The risks behind cybersecurity
Often, firms struggle to manage their inherited risks with in-house resources. “In a law firm with 20 attorneys, it would be unusual to have an IT staff of more than one or two full-time employees,” Lee said. “A firm of that size may not be able to afford practitioners that are adept at both IT operations and information security, especially in the past decade’s shortages of available cybersecurity talent,” Lee said. “I think small to mid-sized businesses assume that IT practitioners have all manner of technology skills, but the fact is that operations and security are markedly different skill sets, each requiring years of study and experience.” These market realities force many businesses to seek outside cybersecurity solutions.
But these realities also require a careful approach. If a business chooses to co-source or outsource its cybersecurity to a third party, that business must ensure that the third party addresses unique risks in a meaningful way. As Lee put it, “We learned this over 30 years ago. If you outsource a broken process, it merely breaks faster and in ways that are more occult to the organization.”
Your cybersecurity provider must be a true partner, where the relationship is grounded in both cost considerations and risk management — especially data privacy and security risk management. If your provider does not understand your obligations and the risks you inherit from your clients, it cannot help you manage those obligations and risks. “With cybersecurity in particular, it’s imperative to think both proactively and reactively. Your provider should articulate how it employs best practices for information security proactively and how it handles reactive incident response,” Lee said. Depending on the data you store, you might also need a provider with demonstrable capabilities in regulatory compliance, fiduciary obligations, industry trends and other areas.
For example, the Department of Labor recently clarified its cybersecurity expectations for benefit plan providers and administrators. “Such clarifications often precede enforcement actions,” Lee said. Lee recently spoke to a plan provider that was reviewing its cybersecurity program in light of the new guidance. “If we’d only involved technology resources, we would have missed the mark. We needed to respond with practitioners who understand fiduciary responsibilities of this kind, as well as the statutory regime in which these responsibilities arise,” Lee said. “So, on that call, we had practitioners from our tax practice with long histories of working with and for the Department of Labor. These practitioners, along with our forensic expertise, provided a grounded functional and technical perspective that homed in on what the Department really wants to know.” This multi-disciplinary approach yields the best and most durable approach — especially when the team combines cybersecurity services with industry and regulatory expertise.