Glenn C. Davis explains what professional service firms need to know about cyber security.

In today's highly digitised world, cyber security has become an important issue for individuals and businesses alike. But despite the evolving technology of firewalls, malware detectors and so on, security breaches still occur every single day.

Even a cursory perusal of the business press will reveal reports of cyber attacks against countless well-established businesses, involving loss of customer data, credentials and credit card information. The financial costs to these firms are vast. And these attacks are just a glimpse of what the future may hold.

Sector-specific risks

Professional services firms, with their massive electronic repositories of confidential client data, are increasingly viewed as high-priority targets. Firms often lack the finances, technology and manpower to implement widespread and efficient cyber-security defences. This, coupled with the inherent vulnerabilities of the emerging technologies and trends within the industry, such as mobile computing and use of the cloud to store data, places further stress on a firm's IT defence strategy. Firms also need to consider the industry's interconnectedness, the risks of working with third-party suppliers and the adequacy of their IT risk-defence practices.

With all these issues potentially leaving a professional services firm open to attack, the importance of a top-level cyber-security defence strategy is greater than ever.

Understanding the issues

While the sophistication of cyber attacks has increased at an alarming rate, unfortunately the efforts of legal and other professional services firms to mitigate these risks have often fallen short. Managing partners and finance directors are not expected to be IT experts, but they should have a sound understanding of the topic, enabling them to help establish a co-ordinated and robust cyber-incident response plan alongside the firm's IT management.

Managing partners should be at the helm of these strategies. After all, they could be held accountable for the proper governance of the firm's cyber-security defence and incident response strategies.

Don't let your firm become the next victim

By developing, implementing and maintaining robust yet adaptable IT risk-management programmes and performing periodic due diligence reviews of third-party partners and providers, firms can insulate themselves against cyber-security breaches.

Before moving forward with any other IT risk-management efforts, managing partners and finance directors should:

  • make sure a thorough assessment of the firm's current information security capabilities has been performed
  • identify internal vulnerabilities and external threats
  • develop a comprehensive incident response plan that has been stress-tested in case of an actual security breach – this should be tested on an ongoing basis to incorporate new risks
  • ensure that firmwide due diligence includes IT and data risk assessments
  • make sure third-party partners are fully aware of all relevant threats and consistently audit their own security programmes
  • develop programmes around 'high-value' information targets, which should be protected at all costs, and build outward from there – this might include client data and information on potential mergers and acquisitions, for example
  • evaluate risk within third-party, cloud service provider systems to prevent the theft of intellectual property and confidential customer data and credentials.

Glenn C. Davis is a partner at CohnReznick LLP in New York, a fellow member firm of Nexia International. He is the former national director of the firm's governance, risk and compliance practice.

We have taken great care to ensure the accuracy of this newsletter. However, the newsletter is written in general terms and you are strongly recommended to seek specific advice before taking any action based on the information it contains. No responsibility can be taken for any loss arising from action taken or refrained from on the basis of this publication. © Smith & Williamson Holdings Limited 2014. code 14/518 expiry 30/11/2014