How much should law firms spend to ensure that their computer systems aren’t hacked, and that they maintain the confidentiality of their clients’ information?
A recent survey of AmLaw 200 firms suggests that they spend a little less than 2 percent of their revenues on cybersecurity. This estimate is likely to overestimate their actual expenditures. If the 2 percent figure were accurate, it would be in the same ballpark as what large law firms spend on their annual market efforts.
The 2% figure comes from a survey that was conducted by a consulting firm, Chase Cost Management, in connection with a conference attended by Chief Information Officers of large law firms and others from the world of law tech. The survey was completed by a third of conference participants. As such, it isn’t a random sample, and the survey results aren’t scientific.
Nonetheless, the survey does raise two particularly interesting strategic issues for leaders of law firms. First, the survey results suggest that clients are pressuring law firms to spend more on cybersecurity. Thus, if your firm represents institutional clients, you should be prepared to face some questions from clients about your cybersecurity plans and infrastructure. Likewise, firms that handle especially sensitive data, such as client credit cards numbers or personal medical information, may need to be extra vigilant. Second, 75% of survey respondents indicated that that they had purchased some kind of cyber insurance. In my experience, mid-sized and boutique law firms are less likely to have paid for such insurance. Moreover, insurance is only one part of an effective cybersecurity plan. Given that many cyberattacks take advantage of human error, training of law firm personnel is also critical.
Too often lawyers tend to bury IT issues and leave it to their IT departments or outsourced tech person to figure out. Here, it would be a mistake to bury the budget for cybersecurity within the IT budget. Cybersecurity raises issues that go to the heart of a law firm’s professional responsibilities to its clients. The risks of malpractice and bad publicity are manifest.
Law firms should therefore take steps to ensure that adequate attention is paid to cybersecurity issues. And that means shining an organizational light on the subject. From a strategic planning perspective, law firms should create a separate line item on the operating budgets to report expenditures for cybersecurity. And that line item should include projected expenditures for insurance and training.
Different law firms face different risks. But it isn’t hard to foresee that even small and mid-sized firms will become targets. That is why law firms should take steps now to make cybersecurity a regular and specific part of their operating budgets.