Augustin Cal and David Sankar, both in product management at Wolters Kluwer’s ELM Solutions, have spent a good deal of time recently thinking about collaboration. And not just the kind that they bring to their workplace (and to this interview). It’s the kind that law firms and law departments need to learn – separately and together – if they hope to create a cybersecure environment in which to work. As it happens, in September, Cal and Sankar’s company introduced a new application that’s designed to assist them in this effort. The interview has been edited for length and style.

We see almost constant news stories about cybersecurity attacks and breaches. Why are law firms particularly vulnerable to attack and data breaches?

Augustin Cal: Many law firms are lagging behind when it comes to technology. At the same time, they are in possession of very sensitive data. This makes law firms a high-risk target for cyberattack. Many law firms don’t take adequate security measures to safeguard confidential client data. Too often we hear about very basic steps that are not being taken: for example, maintaining current patch levels on software or encrypting data. Given all this, it has become increasingly important for companies to implement cybersecurity assessment programs geared specifically toward law firms. The assessment is intended to let the clients know where each of their law firms stands in keeping their data safe.

How are law departments handling the cybersecurity risks inherent in their law firm relationships?

David Sankar: There’s greater recognition among legal departments, more than ever before, that law firm cybersecurity risk is critically important to the legal function, and it’s more than an IT-only responsibility. Historically, cybersecurity risk management was identified as solely an IT task, but there is no doubt today that it requires a legal and IT partnership. Our experience at Wolters Kluwer’s ELM Solutions is that there are varied approaches to how legal departments manage cybersecurity risk.

Understanding that cybersecurity is an urgently emerging risk for the legal function, the default response to managing it is and continues to be through spreadsheets and email. It’s kind of a first reaction: When there’s a need, you go to what’s familiar. And for many people, emails to law firms and managing data in spreadsheets are familiar. And that’s OK as long as there is a plan simultaneously being formalized to implement a law firm–specific cybersecurity assessment program.

Emails and spreadsheets are not a viable long-term substitute for purpose-built software. When you look at more mature cybersecurity risk management approaches, you see a full partnership between the law department and information technology and security departments. In addition, purpose-built software is being used to create and manage assessments, to track and analyze the results of the assessments, and to create and take actions on remediation plans. We’ve also seen in some of these more mature programs that companies will partner with third-party consultants in order to execute on these assessments.

Cal: Also, a law department will tailor a program based on risk level. They may judge that some firms require something different than others. Let’s say, for example, there is a mergers and acquisitions firm working on a sensitive M&A project. That firm should not be surprised if they are asked to answer more questions for that client than some of the other firms.