
Cybersecurity Core Standards and Recommended Practices

Membership Obligation:

The Lex Mundi Board of Directors continues to believe that the threat of cyber attacks on law firms of all sizes is real, increasing in sophistication, constantly mutating, and poses an existential threat to member firms. It is important that member firms have leadership at the highest level taking a firm-wide, multi-disciplinary approach, because cybersecurity is much more than a “technology” issue.

The Lex Mundi Board of Directors approved a new Obligation of Membership that requires member firms to meet the Lex Mundi Cybersecurity Core Standards and use their best efforts to implement certain Recommended Practices.

To help member firms improve their cybersecurity, Lex Mundi continues to make available a set of Cybersecurity Resources:

Each Lex Mundi member firm acknowledges and agrees that, as a condition of its membership, it is obligated to comply with the Lex Mundi Core Cybersecurity Standards and use its best efforts to implement the Cybersecurity Recommended Practices.

Note: A firm that is ISO/IEC 27001:2013 certified has met the core standards.

Core Standards:

Governance

  • One or more members of the firm's governing body or senior leadership group have been identified as accountable for the firm's cybersecurity.

Policies

  • The firm has an electronic-data security policy that addresses cybersecurity issues of the firm's digital information based on access rights that follow the principle of least privilege and includes the roles and responsibilities of lawyers, staff, contractors and third parties who handle confidential or legislatively restricted firm and client information.
  • The firm has a physical-data security policy.

Plans

The firm has the following annually-reviewed plans:

  • Cybersecurity risk assessment and mitigation
  • Incident response
  • Back-up and restoration
  • Business continuity
  • Vendor / third-party access management

User Awareness

  • All personnel having access to the firm’s systems have annual cybersecurity awareness training.
  • User awareness and understanding is tested periodically using simulated phishing attempts, based on the risk for key target groups (at least annually for all users).

Passwords / lock-out

  • All devices with access to confidential information are password protected.
  • All devices with access to confidential information lock after a period of user inactivity (for example, no longer than 15 minutes).

Encryption

  • The firm is able to encrypt critical data in accordance with applicable regulatory or client requirements.
  • All encryption is a minimum of AES 256-bit.

Information access control

  • Data access controls are in place, including the categorization of data with the assignment (and revocation) of access rights.

Patching / updates

  • Patch management is in place so that all servers, workstations, databases, applications and websites are patched on a regular basis, taking into account the criticality of the update.
  • Anti-malware software is in place and updated regularly (hourly if possible).
  • Anti-virus software is in place and updated regularly (hourly if possible).

Business continuity, backup and restoration

  • Appropriate data is backed up regularly and held securely in a physically separate location.

Technology

  • Firewalls with restrictive settings are in place for critical systems.
  • The firm’s public wireless network is segregated from the firm’s own wireless network.
  • Firewalls run a locked-down configuration with only required ports opened. Ports should only be opened if there is a clear need.

Recommended Practices:

These recommended practices describe steps to take beyond the Lex Mundi Cybersecurity Core Standards.

Note: all the following practices are under consideration for future inclusion in Lex Mundi’s Cybersecurity Core Standards.

Plans

  • The firm has a data loss prevention plan which is reviewed annually.
  • There is an annual review and testing of the firm’s back-up and restoration plan.

User Awareness

  • Users who act appropriately in response to a cybersecurity threat (either real or as part of a test) are recognized and / or rewarded.

Passwords / lock-out

  • Passwords (memorized secret authenticators) are of such length, complexity, duration and/or other attributes (set and controlled by the firm) to be reasonably expected to secure access to data.
  • All devices with access to confidential information:
    • Lock after a period of user inactivity (no longer than 15 minutes)
    • Permit only a limited number of unsuccessful login attempts

Encryption

  • Encrypt any device or databases with confidential data.
  • Encrypt data in transit, including email (except where recipient systems do not permit it or clients direct otherwise).
  • Mail gateways automatically use transport layer security (TLS) where the remote gateway supports such functionality.

Information access control

  • The firm uses role-based access control for all confidential information.
  • Information that is no longer required to be retained by law, regulation, client request, or business use is regularly and securely deleted.
  • There is an annual audit of administrator accounts which have access to confidential information.

Patching / updates

  • All servers, workstations, databases, applications and websites are patched using automation.
  • Anti-virus software is in place and updated hourly.
  • Anti-malware software is in place and updated hourly.

Business continuity, backup and restoration

  • Backup data sets containing confidential information are encrypted, off-line and held at a separate location.

Vendor / contractors management

  • An annual request for information is made to vendors and contractors who have access to confidential data, regarding their cybersecurity capabilities and the privacy / security training they provide their staff and contractors.

Assessment and testing

  • Ongoing vulnerability assessment, likely quarterly and after a significant change or upgrade.
  • Annual penetration testing; more frequently based on an assessment of the firm's risk (e.g. significant externally facing infrastructure).

Insurance

  • The firm has cyber / data breach insurance to cover costs for notifying clients, interruption to business, investigation(s) of the breach, and to cover any penalties which might be assessed.

Multi-factor authentication

  • Multi-factor authentication (MFA) is to be used for remote or off-premise access to the corporate environment and shared virtual resources (e.g. virtual data rooms) via VPN or other similar mechanism.
  • MFA should be used whenever feasible (especially to secure confidential / sensitive data). If a user logs in from within the firm’s firewall, a second-level password is sufficient.

Browser cookies

Cookies should be:

  • Tagged to be accessible only on secure (HTTPS) sessions
  • Accessible to the minimum practical set of hostnames and paths
  • Tagged to be inaccessible via JavaScript (HttpOnly)
  • Tagged to expire at, or soon after, the session’s validity period
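The four cookie requirements above can be checked mechanically against the Set-Cookie header an application emits. The following JavaScript is an added example, not part of the Lex Mundi standards: it parses a Set-Cookie header and reports which of the four rules it misses, and builds a header that satisfies all of them. The eight-hour session lifetime, the cookie names and the sample headers are constructed assumptions.

```javascript
// Added example: audit a Set-Cookie header against the four cookie practices.
// SESSION_SECONDS is an assumed session validity period (8 hours), not a
// value from the Lex Mundi standards.
const SESSION_SECONDS = 8 * 60 * 60;

// Parse "name=value; Attr; Attr=val" into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of findings; an empty list means all four rules are met.
function auditSetCookie(header, sessionSeconds = SESSION_SECONDS, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push('missing Secure: cookie would be sent over plain HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: cookie is readable by script');
  // Scope: a host-only cookie (no Domain) with an explicit Path has the narrowest
  // reach; a Domain attribute also sends the cookie to every subdomain.
  if (attrs.domain) findings.push(`Domain=${attrs.domain} widens scope to all subdomains`);
  if (!attrs.path) findings.push('missing Path: scope is not explicitly limited');
  // Expiry: must be tagged, and must not outlive the session validity period.
  let lifetime = null;
  if (attrs['max-age'] !== undefined) lifetime = Number(attrs['max-age']);
  else if (attrs.expires) lifetime = (Date.parse(attrs.expires) - now) / 1000;
  if (lifetime === null || Number.isNaN(lifetime)) findings.push('no Max-Age/Expires: lifetime is not bounded');
  else if (lifetime > sessionSeconds) findings.push(`lifetime ${lifetime}s exceeds session validity ${sessionSeconds}s`);
  return findings;
}

// Build a header that satisfies all four rules for a session cookie.
function buildSessionCookie(name, value, path = '/app', maxAge = SESSION_SECONDS) {
  return `${name}=${value}; Path=${path}; Secure; HttpOnly; Max-Age=${maxAge}; SameSite=Strict`;
}

// Constructed sample headers: a weak one and the hardened equivalent.
const WEAK_COOKIE = 'sessionid=abc123; Domain=example.com; Max-Age=31536000';
const HARDENED_COOKIE = buildSessionCookie('sessionid', 'abc123');
console.log(auditSetCookie(WEAK_COOKIE));      // five findings
console.log(auditSetCookie(HARDENED_COOKIE));  // []
```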

Background checks

  • A background check is conducted on all individuals with access to confidential information who are hired as IT / cybersecurity staff or as independent contractors.