The legal community has been slow to recognize its role in advising clients about the potential cybersecurity risks of acquiring or merging with another company, said former Department of Homeland Security Under Secretary Suzanne Spaulding, who described lawyers as both active advisers in managing risks and potential targets of cyber attacks.
“Increasingly, lawyers and law firms are aware of the risks they face,” Spaulding said in an interview with Inside Cybersecurity during which she previewed her talk later this week before the American Bar Association.
Spaulding noted that law firms are increasingly a target for cyber attacks because as other systems “become harder targets, cyber sleuths begin to realize and start targeting law firms for their intellectual property” and the sensitive data they handle regarding their clients.
Law firms play an important role in advising clients about their legal liabilities in managing cyber risks, but there's an equally important and often overlooked role lawyers play in advising clients about acquisitions and mergers that can pose major cybersecurity vulnerabilities, according to Spaulding.
“There's another role that's slightly different from the technically legal role in advising about liabilities, and that is in their role in transactions,” Spaulding said, adding: “They were relatively slow to recognize the importance of including cybersecurity in that due diligence.”
Performing that due diligence can involve an audit of an organization's cyber practices and vulnerabilities, Spaulding said, and “it may affect the purchase price” of a merger or acquisition and should be part of any discussion regarding a “joint venture” by companies.
Spaudling said she's “long been talking to her legal colleagues” about this issue, and has often heard corporate executives say: “Gosh, I wish I heard you six months ago, before we entered into this company merger, and we merged all of our systems, and we suddenly bought all their infections.”
Spaulding urged lawyers to advise clients that “It's important to understand the cyber hygiene and cyber posture of the company you're going to be merging your systems with.”
“It's just like managing any other risk,” Spaulding said, in emphasizing the role that cybersecurity considerations should play when purchasing or merging with another company.
When asked if the legal community agrees with that assessment, Spaulding responded: “I would say they're getting there,” adding: “They have picked up that baton and are moving out with it.”
Spaulding praised the recent establishment of the Legal Services Information Sharing and Analysis Organization, or LS-ISAO, as “a good first step” in mitigating cyber threats to the legal community.
“Not sure how much traction they've gotten,” Spaudling said, while adding she was encouraged by the decision to create the info-sharing group under an executive order issued by former President Obama in 2015.
Spaulding led the National Protection and Programs Directorate at DHS, which includes the government's Automated Indicator Sharing system, which extends liability protections to industry for inadvertently sharing sensitive, personal information with the government under the Cybersecurity Act of 2015.
Spaulding said the LS-ISAO as well as other info-sharing groups can play an important role in serving as a buffer for groups and entities that are hesitant to share information with the government.
Groups “will turn to their outside counsel” who will tell them “what are the potential risks” of sharing cyber-threat indicators, and might prefer going through an ISAO so no one knows where the information came from, Spaulding said.
“That's okay, that's how the system was set up,” Spaulding added.
Spaulding will be speaking on Aug. 12 at the ABA's annual meeting in New York on a panel organized by the ABA's Cybersecurity Legal Task Force. Other speakers will be Harriet Pearson of the law firm Hogan Lovells and James Lewis of the Center for Strategic and International Studies. The discussion will be moderated by task force co-chair Harvey Rishikof, who leads the ABA's Standing Committee on Law and National Security. -- Rick Weber (rweber@iwpnews.com)