A Strategic Approach to Law Firm Cybersecurity

How much should law firms spend to ensure that their computer systems aren’t hacked, and that they maintain the confidentiality of their clients’ information?

A recent survey of AmLaw 200 firms suggests that they spend a little less than 2 percent of their revenues on cybersecurity.  This estimate is likely to overestimate their actual expenditures. If the 2 percent figure were accurate, it would be in the same ballpark as what large law firms spend on their annual market efforts.

The 2% figure comes from a survey that was conducted by a consulting firm, Chase Cost Management, in connection with a conference attended by Chief Information Officers of large law firms and others from the world of law tech. The survey was completed by a third of conference participants. As such, it isn’t a random sample, and the survey results aren’t scientific.

Nonetheless, the survey does raise two particularly interesting strategic issues for leaders of law firms. First, the survey results suggest that clients are pressuring law firms to spend more on cybersecurity. Thus, if your firm represents institutional clients, you should be prepared to face some questions from clients about your cybersecurity plans and infrastructure. Likewise, firms that handle especially sensitive data, such as client credit cards numbers or personal medical information, may need to be extra vigilant. Second, 75% of survey respondents indicated that that they had purchased some kind of cyber insurance. In my experience, mid-sized and boutique law firms are less likely to have paid for such insurance. Moreover, insurance is only one part of an effective cybersecurity plan.  Given that many cyberattacks take advantage of human error, training of law firm personnel is also critical.

Too often lawyers tend to bury IT issues and leave it to their IT departments or outsourced tech person to figure out.  Here, it would be a mistake to bury the budget for cybersecurity within the IT budget. Cybersecurity raises issues that go to the heart of a law firm’s professional responsibilities to its clients. The risks of malpractice and bad publicity are manifest.

Law firms should therefore take steps to ensure that adequate attention is paid to cybersecurity issues. And that means shining an organizational light on the subject. From a strategic planning perspective, law firms should create a separate line item on the operating budgets to report expenditures for cybersecurity. And that line item should include projected expenditures for insurance and training.

Different law firms face different risks. But it isn’t hard to foresee that even small and mid-sized firms will become targets. That is why law firms should take steps now to make cybersecurity a regular and specific part of their operating budgets.

Train the Heck Out of Your Most Promising Associates

The cover story of the July/August 2015 issue of The Washington Lawyer magazine is entitled, “The Professional Development Imperative.”  It’s a well-written piece that discusses the need for lawyers to undergo comprehensive professional development after they graduate from law school, and various options for obtaining that training.

From the point of view of a law firm client, the article contains eye-opening comments. Consider the article’s opening sentence:  “The secret of law is that no one really comes out prepared to practice law.”  Acknowledging that most of what lawyers know is learned on the job, the article presents a sober picture of the professional development challenges facing new lawyers. These include the following:

  • “For today’s lawyers, the challenge is even greater. New lawyers need to manage the legal bureaucracy and also be well versed in social media.”
  • “The amount of time and energy that people have in firms to devote to skills training has just gone down,” quoting Michelle Richards, A D.C. based executive coach and former attorney.
  • After 2008, clients at big law firms “were no longer interested in paying full freight for associates who were learning on the job.”

As a result of these changes, senior associates and junior partners are described as being less prepared for the nature of work they are required to handle.

“Most senior associates and junior partners have much more difficult assignments than they did before the recession. Many of them have enormous responsibilities and those duties now come to them much sooner than they did in the past. Some are supervising matters that would have been the purview of partners, often running large teams, presiding over budgets, and managing client relationships.”

The focus on the importance of client development is admirable and the editors of The Washington Lawyer deserve credit for paying this issue in the spotlight, as does the article’s author, Sarah Kellogg.

But imagine how some corporate clients might react to the picture painted by this article. It’s deeply at odds with the marketing materials law firms are putting in front of their clients. And more importantly, it’s not sustainable. Corporate clients are not going to pay more than $400 an hour for lawyers that have years of experience, but are nonetheless overmatched by their responsibilities. This is one more sign that the business model underlying many law firms is deeply flawed. You don’t need to be a revolutionary or a conspiracy nut to sense that over the next few years we may see a lot of carnage among the ranks of mid-level associates and junior partners.

So what strategy should law firm leaders adapt to address the training gap described in the article? One underutilized strategy is to identify stars early on and devote more training resources to them. That is what many large corporations do with those that are deemed to have potential to serve as high-level executives. Too many law firms wait six years or more before they begin to assess who has partnership potential. This strategy made more sense when law firms could more easily pass along inefficiencies to their clients. But do you really need to see 72 months of billing to figure out who your best associates are?  A good way to avoid having overwhelmed junior partners is to devote more training resources to your most promising junior and mid-level associates.