The First 48: Our Firm Is Under Cyber Attack, Now What?
October 27, 2023
In a column for the New York Law Journal, Infinite Global president Zach Olsen and Vice President Jesse Dungan examine communications considerations for law firms in the immediate aftermath of a cybersecurity incident. Published on the 20th anniversary of National Cybersecurity Awareness Month, the article comes amid recent cybersecurity incidents affecting top U.S. law firms. In the article, Zach and Jesse draw on their deep experience to provide law firms with actionable steps to prepare for and respond to what’s unfortunately becoming inevitable.
In this article, Zach Olsen and Jesse Dungan of communications firm Infinite Global raise eight questions to consider when a law firm becomes the victim of a cyber attack.
This summer, the United Kingdom’s National Cyber Security Centre told the legal sector what many law firms around the world have learned the hard way: they are “prime targets” of cyber criminals due to the confidential information they handle related to finance, litigation and other sensitive matters. Meanwhile, around that same time in the United States, it came to light that 3 of the 50 largest firms had been victims of a breach.
On the 20th anniversary of National Cybersecurity Awareness Month, many firms are reflecting on how they would navigate and communicate their response to what is seemingly becoming inevitable. Whether your firm has a full cyber-focused communications plan or is just now starting to prepare, taking a hard look at what your immediate actions will be is critical to safeguarding your reputation and relationships with key stakeholders.
Here are eight questions to help ensure you’re ready:
Who Is On Our Response Team?
Responding to a breach is hard enough, but inside a law firm with hundreds or even thousands of owners, it can be even harder. Partners are used to having all the answers for their clients, but following a breach, they likely won’t find many. Despite their flat organizational structure, law firms need to keep their incident response team small and make sure they’re ready to support external legal, forensics and communications counsel. Without agreement on the makeup of a response team, firms risk widening the circle unnecessarily or causing confusion about individual roles.
Do We Have Cyber Insurance?
Your incident response team should know the firm’s insurer and how to reach your claims professional or broker. It’s also important to be familiar with your policy, which may dictate who is approved to assist after a claim is filed. Using your insurer’s approved list of legal, forensics and communications advisors streamlines the hiring and onboarding process. It also ensures they are vetted and have the requisite experience.
What Do We Say Now, If Anything?
Traditionally, law firms have gotten away with saying little publicly about crises brewing behind their doors. But today, there is greater pressure on firms to respond. As a result, firms have become more comfortable engaging with the press, their clients and employees about their challenges.
But good answers about data security incidents often are not readily available. Months can go by while the forensics investigators mine and analyze information to ascertain whether a firm’s employee or client data was viewed or exfiltrated. A lack of facts upon which to develop a statement creates a communications challenge. For this reason, and to avoid issuing any communications that could make an already difficult situation worse, many firms choose to wait before notifying anyone outside the incident response team that something has happened.
What Is the Actual Business Interruption?
Unfortunately, waiting isn’t always an option. Say, for example, email systems are down, file-sharing applications have failed or other business interruptions are apparent. In these instances, controlling the narrative is key. How do you do that? By positioning the firm as the most authoritative and reliable source of information.
If the immediate impact of the cyberattack forces you to address the matter, keep it short and to the point, discuss remediation efforts, avoid speculation about the incident’s cause or the timeline for restoration, and provide a forum to which questions can be directed.
Lastly, be mindful that whatever you communicate outside of the incident response team may end up on social media, in the hands of competitors or the inbox of a local journalist. Ask recipients for their discretion.
Are We Part of a Bigger Story?
When the pressure is on, it’s easy to get tunnel vision and focus only on your firm’s immediate problem and how to solve it. In recent years, we have learned that very large-scale breaches are just that—large. They impact several or even dozens of organizations and are often linked by a file-sharing platform or a common vendor. Having that broader context can be very valuable when deciding how to respond to your firm’s incident because what you say could impact others and vice versa.
What’s more, being part of a bigger story rather than the sole victim of an attack is almost always preferable from an optics and reputational risk perspective. The more victims there are, the less likely it is that any one organization will be singled out for blame. It may also give your firm an opportunity to avoid—or minimize—press attention if you are strategic about your media relations.
Who Are Our Key Stakeholders?
In data breach comms—and all crisis communications, for that matter—it’s not just about what you say; it’s how, when and in what order you say it. There are myriad ways communications can go off the rails when organizations and their leaders face pressure to say and do things quickly. One way is alienating allies by allowing them to receive information from a secondary source—think the media, a rumor mill or a legal industry blog. For this reason, assessing your firm’s key stakeholders and the order in which they should be communicated with is critical. Those most affected by the incident—usually employees—should be prioritized for that reason. In addition, disgruntled employees are very good at finding ways to show their frustration on social media and sites like Reddit.
Create a list of people and organizations your firm cares about, including business partners, trade groups, regulators, vendors and the media, and decide if, how and when to communicate with them.
What Communications Platforms Should We Use?
Once you have a plan for who to talk to and when, deciding on which channels to leverage comes next. Consider holding in-person, town hall-type meetings when communicating internally with partners, associates and staff. An in-person forum shows them you care and prevents having to put communications in emails likely to be leaked externally. Similarly, you may want to identify and prioritize certain clients with whom you can share preliminary information over the phone to help preserve your relationships.
No matter which platforms you use, remember to stay consistent. Even if the overall message differs slightly for various audiences, make sure you’re not contradicting something you said previously. And make sure outside counsel has eyes on everything before you move forward.
Have We Engaged the Partners?
Once it’s known that a firm has been the victim of a cyberattack, partners tend to get nervous—and understandably so. Partner-client relationships are rooted in trust, confidentiality and discretion. Clients rely on their firms to keep their information secure, and a breach of that confidence is a serious problem, whether for a litigation boutique or multinational corporate firm.
Engaging with the partnership early in a data security incident is critical in maintaining control over the narrative. If relationship partners believe in firm leadership and trust the incident response team, they can serve as invaluable intermediaries between the firm and its clients, preserving those relationships. To prevent speculation and rumor-mongering, firms should engage with the relationship partners to ensure they can share the most accurate information about the incident with their clients.
The Next 48 and Beyond
Unfortunately, the lifecycle of a cybersecurity incident is out of the victim’s control. An investigation can take many months. But acting immediately and strategically will help a firm avoid time-consuming stumbles, allowing its practitioners to focus on clients and reduce any long-term reputational impact.
While National Cybersecurity Awareness Month will soon be in the rearview, the need for firms to prepare for a cyberattack will continue. Those who understand the nuances of breach response and are ready to mobilize will be best suited to address their next inevitable cyber challenge.
Zach Olsen is president of Infinite Global and Jesse Dungan is a vice president at the communications firm. They have advised dozens of organizations, including law firms, on preparing for and responding to cybersecurity incidents.
Reprinted with permission from the October 27 issue of The New York Law Journal. © 2023 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.