Canadian law firms have been closely watching the cybersecurity collaboration developments between the financial industry and law firms happening south of the border. The push for law firms to provide greater levels of cybersecurity assurances to financial institutions has been driven to a large degree by the US Treasury Department, which has identified law firms for specific scrutiny. These developments have led Canadian financial institutions and the Office of the Superintendent of Financial Institutions (OSFI) to closely follow what is happening in the US and begin making similar moves regarding cybersecurity in Canada.
Collaboration amongst Bay Street law firms in Canada already occurs today, in large part through regular informal meetings that CIOs and security leads hold in order to discuss various topics, including cybersecurity. Currently, however, there is no formal cybersecurity information sharing or collaboration, although discussions about setting up this type of organization have been ongoing.
Cooperation and information sharing on cybersecurity also was enhanced when, in June 2013, the US-based International Legal Technology Association held its first ever LegalSEC summit in the Chicago area, in recognition of the growing need for law firm IT departments to respond to and collaborate on cybersecurity. The summit was an entire day and McCarthy Tetrault was one of the only Canadian firms represented.
In 2014 the summit expanded to two days and a number of CIOs and security leads from major Canadian firms attended to learn what security challenges their US colleagues were facing and how they were addressing them. The Canadian firms also used time at the summit to have their own informal meetings on cybersecurity. LegalSEC will again take place this year on June 8th and 9th in Baltimore, MD and the initiative amongst Canadian law firms is expected to develop further
Canadian law firms are exploring ways in which they can provide their financial institution clients and other clients enhanced cybersecurity assurance by adopting common industry standard information security best practices, including IT and cyber risks in firm risk management, and by developing more formal information security governance with regular briefings to firms’ management teams and boards of partners.
An example of one such standard that could be used to achieve a reasonable level of cybersecurity is the Critical Security Controls for Effective Cyber Defense, a prioritized list of Top 20 controls developed by industry and the US Government. The Top 20 is notably only a subset of the International Standards Organization 27002:2013 set of controls, or the recently published NIST Cybersecurity Framework that was initiated by Executive Order of the US President; however, even the application of this subset has the potential to improve the security posture of a firm and reduce risk, while being compatible with these larger standard or frameworks should a firm wish to pursue them at a future date.
Implementing these security measures will better position Canadian firms to collaborate on cybersecurity, both among themselves and with financial institutions, and allow them to action the intelligence that would come from such a partnership.