Outside Law Firm Cybersecurity Under Scrutiny

From: Connecticut Law Tribune

By Catherine Dunn

Bank of America Merrill Lynch is auditing the cybersecurity policies at its outside law firms, partly under pressure from government regulators to do so, according to the bank’s assistant general counsel Richard Borden.

Borden, a panelist at Corporate Counsel’s 25th Annual General Counsel Conference on Wednesday, said that Bank of America is “one of the largest targets in the world” for cyber attacks, and that law firms are “considered one of the biggest vectors that the hackers, or others, are going to go at to try to get to our information.” Bank of America is the second-largest U.S. bank by assets.

Regulators at the Office of the Comptroller of the Currency, which oversees BofA and other financial services companies, “have focused on law firms,” Borden said. “They are coming down on us about security at law firms. So we have no choice but to check the information security and to audit—to actually audit—the information security of our law firms that have confidential information. We spend a lot of money and use a lot of law firms, so this is casting a very wide net.”

As cyber attacks directed at U.S. business have grown more prevalent, the Federal Bureau of Investigation and others have flagged concerns over cybersecurity at law firms—given the value of their corporate clients’ information to potential attackers, and law firms’ often slow adaptation to new technologies.

For a major financial services company like Bank of America, being considered part of the U.S.’s critical infrastructure—the subject of an executive order issued earlier this year—presents additional pressure to examine their contractors and supply chain, including law firms.

“It’s been really interesting dealing with the law firms, because they’re not ready,” said Borden, who is the bank’s in-house cybersecurity lawyer and is assisting the group that’s reviewing BofA’s outside counsel. “Some of them are, I should say, but there are many that aren’t. And it actually does pose a threat.”

CorpCounsel.com asked Borden what the company is looking for law firms to demonstrate in the audit of their information security policies and practices. “One, we’re looking for them to have an information security plan,” he said.

Next, Borden said, BofA wants to see that the firms “actually follow” that plan. For example, he asked, “How are they dealing with mobile devices? Is our information going onto mobile devices in an encrypted way?”

And the bank isn’t simply relying on the law firms’ own audits of their information security practices. “We’re really looking at their whole structure and focus on information security, and we test it. We send in people to test it,” Borden said.

Amid efforts to bolster the bank’s own cybersecurity defenses, BofA is currently focused on training employees about the dangers of “social hacking,” such as so-called spear-phishing techniques that entice employees with official-looking messages that contain malicious links.

Borden reviews and approves the company’s training on the topic. “I can’t tell you how much focus we’re putting on just that,” he said, adding that the company has already “hardened” other defenses. “We’ve survived [distributed denial-of-service] attacks that should have taken down the whole Internet. We’ve done that. But we’re still getting hit with people opening links on emails or websites that they just shouldn’t open. That is huge.”

Yet despite the scale of threats across industries, members of the panel continued to sound the alarm that corporate America isn’t prepared to handle today’s cyber attacks—or tomorrow’s.

“There are a lot of companies, public and private, that are really not ready for what’s coming,” said Craig Newman, a partner at Richards Kibbe & Orbe.

While Borden spends most of his time as assistant general counsel on information security, he estimated that he is one of “very few” in-house lawyers to do so at U.S. companies.

“You probably have people involved in privacy, but you probably don’t have people involved in the information security,” he told the audience of attorneys at the GC East event.

But legal issues in the cybersecurity arena abound. For starters, Borden recommended that in-house attorneys understand which type of nationally or internationally accepted standard the company’s information security policy is based on.

“Understand how that works at your company and how you are able to respond to your customers when they start asking, ‘What’s your policy? How do you protect information?’ ” he said.

Two recent actions by regulators should also be getting in-house counsel’s attention. A lawsuit filed by the Federal Trade Commission against Wyndham Worldwide stems from a hacking incident at the hotelier. And just last week, New York Governor Andrew Cuomo requested information on the cybersecurity practices of large insurance companies regulated by his state.

Borden called Cuomo’s move “astounding”: “No state regulator, I don’t think any federal regulator, has done anything at that level,” he said.

Which is part of yet another cybersecurity challenge for in-house counsel right now. “Regulations are in their infancy,” said Borden, adding, “Yet all of these different regulators are looking at us to make sure we’re doing things exactly the right way.”


One response to “Outside Law Firm Cybersecurity Under Scrutiny”

  1. Frustraud says:

    Intellectual property law is a crucial area of business law that’s essential for protecting your ideas and innovations. When I need help with law issues, I always turn to https://federal-lawyer.com/texas/brownsville-federal-defense/ for their expertise and guidance. With years of experience and a deep understanding of this complex area of law, these attorneys are the best in the business when it comes to protecting your intellectual property rights.
