Issue link: http://dsnews.uberflip.com/i/1149365
only recognize cyber risks, but also to assist in providing the appropriate measures law firms need to take to help mitigate a cyber loss.

According to the ABA, the first line of defense includes controlling access by way of authentication measures. These include basic processes such as the routine updating of passwords, as well as more complex systems such as fingerprint readers and facial recognition. The universal consensus acknowledges that, no matter if the device is a smartphone or laptop, all devices used by attorneys should incorporate some form of basic authentication.

In addition to strong passwords, the ABA further recommends that firms also maintain a level of encryption. In basic terms, encryption allows data to be protected until it is decrypted by using a specified password or other measure. This form of access control protects data in storage and transmitted data. Data can include information housed on devices or servers and information exchanged through email or another messaging form. There is an additional concern with the popularity of remote access as web-based applications, as well as virtual private networks (VPNs). Thankfully, most platforms already utilize some level of basic encryption.

Finally, there are other types of security measures the ABA recommends, including anti-spyware, firewalls, antivirus programs for devices, and intrusion detection. Firms that believe they could be especially prone to a cyberattack can hire third-party companies to perform a network penetration test, and then remediate any findings accordingly.

While the ABA's suggestions are valuable to all firms, foreclosure firms have an extra layer of responsibility, both in terms of protecting their clients' information and in terms of shielding confidential borrower information. If there is a "fortunate" component to compliance requirements, it comes in the form of the technology audit.
While client mandates pose a staggering cost to default firms, both in terms of physical security and cybersecurity, they do outline requirements that make default firms more protected than most. In fact, the ABA's recommendations and most servicer requirements share many similarities. Both include multi-factor authentication measures, disaster-recovery and business continuity plans, as well as the need for encrypted remote access.

ALL IS NOT LOST

The increased creativity employed by cybercriminals makes it difficult to thwart every potential threat. While recognizing the risk is the obvious key to prevention, knowing what to do in the event of a loss can help mitigate further damage. A data breach involves myriad complexities, making cybercrimes much more difficult to track than any traditional form of theft. Often, a hacker can spend an indefinite amount of time monitoring a firm's network before he or she decides to cause damage.

Once a cyberattack occurs, the first step is to identify the problem and understand the root of the issue. This next step may not be as apparent, but there is a crisis-management component firms will need to employ to prevent reputational discreditation. Vivian Hood, the CEO of Jaffee Partners, outlines a step-by-step guide in her 2018 piece for The National Law Review, entitled "Law Firms and Cyber Attacks—What's a Law Firm to Do?" In her article, Hood argues that perhaps the single most important response was for firms to alert relevant parties before a breach became public. Hood notes, "Now more than ever, transparency is necessary—even though it may seem like the least desirable approach to take."

Hood makes the argument that sharing the news of a data breach before it's leaked by someone else allows a firm to prevent further reputational damage. This decision is a small component of a firm's overall crisis communications plan, which should be shared with clients, staff, attorneys, and even vendors.
A standard plan should have an outlined process for what information is to be communicated (and by whom), as well as a timeline identifying the breach, including information pertaining to what the firm is doing to lessen the damage.

ENSURING YOUR TECH FUTURE

While controlling the narrative is important to maintaining reputational integrity, there is undoubtedly a monetary component to consider as well. Cyber-insurance is a relatively new coverage type that came into existence approximately 15 years ago as a standalone policy with individual limits and sub-limits. In its basic form, cyber-insurance protects firms in the event they have a data breach and a resulting loss. Types of covered losses could be direct, such as an intercepted wire transfer, or indirect, such as the loss of revenue during network downtime. Other coverage provisions include limits for computer and legal experts, betterment, data restoration, and public relations. For law firms of all sizes and practice demographics, cyber-insurance is a relatively inexpensive layer of protection considering the exorbitant expense associated with a cyber-incident.

For the foreseeable future, cyberthreats will remain a global danger to all companies. While lawyers and IT specialists alike have improved the network security of their respective firms, the ongoing creativity of hackers makes it difficult to outstep this ever-changing peril. It is important that all employees remain cognizant of cyber-fraud and continuously monitor any potential danger. While cybercrime certainly won't be eliminated, it can be appropriately managed so law firms can lessen their risk of a loss.