Cyber Risk DSI: Legal

This is the fourth in our mini-series of cyber risk department-specific inquiries (DSI). This week we’re taking a closer look at the risk faced by an organisation’s legal department and how these can best be mitigated.

Courtenay Brammar
Cyber Security: Beyond the headlines


Welcome to another edition of Cyber Security: Beyond the headlines. Each week we’ll be sharing a bite-sized piece of unique, proprietary insight from the data archive behind our high-quality, peer-reviewed, cyber security case studies.

Having access to in-depth information on a large number of cyber attacks enables us to detect some interesting patterns that would otherwise remain obscured. One of these patterns is how prominent the legal team is in the response and reaction to a company’s cyber event.

Considering that most businesses now accept that a cyber attack is a “when”, not an “if”, scenario, it would seem apposite to take a closer look at this department and the unique risks it faces.

Responsible for providing legal services to management and employees across a diverse and complex set of circumstances, including litigation, investigations, compliance and mergers and acquisitions, the legal team has purview across highly sensitive workstreams. Their assignments often involve:

  • working with sensitive company data which can include non-public market moving data
  • highly publicised events that require significant interaction with varying external stakeholders
  • managing external vendors who conduct legal affairs on behalf of the company and so also handle sensitive company data

If we consider these roles, it is clear that they furnish attackers with both the motivation and the access points for a number of external cyber attacks.

For instance, as we’ve touched on recently, confidential information that can be used to generate an advantage in financial markets is highly prized by attackers. Add to that the fact that it is often quite clear what the legal team is currently working on and which external stakeholders they are interacting with, and you have the perfect conditions for spearphishers looking to construct a convincing scam.

In fact, our repository contains many examples where legal teams have been targeted directly by a sophisticated spearphishing attack. Security firm FireEye has also highlighted that attackers are sending spoofed emails, purporting to be from the Securities and Exchange Commission, and aiming them at lawyers. Considering that back in 2015 it was already clear that legal teams were amongst the most likely to fall for a phishing attack, it seems a priority that they review their defences against this attack vector.

Finally, managing external vendors with whom the legal team is exchanging sensitive information requires oversight of those external vendors’ own security policies. But most legal teams lack the skills and experience necessary to perform these checks.

So what should companies do to shore up their defences?

  • legal teams are thoroughly versed in the concepts of custodianship and should be closely involved in the company’s incident response planning and execution
  • legal teams should have a role in cyber security planning, with a particular focus on possible data retrieval requirements for litigation defence purposes
  • legal teams must be involved in implementing a risk-based cyber security programme which takes into consideration the company’s insurance coverage; as we wrote about previously, legal teams need to carefully consider exclusions in insurance contracts in light of their company’s operations

In our analysis it’s clear that legal teams have to take steps to become considerably more au fait with cyber security. This should not just be about protecting their companies from an inadvertent click on a targeted attack link, but about recognising that they have a business-critical role to play, including planning how they will respond to a security breach or cyber attack.

In-house legal teams tend to have a consistent pipeline of legal work. However, when a cyber event occurs that workload can increase exponentially — leading the internal investigation, crafting company statements, handling legal threats, coordinating with law enforcement, government agencies, regulators etc.

Companies that haven’t done so already should construct a number of cyber attack scenarios and determine how the legal team would perform and whether existing resources would cope with the adverse strain placed on them.

Take two relevant examples: the Yahoo breach, where members of the legal team were forced to resign for their inaction following the breach, and Uber’s 2016 data breach, where the legal team were fired for suppressing information about the breach. Both demonstrate the adverse impacts on companies whose legal teams performed wide of the mark.

Clients use us to build plausible scenarios drawing on the real-life events data in our repository. If you’d like us to help then drop us a line on: consulting@cybersecuritycasestudies.com

Found this interesting? Sign up to receive these insights every week directly in your inbox and check out our previous editions at Cyber Security: Beyond the headlines.
