April 13, 2019
What is the FRB SR 13-19 really, and what do you need to know? We sat down, tore into it, and put together this series to explain exactly what it means for your Legal Department and for your Law Firms.
Not long ago we heard of two foreign hackers who stole about 60GB of data pertaining to the impending mergers of public companies from two major New York Firms. They successfully obtained Inside Information by hacking into a user account, installing malware on the server, and monitoring/exfiltrating targeted email accounts of firm partners who worked on high-profile M&A transactions They subsequently traded on the stolen information and made more than $4 mil in profits before being caught. It turned out that in addition to attacking the two named firms, they had hacked into or were trying to hack into the networks and servers of five other Law Firms using the exact same method.
"The latest gold mine for hackers"
This is not just because of the value of information circulated, but because of the ease of third-party access with growing cases of hackers seeking and accessing client networks through firm networks. Manhattan US Attorney Preet Bharara couldn’t make it clearer:
“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”
In the digital age these stories of needlessly putting clients, vendors, and legal information at risk are increasingly prevalent, but there are some business sectors that have embraced risk management and are blazing the path for better information security. The financial industry is one of the frontier industries in risk management, and in particular managing Outsourcing Risk.
As hackers increasingly target law firms, auditors especially expect Legal Departments to develop Third Party Risk Management programs that provide oversight and controls for their Legal Service Providers and Law Firms.
Let's look into the above data breach example from the client’s perspective (the companies acquiring or being acquired) and see how the SR 13-19 would categorize the kinds of risk they were exposed to in the law firm data breach:
When the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.
Example: Regulators don’t care why it happened, just that it did. You can be sure based on applicable regulations, mandates, membership agreements and other industry-specific requirements, you and your Outside Counsel firm will be facing heavy fines.
When outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.
Example: Since you also relied on this firm to handle all of your M&A cases (even the ones in Europe!), you’re left scrambling to find new Outside Counsel with little time to conduct the due diligence required to keep this from happening again.
When actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.
Example: The leak gains publicity and your sock price plummets. The Manhattan Attorney General makes an example out of you. It also becomes a key selling point for competitors who claim to have more stable systems. Customers close their accounts.
When a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.
Example: Let’s imagine for a second that one of the firms breached was headquartered in the UK and not in New York, and that they are involved with all of your M&A transactions. It’s already difficult enough getting in touch across the pond, but now with the confusion over Brexit, their foreign transactions work has been increasingly affected, causing financial and operational issues. Now, just throw a data breach in the mix.
When a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.
Example: You find out that although your firm provided you with internal Security Policies, they were not following/enforcing them in practice, exposing their system (and your information) to this attack.
When a service provider exposes a financial institution to legal expenses and possible lawsuits.
Example: Various interested parties to the breach file lawsuits against your vendor and against your company for damages to reputation and operation, fraud, and relevant costs for damage control.
This list is both compact & comprehensive, although of course, there are always specialized risks that may not fall under one of these umbrella categories. It is are a great place to start when considering the types of services your Legal Service Providers and Law Firms provide and where their systems can be vulnerable.
Ultimately, you know your Law Firms and Outside Counsel best and should tailor your assessments of their risk to their operations. How can you do that? Make sure to keep up with us to learn more about the SR-13-19 in the context of your Legal Department, Legal Vendors, and Outside Counsel by reading our series or reaching out to us here.