Comment: Protecting law firm IT systems in times of significant change – including mergers!
Faced with structural and regulatory upheaval, coupled with the economic downturn, the UK legal sector is emerging from a period of unprecedented turmoil. With casualties abounding, well-known firms collapsing and staff forced into new careers, the shape of the industry has changed forever. But it is unlikely to be the end of the story, as restructuring remains high on many firms’ agendas. According to one recent survey by Fox Williams, some 95% of leading UK law firms predict further consolidation at the top end of the sector, with 45% prepared to consider a merger in the next two years. In parallel, the Solicitors Regulation Authority has witnessed a rise in the number of interventions.
IT teams tasked with bringing together the systems in the wake of such change have a key role to play in maintaining secure operations, yet too often not enough attention is paid to protecting such systems.
When a firm is setting up or closing down offices, or perhaps merging with another, it is vital to identify and address risks to IT systems and data, so that full control of networks and access points can be maintained. Law firms have an ever-increasing dependence on IT and digital connectivity and most rely on uninterrupted access to their case management and time recording solutions.
One of the main challenges facing senior executives during change is to decide who will be responsible for IT infrastructure and the integration of two or more networks. A good understanding of the network, right down to domain and subdomain level, is needed to ensure individual segments are locked down. If a hacker or disgruntled member of staff does gain access to one part of the system, they should not be able to access other parts of the system. This can be a challenge when two firms come together or a new team is hired, because the parties may have different approaches and cultures when it comes to access control. A further issue is that of remote access, with some firms only allowing access to enterprise systems from within their own offices, whereas others enable staff to access systems remotely or using their own devices.
Protect the crown jewels
Key assets are not just limited to client data and work in progress but will often include intellectual property, bespoke tools created for the firm and the knowledge and expertise it has built to run those applications. These are all part of the corporate ‘crown jewels’ which, at the time of change, must be identified and protected by the IT team, particularly during global network updates. Firms need to audit their crown jewels – from data to people – at the earliest stage, that is during due diligence before the change is finalised.
There may be far-reaching implications when partners or staff affected by restructuring move into new positions or leave, taking with them vital knowledge about IT systems and data. While it can be difficult to let the right people know about forthcoming organisational change, where possible, IT heads need to be involved in the due diligence process. Understanding the IT will also inform the valuation of an asset to be acquired or disposed of. A clear understanding of the strategic importance of the ‘evidence landscape’ must include an audit of where individual lawyers store data. This is painstaking and detailed work, which may require specialist support, to ensure it is completed during the timescales of the wider due diligence programme.
The failure to include data and systems as part of this review can be an expensive mistake. In one case, a US-based firm, eager to grow its market share, acquired a UK business with a remote office, hundreds of miles away from head office. The employees in the acquired firm’s branch office were very unhappy with the acquisition and obstructed all attempts by the new parent company to get data and information from them. The parent company decided, in the end, to close that branch but, during the notification period, backups went missing, customer databases were copied and technology tools that the company had developed disappeared.
Where to start
There are some specific steps firms can take to strengthen the control of IT systems at times of significant change. The first is to get an understanding of what technology the firm has and what it is acquiring or divesting. Then adopt a risk management strategy that identifies not only the opportunities but also takes a pragmatic approach to asking what could go wrong.
Once the crown jewels have been identified, ask where they are and who has access to them. In the event of a disaster, would it be possible to restore everything quickly? If there were any sort of investigation, would it be possible to provide data going back months or years? Investigate third-party relationships – client data is sometimes shared with third parties for analysis. This could be a threat to a firm that joins forces with a peer that relies more heavily on third parties, exposing their own data to new risks not previously considered.
Many law firms use similar technology platforms but even where the same applications may be shared, there is always a large bespoke element. Even simple things, such as timekeeping systems, tend to be unique to each firm. There are several approaches to handling different systems, from running both systems concurrently to attempting to integrate them or starting afresh with an entirely new system. Whatever is decided, it is likely that there will be a transition period with heightened risks to the firm, as two different systems run in parallel and staff create, for example, insecure workarounds to share data or to allow clients to be billed in the way they are used to.
Beyond the structural challenges of the legal sector itself, corporate lawyers play a key role in advising their own clients on restructuring and M&As. There is growing recognition of the importance of the IT infrastructure and associated applications and specialist knowledge in such cases. However, the importance of vigilance and the role of IT in the due diligence process should not be underestimated. Recently, one buyer got more than they bargained for, following the integration of the two IT networks. It transpired that the IT system of the smaller business contained viruses and malware, which soon affected the enlarged company’s entire IT infrastructure. Previously installed Trojan malware and a phishing attempt shortly afterwards resulted in a significant financial loss for the enlarged enterprise.
It is too easy to make IT a secondary consideration in the heat of restructuring. Yet technology is core to most organisations and law firms are no exception. Inadequate IT infrastructure could affect productivity and client service, while a data loss could have significant financial or reputational impact. As a result, management and governance of the IT infrastructure can no longer be viewed as a secondary issue when firms contemplate the shape of their own futures.
* Martin Baldock is managing director of Stroz Friedberg, an investigations, intelligence and risk management company. Stroz Friedberg assists in managing critical risk for Fortune 100 companies as well as 80% of the AmLaw 100 and the Top 20 UK law firms.