By Jordan McQuown, CIO
I recently heard of a deal that a law firm was about to lose because they couldn’t respond quickly enough to a client technology audit. The business development team had worked very diligently for nearly 2 years to close this deal. But it was all about to go sideways simply because the law firm was struggling to complete the audit. This happens more frequently than you might realize.
Client technology audits—whether from new or existing clients—have become commonplace in the legal industry. They have become a pervasive litmus test that law firms must pass to qualify to do business.
You should know two things about technology audits. First, most audits have a fairly tight time frame for the initial response—often just 30 days. Second, the number of steps, the level of detail required, and the complexity of the process have all been steadily increasing. This is driven, in large part, by some very public client data hacks and breaches of law firms. Clients are nervous about how law firms are handling their private data and want proof that their legal providers are adhering to best practices.
Client technology audits represent a very real potential roadblock for unprepared law firms during this disruptive period. Alternatively, if your firm is able to pass client technology audits with ease, you might very well beat out firms who are not ready to respond. Here are my best ideas about how to remove a real barrier to your growth—how to get out of your own way and unleash your full business development potential—by being ready to respond to client technology audits quickly and easily.
7 PRACTICES THAT MAKE TECHNOLOGY AUDITS A BREEZE
No two technology audits are quite the same. Many audits ask for similar types of information, but also make unique requests. Similarly, the process for passing technology audits varies between clients and often is not entirely straightforward. Some clients will just ask you to complete forms, while others may require you to pass a penetration test from their provider. Still other companies may require on-site inspections.
If you don’t pass a technology audit on the first round, many companies will then give you between 30 and 60 days to complete additional tasks and remediate your environment to bring it into full compliance. If you fail to fully respond within the required timeframe, the company will likely begin to throttle back their contracts with your firm or drop you as a service provider entirely.
Having helped our clients pass dozens of technology audits, I’ve come to recognize patterns in what companies are looking for. Based on my experience and these patterns, here are 7 practices that will help you respond quickly and efficiently to technology audits:
- Keep your technology ecosystem current.
- Understand what most audits will include so you are ready to respond.
- Prepare documentation in advance of any audits you know are coming.
- Assess your data management strategy, or lack thereof.
- Assess your cyber security stance.
- Look beyond E&O insurance to cyber insurance.
- Align your technology roadmap with your clients’ future needs.
Let’s look at these 7 practices in greater detail.
KEEP YOUR TECHNOLOGY ECOSYSTEM CURRENT
This is 90% of the battle. It may sound simplistic, but in my experience, almost all of the issues that prevent law firms from responding in a timely fashion are matters that should have been addressed along the way—and often long ago—as part of regular maintenance. Routine maintenance, like patching servers, updating firewalls, refreshing desktops, and other relatively simple IT activities, puts you in the best position to easily and efficiently pass technology audits. These are common-sense tasks that should be addressed on a regular basis.
Simply put, given the 30-60 day window in which to respond to audits, you put your firm at risk if you haven’t been keeping your technology ecosystem up to date. Imagine having to complete certain legal activities in 30-60 days that you would otherwise have completed over the course of a year or more.
What if you had to depose in 30 days the same number of people you normally deposed in an entire year? How much stress would that place on you? What would that do to your day-to-day routines? How would that impact your productivity?
The same is true in the IT world. Why force your firm to complete ongoing technology and cyber-security-related tasks in compressed windows of time to accommodate an audit? If you wait until the last minute, you will make things unnecessarily difficult and stressful, and you are far more likely to fail the audit than if you had simply kept up.
So if you want to pass client technology audits with ease, make it a priority to keep your technology ecosystem up to date. It just makes more sense economically and operationally to address these everyday security-and-performance-related tasks on a regular basis.
UNDERSTAND WHAT MOST AUDITS WILL INCLUDE SO YOU ARE READY TO RESPOND
You never quite know what to expect with technology audits. Some can be over 100 pages, and some can be quite short. The better you understand what client audits will look for, the more likely it is that you’ll pass the audit with flying colors. Many audit requests will include major sections for at least the following items:
Procedures:
What are your procedures for data handling, data management, employee screening, and other significant functions?
Policies:
What policies have you instituted for device management, device transfer, encryption, and security policies and exceptions? What type of familiarity with these policies is expected among firm staff?
Access and update management:
How do you manage passwords, remote access, access controls by user type, system updates, and software updates?
Security controls:
These questions usually focus on physical and technical controls such as:
- Physical: How do you manage physical access controls to key areas such as network operation centers as well as access to devices like drives and mobile data devices?
- Technical: Password management, actions attributable to specific users, Wi-Fi security, firewalls, permissions on servers, and the ability to review network actions via log files and other tools. When did you last pass a penetration test from a qualified third party?
Records management:
When was your records management policy last reviewed, and does it include electronic data? Does your firm have a central repository like a DMS or file-sharing sites like Box? How do you back up files, off-site and on-site? What happens after the disposition of a case—does the data get destroyed, returned to the client, or handled in some other way?
Risk management and insurance:
Do you have a matrix of risk-based approaches? Do you have insurance beyond errors and omissions, possibly including cyber insurance?
Asset and device management:
Do you have an asset and device inventory system? Do you actively monitor and track usage and placement of these assets and devices?
Third-party services:
Do you use third-party services? What do you use them for? Have these service providers passed penetration tests? What sort of insurance do you require from these providers? Do you require third-party providers to adhere to the same technology standards as your firm and to industry standard practices?
Leadership in the technology space:
Does your firm have a person who is responsible for security? This may or may not be a chief security officer. But clients often want to know who, if anyone, has this role as part of their job description.
These questions are all about the big three: people, process, and technology. Depending on your relationship with the client, you might be probed in greater detail on key points. Also, more than once I have seen clients bring their technical staff on-site to verify practices claimed in audit responses. So don’t just claim something: be prepared to back it up.
Also, note that audits may be ongoing, not just one-and-done. For example, it’s becoming more commonplace these days for clients to re-verify certain technical details at defined intervals, say once or twice a year. So it’s not as if you can pass an audit with a certain type of client and then forget about the audit process—and the claims you made in your response—altogether.
PREPARE DOCUMENTATION IN ADVANCE OF ANY AUDITS YOU KNOW ARE COMING
There is an old saying you may have heard before: “Well begun is half done.” Nowhere is this truer than with regard to technology audits. The more you can do to organize your documentation in advance, the easier it will be to respond to any audits that you know are coming.
You can use the framework outlined above as a good starting point. Most audits that are being pressed upon law firms today are annual. But the trends are changing. Some clients are moving toward quarterly audits. What would it mean to your law firm if you had to respond to these audits monthly?
Prepare now for the changes that are coming and you won’t regret it. The more ready you are to respond to client audits, by having your relevant information gathered ahead of time and kept up to date, the greater the likelihood that you’ll pass the audit quickly and prevent a more in-depth and stressful examination.
ASSESS YOUR DATA MANAGEMENT STRATEGY
All sections of a client audit require some degree of response, but the data management component is often the most intrusive. It also typically requires the biggest changes on the part of law firms. This is exactly where many law firms get into trouble, and where expensive and difficult change management programs have to be put in place.
The reality is that if you have been doing things the same way for the last 40-60 years, it may be very painful and difficult to change. If your data management strategies and practices have not progressed with the complexity of the technology systems you use on a day-to-day basis, you are likely well behind the curve.
If that is the case, don’t wait! Start now by looking at the way you actually handle your data compared to your data management policies. Ask yourself whether or not you are ready to pass muster with client expectations. And certainly, if you know you have issues with data management, don’t wait for the audit to try to fix things. That will only make it harder. Take action now and when the audit comes, it will be much easier to pass.
ASSESS YOUR CYBER SECURITY STANCE
Cyber security breaches are the impetus behind many client technology audits. Recent law firm hacks have made big headlines. Our Law Firm Cyber Security Scorecard shows that 100% of law firms in the survey sample were targeted and 40% did not know they had been breached.
If you are thinking that only large law firms are perceived as having client data worth taking, think again. Our cyber security survey included law firms with just a few attorneys all the way up to those with nearly 500 attorneys. One key insight from our research is that ALL of these firms were targeted.
Cyber breaches are non-discriminatory in terms of law firm size. This is why I recommend that you assess your cyber security defenses BEFORE a client audit. Don’t wait for the client audit to show you something that you could have discovered and remediated on your own.
If a qualified third party has not conducted a penetration test of your firm within the past 12 months, you are overdue. Most businesses are online 24x7 these days, which means your cyber risk is continuous. The threat landscape evolves quickly and constantly. Last year’s threats are yesterday’s news for hackers, and they will be trying things they think you don’t know about yet.
There is another pervasive real-time threat, discussed in a recent article I wrote on how your greatest cyber threat is down the hall. Internal breaches are probably more common than external intrusions. But they are probably also the most preventable with better technology and staff training.
Demonstrating strong cyber security is crucial to winning client confidence, especially with new clients. Most audits will ask you if you have been breached in the last 60 days. If your firm is like the 40% of the firms from our survey who were breached and didn’t know it, then your cyber security stance is due for an upgrade. Again, the more you can do to assess your cyber threats and address them BEFORE an audit, the easier it will be to pass.
LOOK BEYOND ERRORS AND OMISSIONS INSURANCE TO CYBER INSURANCE
Most law firms carry general liability, errors and omissions (E&O), or other types of insurance. But our Law Firm Cyber Security Scorecard report shows that only 23% of law firms carry a cyber insurance policy. This is a huge mistake. These policies are typically far more affordable than you might realize. What’s more, cyber insurance policies protect you specifically from cyber events. This is one kind of insurance you definitely want given today’s cyber landscape.
Most general liability insurance policies have fine print that may or may not cover cyber events. But even if your firm’s policy might cover the event, you probably don’t want to use it. If you do make a claim against your larger general liability policy, your premiums and overall firm insurance costs might go up significantly.
We have not yet seen a situation where cyber insurance was a pre-condition for passing a client technology audit, but we believe this may happen in the not-so-distant future. If you want to pass client technology audits quickly and inspire confidence in clients that you’re ready to do business with them, cyber insurance is a good step.
ALIGN YOUR TECHNOLOGY ROADMAP WITH YOUR CLIENTS’ FUTURE NEEDS
Law firms need a technology roadmap. If you don’t have one, get one.
A technology roadmap, simply put, is a vision for the kind of technology ecosystem your law firm will have in the future. The roadmap outlines where you’re going with technology, what you’re building toward, and what you’re investing in. The roadmap anticipates the kinds of technology systems and enterprise applications you’ll need to support your business goals and clients in the future. A roadmap defines the technologies you’ll buy and the talent you’ll need to optimize those technologies.
There are two key reasons why you need a technology roadmap. First, technology is expensive and you want to make sure that you are investing wisely. You don’t want to waste money on systems that won’t scale as you grow, that have known security holes, or that simply underperform.
Second, technology is crucial to every law firm. No law firm today, to our knowledge, can be successful without good technology. In my opinion, IT budgets should be closely scrutinized by law firm leaders. Why? Because the choices made today about what to invest in will determine how secure, productive, and profitable your firm will be in the future.
Let’s look at how a technology roadmap can help you pass client technology audits with ease. The market for legal services is changing and clients and circumstances are driving the need to keep up. For instance:
- Kia now requires competency testing of outside counsel to see whether or not they can effectively use office productivity tools.
- AI is changing the game. IBM’s Watson was used recently to create a virtual attorney. How might AI be used at your firm, or your competitor’s firm?
- Blockchain systems may have a major effect on many operational areas inside law firms. Smart contracts are the start of blockchain’s impact. Legal research will also be impacted, as well as eDiscovery.
If you don’t have a senior level executive, like a CIO, helping you build a technology vision for the future of your firm, it is very likely that you will always be playing catch up with technology audits. Instead, consider the better way to handle these situations.
Build a technology roadmap that anticipates the kinds of technology that will allow your firm to be a great partner to your clients. Then share your roadmap with them and get their feedback. Invite them into the process. By sharing your vision for the future of your firm and how technology will make that vision a reality, you demonstrate something that clients very much want—an anticipatory partner.
This strategy might very well make you the preferred provider, not the provider who has to be tasked repeatedly with follow-up details to complete. This strategy might also make you the de facto standard, the firm driving the standards that your competitors have to adopt. Wouldn’t that be nice?
A RESOURCE TO HELP
If you’re not sure about how to accomplish the goals and practices outlined in this article, I have a great resource for you. I’ve co-written an eBook called Ten Strategies To Add Ten Million Dollars To Your Law Firm. If you like the ideas in this article, you’ll love the eBook.