How to make your law firm SOC 2 compliant with minimal headaches
By Andrew Edstrom, Chief Information Security Officer
For mid-sized law firms, seeking to achieve compliance with SOC 2, NIST, ISO 27000, or other standards can surface some serious pain points. This is largely due to the lack of available tools that can display the state of a firm’s compliance at any given moment. Unfortunately, more often than not, compliance is driven by someone working on a spreadsheet. There simply aren’t a whole lot of tools that can automate compliance without requiring an expert or consultant to come in and work their magic.
A Law Firm’s Pain Points
Controls and Subcontrols
But the absence of tools isn’t the only problem. There are always interpretation issues when it comes to compliance. Two people at a law firm could have two totally different takes on what a control or subcontrol specifically states. That presents a pain point because it can affect your overall compliance. One individual might believe their firm complies with a standard because they utilize wireless security controls. But another person could read the same regulation and say, “Well, we do have wireless security in place, but it’s not set up in the way the control reads.” If someone interprets a control more loosely than it is actually written, that creates a misalignment in your compliance.
The Experience Issue
There’s still a big shortage of cyber security and compliance personnel in the industry who are experienced and well-versed in this area. At the same time, there is a rash of people rushing into the compliance space to get jobs because those positions are in the highest demand right now. And that presents another pain point: hiring the right talent — finding people who are seasoned, have the experience to deal with auditors, and are ready to react if you have a breach.
Incident Response and Reporting a Breach
One element of your framework is having an incident response plan in place. And once you have an incident, do you report it because it’s a full-on breach of data? Or do you report it because you don’t know the effectiveness of your compliance program or don’t understand the tools that can help you prevent a breach in the first place?
When you report a breach, you’re basically putting your name out there and letting everyone know your reputation is about to be damaged. Then, you’re going to have legal costs, and you’ll likely have to engage a PR firm. Plus, you’ll probably have to make a cyber security insurance claim to cover some of your costs. And even after all of that, you’ll still have to go back and do what you should have done to achieve compliance in the first place.
So given those issues, what’s a good approach for mid-sized law firms to achieve compliance?
The first step is to think about leadership. Having the appropriate security and compliance personnel on your team is key. But sadly, a lot of law firms aren’t willing to spend the money to hire a qualified professional. The firm might appoint a member of their staff who has dabbled in compliance, which presents a big risk. And, even worse, some law firms take a reactive approach and don’t even think twice about compliance until an issue arises. What you need to do is get in front of any problems, instead of waiting until it’s too late.
The next thing law firms can do — and this may seem very basic — is to document their plan and communicate it to the entire organization. They need to create a roadmap that outlines what policies they have and how they plan to meet the standards outlined in their compliance framework.
Then, that roadmap needs to be reviewed by a compliance expert to audit the approach your organization has taken. This is a safety net to make sure your program is covering you the way you intended.
The Insurance Catch
I deal with business people all the time who tell me they have cyber security insurance. I always ask to see their policy, because I want to make sure they understand what their coverage provides. I translate it for them so that in the case of an event, they know what to expect. They’re often surprised that many cyber security insurance policies don’t cover insider threats. So if a firm has an internal employee who poses a threat, the law firm will have to pay for the recovery if it’s not specifically written in the policy.
Fortunately, Coretelligent helps law firms specifically overcome these issues. We have experience with multiple frameworks in multiple industries, so we’re exposed to a lot of scenarios most people never see. We encounter compliance issues that don’t just affect law firms but affect all sorts of industries. Our ability to apply our experiences across multiple industries is the core of the value we deliver. We bring tools to the table that can simplify your compliance framework and your compliance journey in general. And we help take the confusion out of compliance by explaining it in a way any organization can consume and make part of its natural culture.
Centralized Compliance Platform
Coretelligent uses a centralized compliance platform to manage your compliance journey. This software makes it easy to successfully implement security frameworks and achieve compliance with any compliance standards your organization is working to meet. Essentially, this online dashboard allows users to view their compliance status in real time. You can do compliance budgeting against it and share access with auditors or third parties to review which gaps you are covering. It’s a pretty remarkable program, and the interface is easy enough for any organization to use.
When it comes to compliance, each industry is unique, and each framework has its own nuances. Yet our approach remains constant. By understanding how to read frameworks and knowing exactly what the requirements call for, we make meeting those requirements an easier undertaking. It’s all about understanding how to get from Point A to Point B, and that’s our specialty at Coretelligent.