Containing Cyber-Costs: The Legal Industry Needs a Cybersecurity Audit Template



Cybersecurity is both a blessing and a curse. At Quarles & Brady, we have teams of lawyers experienced with this critical issue who help our clients when their data is breached, which results in revenue for the firm. On the other hand, we spend a tremendous amount of money ourselves making sure that our data and the data of our clients are secure.

Our firm maintains detailed information security policies and incident response programs. Because of the highly sensitive nature of the data, clients are also auditing our security systems to make sure their data is secure. Over the last two years, we have participated in more than 50 security audits and assessments, of which no two have been alike. In fact, we have responded to audits from the same client where the format has completely changed from year to year. In response, there are initiatives like those provided by Shared Assessments that provide uniform templates for the financial services industry, for example—however, most companies are not using these templates, and are instead creating their own.

From our side, it would be terrific if the major industries requiring security audits could agree upon best practices and develop a standard template—we devote a tremendous amount of resources to responding to these audits, including tying up our technology department for weeks providing the information. We understand their importance, but the legal industry needs a more efficient response to client concerns. All these security initiatives increase the cost of our business operations and directly impact the cost of services. We strive to partner with our clients to help them in a variety of ways, including supporting their charitable initiatives, offering continuing legal education (CLE) courses, and structuring our fees in a more predictable manner; in this area, we hope they can partner with us, helping us save time and costs by developing a standard audit template.




There are other methods of providing evidence for security controls—certifications like ISO 27002, SSAE 16, or HITRUST—but even those utilize different frameworks, parts of which may not be applicable to the legal industry or don’t satisfy the needs of certain clients. Perhaps now is the time for clients to develop a standard security questionnaire response form specifically for the legal industry that includes only the portions of those frameworks that apply, but still ensures that the proper security controls are in place to protect their data.

With the increase in audit requests, it will be more difficult for small- and mid-size firms to represent larger companies as these security measures become cost-prohibitive. Most recently, we’ve been asked to restrict access to social media sites and personal email accounts in the workplace. Clients want us to utilize data loss prevention (DLP) tools to detect and prevent users from copying or sending sensitive or confidential data outside of our environment. They are requiring different personnel to handle different aspects of our IT to create checks and balances, which in smaller firms can be difficult due to the number of available staff.

These increased security measures are certainly justified from the client’s perspective, but they can also become a conflict for a full-service law firm that practices in other areas. Removing access to services like personal email sites may be necessary in the eyes of a large financial services client, but that change may severely impact the communications with an individual client looking for estate planning. Do you change your customer service experience for the benefit of one client when it may negatively impact all the rest? Evaluating that impact and weighing the associated risks would be an easier task if everyone were speaking the same language.

(This blog post was co-written by Rich Raether, Quarles & Brady’s Director of Security & Network Services.)