Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Corporations Demanding Cyberaudits from Law Firms

June 18, 2013

There is a day of reckoning – and for law firms, that day has come.

After many years of lax information security, clients are increasingly demanding that law firms undergo cyberaudits.

Hat tip to colleague Joan Bullock for reminding me of a Law Technology News story that I meant to blog about when it first came out.

As the story notes, Bank of America Merrill Lynch is auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators to do so. As one of its representatives observed, Bank of America is "one of the largest targets in the world" for cyberattacks, and law firms are "considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information."

Regulators at the Office of the Comptroller of the Currency, which oversees BofA and other financial services companies, are reportedly focusing on law firms and demanding cybersecurity audits that cover technology as well as policies and practices. Beyond audits, they also want penetration testing. And forget law firms doing their own auditing – clients want independent audits.

While large law firms are grappling with this more than small law firms, which tend to have smaller clients, it is certain to filter down as clients become more concerned about the security of their data.