Cybersecurity Essentials for LegalTech Companies
According to IBM & Ponemon, the average cost of a data breach is a staggering $4.35 million! No wonder companies feel the need to invest heavily in cybersecurity. For legal tech companies, handling a large amount of sensitive client data daily, the stakes are even higher. Beyond the immediate financial impact, a data breach can cause severe reputational damage that is often much harder to repair, making cybersecurity a top priority for legal professionals. As the digital world evolves, strategies for protecting sensitive information must also adapt to increasingly sophisticated threats.
ELTA, the European Legal Tech Association, gathered some of today's leading cybersecurity experts in a digital meeting room. Roeland Delrue, Co-Founder & CRO at Aikido Security, Aidas Kavalis, Co-Founder & Head of Product at Amberlo, Wouter Van Respaille, Co-Founder & CTO at Henchman and Michiel Denis, Head of Growth at Henchman share their expertise and insights on how to install a solid cybersecurity framework for LegalTech companies.
The Growing Importance of Cybersecurity
What are the foundational cybersecurity standards every legaltech application should meet, and how have these standards evolved with emerging threats? Roeland Delrue, Co-founder & CRO at Aikido Security, emphasizes that developing a secure legaltech application starts with the code.
- Programmers write the app in code. The first layer of security is ensuring that the code itself is secure.
- Once the code is ready, it is typically shipped in containers, which are the second layer that must be scanned and monitored.
- The third layer is the cloud environment where the application is deployed.
- The fourth layer is the domains (login.com or app.com) through which users access the application.
Compliance and Continuous Monitoring
Wouter Van Respaille, Co-Founder and CTO at Henchman, stressed the importance of compliance with industry standards such as ISO 27001 and SOC 2. These certifications are not just checkboxes; they are indicators that a vendor is serious about security. He noted that companies without these certifications might lack the necessary resources or commitment to security.
Beyond compliance, continuous monitoring and creative approaches like bug bounty programs are crucial. These programs involve ethical hackers who continually test the system, providing an additional layer of security beyond traditional scanning tools. Van Respaille shares their approach at Henchman: “Aikido continuously scans both our infrastructure and our code. Additionally, we use Intigriti for bug bounty hunting, which involves a collective of social hackers creatively probing and exploring our systems. Compared to traditional scanning tools, this approach is far more innovative. We also use Phished to send phishing simulations to all our employees, raising awareness of phishing and security while adding a touch of gamification. As a company handling a never-ending stream of sensitive data, it's important to have these partnerships rather than doing everything ourselves.”
Because cybersecurity is a complex matter, Aidas Kavalis, co-founder and head of product at Amberlo, points out that it's wise to bring in a third party to evaluate vendors. "An expert in the field can help you discover things you'd never have thought of. Even if an ISO 27001 or SOC 2 standard is implemented, how can you be sure that the certificate matches reality? A professional helps to ask the right questions and ensure that the right things are checked up front."
Legal data is highly sensitive and valuable
The panelists agree that legaltech applications face unique cybersecurity challenges compared to other web applications: alongside financial institutions, they are among the top targets for hackers. Legal data, much like financial data, is highly sensitive and valuable. "The difference is that financial institutions handle money, while law firms manage client information, which can sometimes cause more harm if breached. Recently, there have been several attacks where law firms were hacked, leading to individual targeting of their clients. Therefore, I believe law firms are definitely among the highest-risk sectors," says Kavalis.
Delrue urges vendors and customers alike to be mindful of the value of the data they handle, as it determines the level of security required: "For instance, there's a significant difference between a legaltech vendor that only reviews contracts without storing them and one that holds numerous clients' actual contracts. The more sensitive data you hold, the more attractive a target you become to hackers, who aim to extort money through ransomware or by selling the data. Therefore, whether you are a legaltech vendor or consumer, you should assess the sensitivity and value of your data to potential malicious actors. If your data is highly valuable, it is crucial to implement more rigorous cybersecurity measures than the average company."
Evaluating LegalTech Security
When evaluating the security of legaltech products, law firms should also consider the sensitivity and volume of the data they handle and ensure that the applications have the necessary security measures in place.
As a legaltech provider, Kavalis is asked for three things by his customers:
- ISO or SOC 2 certifications, along with GDPR compliance questionnaires.
- External cybersecurity assessment: Larger law firms often ask for tech sessions, where they bring in external experts to dig deep into Amberlo to see if it has adequate technology and policies in place.
- And from time to time, a history of security incidents. “Fortunately, we haven't experienced any major security incidents so far, which I consider a significant achievement. Since we launched Amberlo in 2017, we have seen daily attempts to break into our systems from some well-known hacker locations,” says Kavalis.
An easy thing to check is whether a company is ISO 27001- or SOC 2-compliant. However, Delrue stresses the importance of understanding what these certifications entail. He sees ISO 27001 or SOC 2 as a shortcut to filling out a lengthy security questionnaire, where ⅔ of the boxes can be checked off automatically. Certifications do not cover everything, though: malware scanning, for example, is not covered by SOC 2. So in some cases, standard ISO certifications might not cut it, and you might want to add some deeper questions of your own.
On-premise vs hosted in the cloud?
With the rapid advancements brought by GPT and other AI technologies, evaluating technology in law firms has become increasingly crucial. However, there has always been an on-premises vs. cloud hosting debate. Let’s have a look at what this means first:
- On-premise software: customers physically own and run the servers and host their applications on them.
- The private cloud: customers adopt Microsoft Azure, the Google Cloud Platform or AWS, and run all their applications inside their own network there.
- The cloud: applications run fully in the vendor's cloud, and customers adopt that technology as a service.
"I don't want to get hit by a car, so I'll just stay home forever. Or I could actually go somewhere, and when I cross the street, I look left and right first to make sure I'm safe."
Van Respaille uses this analogy to compare on-premises to the cloud. In his view, staying on-premise is outdated. "It means you will be excluded from a lot of innovation. My advice to all law firms is to fully embrace the cloud but approach it thoughtfully. Be aware that there are security checklists available. These don't need to be overly complex or resource-intensive; a basic questionnaire can suffice for evaluating the tools you wish to adopt. This approach creates an initial layer of security, giving you a clear understanding of what you're actually purchasing. In summary, 'Go full cloud, but know which tools you are going to adopt!'"
If certain standards are met, Delrue sees on-premise as a legitimate option: "If you have a top-notch on-prem program with dedicated security people who know how to manage that on-prem, then it's definitely a viable option." However, he believes that high-quality on-prem security is rare. "If you're dealing with very highly professional cloud providers and you don't have the in-house resources to manage your on-prem, it's probably safer to go with the cloud version because there are a lot of security risks on-prem." So basically, it’s a risk assessment: where do you want the risk to be, and who do you want to manage that risk?
"Very often, on-premise becomes a single point of failure," Kavalis adds. "If one perimeter is breached, it often means that all the other systems are also quite easily accessible. I have rarely seen a layered approach to on-prem cybersecurity, where each application is isolated in a separate security zone."
From ideation to deployment
Of course, legaltech vendors should integrate security standards and measures from the start, even before the product has been built.
"It starts with the software developer's laptop. The developer writes code, and that's where you can do the first check. That's what Aikido does," says Delrue. "Whether it's code, containers, cloud, domain, in every part of the development lifecycle, Aikido can do security checks." Being too strict, however, can slow down the development process tremendously. That's why Delrue advises using the risk categorization of vulnerabilities and security issues (low, medium, high, critical) smartly. "If you start blocking them at medium, you're going to slow down development: they're going to be stopped at every step they take because of some security check that needs to be fixed. Sometimes it's a little easier to only block the 'critical issues' and then maybe fix the 'highs' later in a focused moment."
Throughout the whole development lifecycle, you can perform different checks to maintain a proper security posture. In the world of security products, this is referred to as 'shifting left'. "This means catching someone earlier in the cycle, which makes it easier to fix than when it's already live with a customer. Because at that point the damage is done," Delrue says.
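The four layers listed earlier (code, containers, cloud, domains) and Delrue's advice to block only on critical findings while deferring highs can be expressed as a small pipeline gate. The following is an added example written for this article; it is not Aikido's code or API. The findings, the layer names and the `Finding`/`gate` names are all constructed for illustration. The gate fails closed on a finding whose severity the scanner left blank or unrecognised, and it lets a team compare how much a stricter threshold would block.

```python
"""Severity-gated security check for a development pipeline.

Added illustration, not vendor code: findings below are constructed sample data.
"""
from dataclasses import dataclass, field
from collections import defaultdict

# Ordered severity scale from the article (low < medium < high < critical).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# The four layers where checks run, in the order the article lists them.
LAYERS = ("code", "container", "cloud", "domain")


@dataclass(frozen=True)
class Finding:
    layer: str      # one of LAYERS
    severity: str   # as reported by the scanner; may be blank or mixed case
    title: str


@dataclass
class GateResult:
    blocked: bool                       # should this pipeline stage fail?
    blocking: list = field(default_factory=list)   # must be fixed now
    deferred: list = field(default_factory=list)   # fix later in a focused moment
    ignored: list = field(default_factory=list)    # below the deferral threshold


def normalise_severity(raw: str) -> str:
    """Map scanner output onto the known scale; fail closed on anything unknown."""
    key = (raw or "").strip().lower()
    return key if key in SEVERITY_RANK else "critical"


def gate(findings, block_at="critical", defer_at="high") -> GateResult:
    """Split findings into block / defer / ignore buckets by severity threshold.

    block_at: lowest severity that fails the stage (article's advice: "critical").
    defer_at: lowest severity that is recorded for later fixing (default "high").
    """
    block_rank = SEVERITY_RANK[block_at]
    defer_rank = SEVERITY_RANK[defer_at]
    if defer_rank > block_rank:
        raise ValueError("defer_at must not be stricter than block_at")

    result = GateResult(blocked=False)
    for f in findings:
        if f.layer not in LAYERS:
            raise ValueError(f"unknown layer {f.layer!r}")
        rank = SEVERITY_RANK[normalise_severity(f.severity)]
        if rank >= block_rank:
            result.blocking.append(f)
        elif rank >= defer_rank:
            result.deferred.append(f)
        else:
            result.ignored.append(f)
    result.blocked = bool(result.blocking)
    return result


def count_by_layer(findings) -> dict:
    """Findings per layer, so a team can see where its backlog concentrates."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.layer] += 1
    return dict(counts)


# Constructed sample scanner output, one or two findings per layer.
SAMPLE_FINDINGS = [
    Finding("code", "high", "Hard-coded credential in configuration loader"),
    Finding("container", "critical", "Base image ships a known-vulnerable library"),
    Finding("cloud", "medium", "Storage bucket allows public object listing"),
    Finding("domain", "low", "HSTS header missing on application domain"),
    Finding("code", "HIGH", "SQL query built by string concatenation"),
    Finding("cloud", "", "Scanner reported a finding with no severity"),
]

if __name__ == "__main__":
    for policy in (("critical", "high"), ("high", "medium"), ("medium", "low")):
        r = gate(SAMPLE_FINDINGS, *policy)
        print(f"block at {policy[0]:8s}: blocked={r.blocked} "
              f"blocking={len(r.blocking)} deferred={len(r.deferred)} ignored={len(r.ignored)}")
    print("findings per layer:", count_by_layer(SAMPLE_FINDINGS))
```

Running the module side by side with the three policies shows the trade-off Delrue describes: blocking at medium stops five of the six sample findings, while blocking only at critical stops two and parks the two highs for a later fix. The blank-severity finding counts as critical in every policy, because a gate that silently passes unclassified output is no gate at all.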
In an age where data breaches can cost millions and reputations hang by a thread, it's clear that cybersecurity is no longer an option for legaltech companies; it's a necessity. So whether you're debating cloud vs. on-premises or evaluating a new tech solution, remember: in the digital age, the only thing more expensive than investing in cybersecurity is not investing in it.