I’m sure you remember SIFMA’s Principles for Effective Cybersecurity Regulatory Guidance, issued last October. I mean, you read about them right here. One of the principles was this: Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences. Granted, that language is hard to understand, but what SIFMA was getting at was this: Wall Street firms did not want to share information about how to ward off computer hackers and then turn around and be accused of committing antitrust violations by the Justice Department and the FTC. While the agencies had issued a statement giving financial firms some comfort in this statement, the firms wanted more assurance. Just last month they got it. President Obama’s executive order on February 13th specifically encourages private companies in the same industries to form organizations to better share information about online security and attacks. The executive order may give enough antitrust assurance for large banks and law firms to set up a legal group that would be affiliated with the banking industry’s main forum for cybersecurity information sharing – the Financial Services Information Sharing and Analysis Center. Which they are trying to do. As the New York Times reports:
Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies and intellectual property. But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information.
The Times is right. Large law firms could be vulnerable to cyberattacks. And in the United States, they’re not publicly held, so they aren’t necessarily obligated to tell anyone in particular about them. The Times article goes on: “The law firm group under consideration would be set up as an organization to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.” I think this cooperation is a good development for cybersecurity in the U.S. The issue is too complex for organizations to go it alone and figure the problems out in silos.