December’s revelation that two of Wall Street’s largest corporate law firms had been hacked by Chinese criminals sent panic waves through Biglaw corner offices around the world. The hackers allegedly used proprietary information stolen from Cravath, Swaine & Moore and Weil, Gotshal & Manges for insider trading, cashing in millions in illicit profits before they were caught. In the aftermath, firms have sprinted to improve cyber defenses, clearly an important step to mitigate the risk of future attacks that will inevitably come.
But for an industry fundamentally premised on confidentiality, installing new software to prepare for the next crisis isn’t enough. Immediate and decisive communications action must be taken to reassure clients in the short term and build back a reputation over the long term, even if it means that firms should be ready to speak publicly about an uncomfortable subject. Just as a spy agency with loose lips isn’t worth its weight in bugged cell phones, if your law firm loses its reputation for keeping secrets secret, your brand risks permanent damage.
In this day and age, hacking is inevitable. Not only are law firms the latest target du jour, they’re an increasingly tempting one. As Above the Law’s Keith Lee observed, hackers see counsel as “a back door to the valuable data of their corporate clients,” or the “soft underbelly of the financial sector.” Mossack Fonseca in Panama is perhaps the best known in recent years, selected for its expertise in offshore tax liability. But a story that broke last year revealed that almost 50 top law firms had been targeted by a Russian cyber criminal running a hacker gang online. Make no mistake — more of the same is coming.
As firms respond to these inevitable hacks and the onrush of press attention accompanying their public revelation, their focus must be on a central goal: client reassurance and retention. Bad press and online mudslinging will be unavoidable, and clients will be enraged and embarrassed. This will be a fact of life for some time, hard stop. Rebuilding a firm’s brand as a safe, dependable refuge for confidential information will be a long-term proposition requiring a variety of public relations tactics. In the short run, however, firms should first stem the bleeding.
First things first: Hacked firms should move proactively through the crisis by focusing on actionable items. These concrete steps will vary from case to case, but a few should be considered in every situation. Firms must publicly announce immediate upgrades to cutting-edge cyber defenses, and ensure that current (and former) clients are made aware of them as soon as possible through direct, private communications.
Personnel changes should be considered — the firm’s head of IT or chief risk officer must be prepared to take personal responsibility for the technical failure to thwart a successful hack. Regardless of whether an outside cybersecurity vendor is actually at fault, playing the blame game and pointing fingers elsewhere simply won’t help the firm’s cause.
Full cooperation with law enforcement agencies should be publicized vocally and succinctly to clients as soon as possible. Targeted firms should consider hiring their own investigators to seek out the source of the hack, because announcements around their retention and (possible) success would not be subject to the gag orders of a U.S. Justice Department investigation. If charges can be brought by the firm directly against the perpetrators (likely in conjunction with legal actions from law enforcement agencies), all the better. Clients scouring the business press will appreciate it as well.
Yet as valuable as each of these actions is on its own, each can fall victim to the “tree falling in the woods” syndrome — if no one hears about it, it never really happened. Find an authoritative voice from your senior management ranks, provide them with vigorous media training and establish them as a source for regular, newsworthy information on each step of progress. Intentionally seeking out press attention may be uncomfortable for law firms accustomed to avoiding the limelight, especially on matters of client confidentiality. But a major cyber breach demands reputation rebuilding and damage control that go beyond your comfort zone, especially because any lack of communication may be inferred as orchestrated secrecy.
Hacking is an ugly thing for firms and clients, and as cyber defenses get stronger we can all hope that it will become less frequent. Just don’t count on it.
Sam Jefferies is a vice president at Dezenhall Resources, a leading crisis communications firm in Washington.