Wall St. and Law Firms Plan Cooperative Body to Bolster Online Security

President Obama spoke at the center for national cybersecurity in Arlington, Va., in January. Credit: Larry Downing/Reuters

The threat of ever-larger online attacks is bringing together Wall Street banks and the big law firms that do work for them in an alliance that could result in some sharing of basic information about digital security issues.

For nearly a year, banks and law firms have discussed setting up a legal group that would be affiliated with the banking industry’s main forum for sharing information about threats from hackers, online criminals and even nation states — the Financial Services Information Sharing and Analysis Center. Several people briefed on those discussions said those talks would most likely lead to the establishment of such a group by the end of the year, a recognition that hackers are increasingly focusing on big law firms to glean information about their corporate clients.

Federal authorities, including President Obama, are pressing companies to share information about hackings with one another and law enforcement as a way to deter the theft of information about consumers and employees.

Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies and intellectual property. But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information.

Over the last several months, Mandiant, the security firm that is a division of FireEye, has been advising a half-dozen law firms that were the subject of a breach, said a person briefed on the matter who spoke on the condition of anonymity. Mandiant, during a recent presentation at a legal conference, said many of the bigger hackings of law firms had ties to the Chinese government, which was seeking information on patent applications, trade secrets, military weapons systems and contract negotiations.

The law firm group under consideration would be set up as an organization to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group. And while the two groups would not necessarily share information with each other, the law firms would have access to some of the resources of the financial center, which has existed since 1999 and is one of the better-funded industry threat-sharing organizations.

“The F.S.-I.S.A.C. was designed to facilitate the sharing of threat information with each other, and there is value in involving law firms,” said Anish Bhimani, the financial group’s chairman and a JPMorgan Chase managing director. “A lot of this started because the banks were individually talking to the law firms about security information and someone said, ‘This is ludicrous, let’s do it together.’ ”

An executive order signed by Mr. Obama on Feb. 13 specifically encourages private companies in the same industries to form organizations to better share information about online security and attacks. But the discussions between the banks and law firms began months before the executive order, said the people briefed on the negotiations.

The conversations between the banks and law firms began with a working group of about a dozen Wall Street banks — including JPMorgan Chase, Bank of America, Goldman Sachs and Morgan Stanley — meeting periodically to discuss cybersecurity issues with representatives of big law firms like Sullivan & Cromwell; Cravath, Swaine & Moore; and Cleary Gottlieb Steen & Hamilton. More recently, the talks have included representatives of the International Legal Technology Association, an association of about 2,000 law firms.

The conversations between the banks and law firms were underway before last summer’s attack on JPMorgan that compromised mainly email addresses, phone numbers and mailing addresses for 83 million households and small-business customers.

Bill Nelson, the president and chief executive of the financial group, said the plan was for his organization to anonymously provide the legal group with some of the security threat information that banks have seen on their networks. He said there would be a “loose affiliation” with the legal group.

The law firms might also be able to participate in security conferences sponsored by the financial services group, which takes in over $7.5 million a year in grants and membership fees.

The membership in the legal group would be voluntary, but it is expected that most large law firms and those that do regular business for a financial services firm would join, said the people briefed on the matter.

Over the last year, big banks have required more documentation from law firms about online security measures as a condition for retaining a firm for a job. Some banks, for instance, are increasingly demanding that law firms do no work for a bank on computers that can be reached by a public network.

Officials with law firms declined to talk publicly about the legal group, but several said privately that it would be a good idea. However, they said the threat of a breach was often overstated by banks, security consulting firms and law enforcement.

A version of this article appears in print on  , Section B, Page 7 of the New York edition with the headline: Wall St. and Law Firms Plan Cooperative Body to Bolster Online Security.
