The Oklahoma Bar Journal December 2024

Law Practice Tips

What Is Your Cybersecurity Defense Plan for 2025?
By Jim Calloway

THE OKLAHOMA RULES of Professional Conduct offer guidance and rules for lawyers confronting ethical challenges. Technological advances often progress more quickly than legislative or regulatory responses to these developments. So where technology is involved, some of our ethical obligations tend to change and evolve before any new rules can be written.

For almost every lawyer reading this, the possibility of a major digital attack is a potential threat to your law firm’s operations. Imagine showing up to work and finding that every computer in the office has had its data encrypted – and even though the provider said it wouldn’t, it also took out the office VoIP phone system. We, as a profession, must now always consider cybersecurity to protect our clients’ confidential data as well as our business operations, which benefit both the law firm and the clients. As one calendar year ends and another begins, take this opportunity to examine and increase your safeguards against cybercrime.

THE IMPORTANT INITIAL DECISION ABOUT YOUR CYBERDEFENSE STRATEGY

In the Nov. 13 issue of Courts & More, I posted “Does Game Freak’s Lack of Response to Malware Attack Hold Lessons for Lawyers?” 1 I encourage you to read it. Game Freak was hacked and apparently did not pay the ransom. Kavi Sivasothy, a Canadian lawyer, analyzed why this large company with mostly digital assets might have behaved that way and concluded that they planned on not paying a future ransom. Mr. Sivasothy wrote:

“Now, not every organization can just say ‘no’ to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But regardless of what business they are in, there are core steps every organization should be proactive in taking to maximize their opportunity to say ‘no’ when being extorted by a hacker.” 2

That is your most important business decision going forward. If your law firm is hit with a cyberattack that shuts down your systems, are you going to pay the ransom? Our concerns are closer to the hospital than the dry cleaner, but every business wants to return to operations after an interruption as soon as possible.

Today, ransomware demands are rarely in the four-figure range – they are more likely five or six figures. In the early days of this type of crime, the people running the ops were – to use an inappropriate term – more professional, and there was a decent chance your data would be restored. That is less true today. Suppose payment of the ransom is accepted, and you receive several digital keys to decrypt your data. Does anyone in your firm have the expertise, plus the nerve, to handle that? Therefore, the firm will be paying more for additional external support.

If you believe the ransom amount may influence your decision to pay and your firm possesses the necessary assets or credit lines to cover a ransomware attack, it would be prudent to consider obtaining a cyber insurance policy that includes coverage for damage remediation. I have little information about the insurance market. I know this coverage is expensive, and the application process may require upgrading parts of your systems, which is most likely a good thing. But we all appreciate that an insurance policy that provides both funds and expertise to repair your network is the best way to avoid paying the ransom, and it is also more likely to restore law firm operations more quickly.

As with many risks in life, insurance is the best answer if you can afford it. Realistically, these premiums are not affordable for all law firms. For some, the decision is that the firm can’t afford cyber insurance, or paying for it would significantly impair
