TAG Cyber Law Journal

Is This the Hour of the Wolf?

David Hechler | March 02, 2020

Arctic Wolf Networks was painting a bleak picture. And they didn’t have to look very hard for ammunition. Law firms have been under attack. You don’t have to look farther than the headlines. There was the Panama Papers hack. DLA Piper had its computers frozen for days. Cravath and Weil Gotshal also suffered data breaches.
     More recently, a group of hackers called Maze have hit firms of various sizes with ransomware attacks. To make matters worse, after freezing the firms’ computers, the hackers threaten to release client data if the lawyers don’t pay up. An American Bar Association survey found that more than a quarter of the firms surveyed had experienced a security incident last year.
     Arctic Wolf, a managed security service provider (MSSP), was briefing TAG Cyber analysts and suggesting that firms that try to tackle this themselves are in over their heads. They don’t have the staffing to manage this themselves. It would take eight to 12 full-time security analysts to monitor security 24/7 for a midsize enterprise.
     What was the solution? Todd Thiemann, Arctic Wolf’s director of product marketing (who was sitting in Sunnyvale, California) and Dan Deeth, head of communications (based in Waterloo, Canada) said that it’s a Security Operations Center (SOC).
     But how can a law firm afford to build, much less staff, one of those?
     Good question. Arctic seems to be betting that many of them can’t, or won’t. And that’s why it offers SOC-as-a-service. Thiemann and Deeth had detailed slides that explained how it works.
     Firms are monitored at all times. Two Arctic employees are assigned to each firm, and they join together to monitor the customer environment and work with clients. Not only are logs monitored, customers can review the telemetry themselves. And the SOC services can work seamlessly with whatever security technology stack the client uses.
     Most important, firms can rest easy knowing that their own clients’ data is protected and their costs are predictable (as opposed to the potential costs of breaches and attacks). One key factor for law firms is that services like Arctic Wolf’s enable them to more easily answer vendor risk management questionnaires.

How Much Will That Cost?
Speaking of costs, we asked Thiemann and Deeth if they would provide the range of fees they charge for these services. They didn’t have these in their slide deck, but they promptly sent us another presentation with the answers.
     The costs were calculated for three years, based on the business size. For small shops (500 end users), the Arctic Wolf Managed Detection and Response range was from $279,000-$346,000. For medium (1,000 end users), it ran from $502,000-$551,000. For large (3,000 end users), it cost $1,304,000-$1,563,000.
     For comparison’s sake, Arctic Wolf ran the costs of building and staffing a SOC yourself versus outsourcing the service. A three-year comparison showed that doing it yourself for a small firm was almost nine times as expensive as outsourcing; for a medium firm, it was more than seven times as expensive; and for a large firm, it was almost four times as costly.
     All told, it seemed like a pretty persuasive presentation. Except that the clients they were discussing were law firms.
Lawyers are often uncomfortable with technology. The ABA actually had to adopt a rule a few years ago to tell lawyers they have a professional and ethical responsibility to get up to speed on technology, if only to protect the interests of their clients. Trained in a field that is built on precedent, lawyers are often uncomfortable when forced to change old practices.
     On top of that, partners at a firm can be a cantankerous group of joint owners. Getting them to agree on a new venture often proves difficult—especially when it involves a large outlay of money.
     We wondered whether Arctic Wolf had studied these issues before diving into this particular market. We also wondered whether they had prepared for the possibility that a client that suffers a painful breach, despite the equipment and expenses, might decide to sue.
When we asked Thiemann and Deeth that last question, they had indeed considered the prospect. Thiemann pointed out that Arctic Wolf’s terms of service minimize any legal exposure (and it certainly reads as though it was prepared by teams of lawyers, and vetted by dozens more). And none of the firms they’ve worked with, he added, has yet decided to sue.
     As for the other challenges the company faces in its bid to sign up law firms, we note that in its slide deck were statistics from last year’s ILTA survey on technology. In head-to-head competition with other MSSPs, Arctic Wolf was doing well in the two categories of firms ranging from 50 to 350 lawyers, though it had struck out with the largest firms.
     Ultimately, time may be on this company’s side. Technology invariably grows familiar as it’s widely adopted. If the risks of cyberattack continue to be scary and unpredictable—and sometimes ruinous—another well-known quality of lawyers may hold sway. Lawyers are known to be risk-averse.


Expanding, Adjusting but Still Focused on E-Discovery

David Hechler | February 17, 2020

When Exterro was founded in Beaverton, Oregon, in 2007, e-discovery was still new. It wouldn’t be until the following year that the U.S. Supreme Court amended the Federal Rules of Civil Procedure to create a category for electronic discovery.
     Fifteen years later, the privately held company is still at it. E-discovery is still what it does. And the company is proud of its determination to stay the course. But it’s also made changes that have added product offerings, while it continues to serve the in-house legal market.
During a briefing for TAG Cyber’s analysts, chief marketing officer Bill Piwonka emphasized continuity. Some of the earliest e-discovery vendors “stumbled” by swerving into intrusion detection and data loss recovery, he said. His company, by contrast, has resisted the impulse to dive into security work.
     But there have been changes—starting with the role of the general counsel. Over the past decade or so, Piwonka pointed out, lots of functions have been reporting up to the GC, like privacy, compliance and ethics. This new “convergence of responsibilities,” he said, has meant that “previously siloed organizations” are now better integrated.
     Exterro has followed this lead. Last June it acquired Jordan Lawrence, a maker of data privacy and information management software. The move was designed to create a newly integrated software platform. And it resulted in a partnership with the Association of Corporate Counsel, the largest membership organization for in-house lawyers.
Jordan Lawrence was the association’s exclusive provider of privacy and cybersecurity services. Now Exterro is the exclusive provider of e-discovery software for ACC members as well, Piwonka said.
     The relationship may also help facilitate another initiative. Having focused for the past 15 years on the Global 2000, the CMO said, Exterro is now thinking that the relationship with ACC “will improve our ability to go after the midmarket,” between $250 and $1 billion in annual revenues.
The concepts he laid out struck us as reasonable. But they also seemed at odds with his description of a company that always keeps its eyes on the ball. E-discovery, e-discovery, e-discovery.
     The menu has expanded. Especially since Piwonka also mentioned that another new product, due out in Q1, will help GCs respond to data breaches. Even though all 50 states have their own data breach notification laws. And that’s just within the United States. (Piwonka explained that the software will just get them started. It will provide templates to direct the workflow, and companies can then customize the product to match their needs.)
     They’re still focused on Legal, and their target is still the GCs. But the focus has gotten a lot bigger. “We want to be your Legal GRC platform,” is the picture that Piwonka painted. And that’s a bigger canvas than “we want to be your e-discovery program.”
     If they can pull it off, it will certainly separate them from the pack.