability and maturity, personnel client support role rotation, and outsourced ediscovery functions and shared or managed IT services. These arrangements present unique challenges that can lead to serious security and privacy concerns, many times leaving the law firms susceptible to risk of unauthorized access. The scale of the issue is demonstrated in American Bar Association reports that show 14% of firms surveyed experienced a security breach. While confidentiality, data control and ownership, ethics and vendor reputation all take high rank on concerns by lawyers polled, 22% of firms take no precautionary measures at all trending upward since The ABA studies further report surprise and significant concern over the lack of due diligence in the legal profession surrounding the use of technology and consumer Cloud services. Ninety four percent of firms laptop users and 90% of smartphone users apply only the bare minimum in security. Stronger security, such as drive encryption and asset tagging and management in the event loss or theft, are used just 15% of the time. Less than 60% of firms polled have controls on document/records management and less than half have policies on acceptable computer use, retention, or Internet use. No breach trends were reported by firm size, indicating the vulnerability across the board for firms. However, larger firms are considered an even greater risk for compromise due to the exposure of data and records to more employees, metadata, and technology. 10 In practice, regulatory compliance was shown to be ranked lowest of the factors driving information security spending among law firms. 11 Protection of confidentiality appears to take precedence over the other aspects of data security, such as integrity and availability of data. 12 As a result, in the current environment the following can take place: Unauthorized access to or even removal of sensitive and personally identifiable information by trusted or contracted staff, including maintenance and custodial personnel. Loss of intellectual property through loss of a laptop, USB drive, or other mobile device. Data leakage via insecure systems or through mobile systems that don t containerize or segregate work from personal systems. Call data breach through movement of call centers to a less expensive but less secure venue. Compromise of in house or fourth party document, data, and metadata repositories that are accessed and managed as part of outsourced IT and/or ediscovery processes. 6 Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April Conte, A. Unprepared Law Firms Vulnerable to Hackers. September 13, Trib Total Media. 8 Hansen, S. Cyber Attacks Upend Attorney-Client Privilege: Security experts say law firms are perfect targets for hackers. March 19, Bloomberg Business. 9 ABA 2014 Tech Report. American Bar Association Legal Technology Resource Center Legal Technology Survey Report. Six Volumes. American Bar Association Legal Technology Resource Center Report on Cyber Security in the Banking Sector. New York State Department of Financial Services. May 2014; Update on Cyber Security in the Banking Sector. New York State Department of Financial Services. April ABA Legal Technology Resource Center website

4 In recognition of the scope of this problem, DFS is undertaking a third survey to evaluate the cybersecurity of third party vendors. Further, in light of its findings DFS anticipates strengthening regulations regarding cybersecurity for outsourced vendors serving financial institutions as part of their effort to reduce the risk of backdoor hacker access to bank client data. In this climate, it is increasingly evident that for banks to effectively address both regulatory issues and the issue of criminals targeting third party law firm service providers as a means of accessing confidential financial industry data, that banks industry-wide will increasingly require their law firms to have robust security controls similar to what the financial institutions are being held to for security and compliance. From a privacy perspective, vendors will be held to the provisions contained in Massachusetts 201 CMR one of the most stringent privacy laws in the nation. Recommendations: Identifying & Addressing Gaps To meet the emerging challenges surrounding due diligence, firms can begin to advance their understanding and build best practices for their own risk management programs. This is in keeping with the ABA s Model Rules, as well as contract and regulatory obligations for protecting client data. 13 It has already become more prevalent in the financial industry that any vendor not meeting an outsourcing organization s minimum requirements will no longer be engaged for services. Therefore, it is essential to begin constructing a culture of accountability that includes trust building and onsite verification of documented controls that address the concerns of protection of confidentiality, integrity, availability of data, and industry regulatory compliance requirements. Shared Assessments recommends working collaboratively to convene stakeholders in roundtable discussions that evaluate security postures among industry members and law firm vendors. An examination of the risks associated with the information and communications technology supply chain would include both internal and external vulnerabilities, such as information systems policies and procedures and malicious threats and the implications of each in terms of impact from compromised data. This would supplement the valuable information garnered so far regarding threats, exposure, and cost of improvements in cybersecurity programs and breaches in the third party legal provider environment. Once these stakeholders have identified common issues and concerns as part of the solution building process and gained an understanding that risk management is not a competitive issue, these organizations could work together to develop best practices and processes and implement these on a broad basis. This type of solution building can include the type of peer-driven information sharing organizations that have helped the banking industry to improve IT data, security, privacy and resiliency oversight, or side-by-side work with financial institutions in cross industry associations to develop best practices, tools, and processes. These strategies are currently lacking in the legal profession, which would benefit through increased awareness of newly identified threats. Specifics to which legal service provider risk management controls can respond include risk for detection, prevention, and mitigation resource levels that address fully any problems identified and the repercussions in case of breach. 14 As a form of guidance to begin discussions, the following areas have been identified: Documented reasonable and appropriate administrative and physical safeguards regarding classification and management of data, metadata, and records transfer, archiving, alteration, destruction, automated access testing, and monitoring diagnosis and verification. Evidence of an established risk management program. Clear rules for information sharing. Specifications regarding exactly where business that touches sensitive data takes place, including where data (including Cloud data) is hosted. Lifecycle management regarding capacity to track data throughout its flight, with restriction on use of portable devices/media. Protection (e.g., strong encryption) for stored data at rest, particularly on portable drives. Cyber risk insurance coverage at the vendor level. Criminal, professional, and academic background checks on anyone with authorized or potential access to data. Prior request for intent to move data to new sub-vendors (fourth parties) or specification of no movement allowed. Notification on any breach in a timely manner (within a specified time frame). Information security training, education, and awareness programs for vendor staff. Vendor staff and contractors covered under non-disclosure and confidentiality agreements. Requirements at agreement termination for return of assets or documented purge/delete/destroy. 13 ABA ethics Model Rules 1.1 and 1.6 mandate that attorneys take competent and reasonable measures to safeguard information relating to clients 14 Service Providers: Consumer Financial Protection Bureau Bulletin Consumer Financial Protection Bureau. April 13,

5 Requirements for limiting access to institution related data and case files to only those who need to access the data to perform their job duties (e.g., principle of least privilege), including those conducting compliance audits. Additionally, law firms should understand that they shoulder the responsibility for vetting the IT security, data, and privacy risks associated with their vendors and any fourth party coming in contact with the firm s data. Return on Investment By using a security framework that identifies specific areas for governance process maturity improvements, both law firms and outsourcing institutions can make well-informed, cost-effective decisions and more effectively manage vendor-related risks. Law firms of all sizes are just beginning to recognize the benefits of responding to client demands for security and are doing so, in part, by obtaining onsite audit and penetration testing. While building staff competence and data hosting components is labor and infrastructure intensive, such investment is required for any firm wishing to remain in service to the financial services industry. If robust information security and privacy controls are not already in house, the initial price tag is high for mid-size and smaller firms. Collaboration among industry leaders to establish best practices controls and make recommendations, where applicable, regarding facilities management, basic monitoring, physical and abstract infrastructure security and enterprise integration is expected to create efficiencies and cost savings for law firms that will help offset development costs within a given firm. Some law firms already enlist outside auditors and face examination by client compliance and audit staff. With investments in technology, updates to key infrastructure components, and software upgrades that are coupled with professional development awareness and process training for staff, firms can further minimize risk and improve the reputation of law firms throughout the industry as they set the new standard for appropriate and effective controls. The addition of improved detection, prevention, and mitigation resources will make cybersecurity insurance more cost effective. Firms that cannot or will not meet industry-developed recommendations must closely consider the possible ramifications. With the average cost of data breach reaching $3.5 million per incident there is no sound reason for law firms not to implement and operate security controls over the access and handling of data. 15 A firm needs to be able to demonstrate compliance with regulatory and contractual obligations making the ability to document thoroughly and report on processes paramount. An independent assessment report that holistically reviews a firm s security and privacy posture within a more robust framework will be a valuable tool for negotiations for law firms wishing to engage with banking and other regulated sectors. Conclusion As law firms have become increasingly tempting targets for hacking and similar data theft and regulatory concerns are driving banks specifically to revise their due diligence and monitoring of third party law firm providers, it is essential that sound controls be developed and documented along with provisions for recourse. Working collaboratively to create efficiencies would help build an industry-driven set of controls, procedures, and processes that address all aspects of the emerging regulations and cybersecurity threats to build effective assessment regimes, such as task workflow, security awareness training, onsite assessments of controls and system audits, and authentication and access controls. Once established, this information would help construct a replicable process for evaluating client vendor relationship that employs governance modeling in a framework that contains all the elements critical to a successful program. A high level incentive and return on investment to undertake such security and privacy control improvements lies in the knowledge that firms which adhere to generally accepted security best practices will be those engaged or re-engaged by financial institutions which must adhere to the marketplace demands for appropriate and effective controls. About the Shared Assessments Program The Shared Assessments Program is the trusted source for third party risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. Members represent a collaborative, global, peer community of information security, privacy, and third party risk management leaders in industries including financial services, insurance, brokerage, healthcare, retail, and telecommunications. The Certified Third Party Risk Professional (CTPRP) certification program, membership, and use of the Shared Assessments Program 15 Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. Ponemon Institute. May 5,

6 Tools, ensure organizations stay current with the threat and risk environment, including regulations, industry standards, and guidelines. Shared Assessments provides organizations and their service providers the rigorous controls needed for IT, data security, privacy, and business continuity. The Shared Assessments Program is managed by The Santa Fe Group ( a strategic consulting company based in Santa Fe, New Mexico. On the web at sharedassessments.org. 6