Know Your Client: 3 Issues Facing In-house Counsel in 2023
By Dan Nelson, Marcie Dickson, Laura Ernde
September 22, 2022 | 12-minute read
A 2022 survey by the Legal Value Network (LVN) highlighted a critical disconnect between law firms and the clients they serve: A strong majority (79%) of law firms said they made “strong efforts” to understand the challenges that law departments face, yet fewer than half of their clients agreed.
There is clear misalignment here, but it is one that legal marketers can help bridge. While every company is different, savvy legal marketers will cultivate knowledge about the trends affecting in-house counsel at large, then position their firms to authentically address them.
Heading into 2023, it’s helpful to consider the emerging issues in three areas — cybersecurity, diversity, and environmental, social and governance (ESG) — and how they will affect in-house counsel. It’s also worth noting that these subjects will play an increasingly prominent role in outside counsel guidelines. According to the LVN survey, 43% of clients said they have terminated a law firm or legal service provider for failing to follow their guidelines.
We asked three subject-matter experts to share the big-picture trends that legal marketers must consider in 2023 and beyond.
Cybersecurity
By Dan Nelson
Cybersecurity threats continue to metastasize on an almost weekly basis. Threat and market trends keep changing, and outside counsel’s awareness of these trends needs to evolve constantly if counsel are to provide up-to-date client guidance.
While an exhaustive survey of recent changes is well beyond the scope of a short article, four changes are of particular note:
- It’s no longer really about your client’s personally identifiable information (PII) or protected health information (PHI);
- New attacks are going to pose much more serious revenue and liability problems;
- Cyber insurance is just plain harder;
- More detailed regulations will hit more of your clients.
PII/PHI is no longer the focus. Don’t misunderstand, your clients must still protect PII and PHI in their care. But bad actors aren’t nearly as focused on the theft of PII/PHI as was the case even a couple of years ago. Over the past several years, the repetitive compromise of everyone’s PII/PHI led to a market glut for this type of stolen data. As a result, black market prices have come down, and bad (but economically savvy) actors have turned to more profitable lines of attack. If your client’s data strategy is solely focused on protection of PII/PHI, they are looking the wrong way.
New attacks present a more immediate and devastating effect. Three current primary threats present a much more profitable target for bad actors: (1) business email compromise (BEC); (2) ransomware; and (3) access/supply chain attacks.
BEC attacks frequently lead to fraudulent funds transfers — your client’s customers end up sending payments to a bad actor’s bank account, for example. Ransomware locks up critical business processes, sometimes for weeks or months. Access/supply chain attacks leverage your client’s assets to launch attacks against a wide array of secondary targets via trusted links between your client and its suppliers or customers.
Each of these attack vectors is much more profitable to attackers for several reasons. Still, one stands out: Every company uses email, every company has some sort of technology-dependent business process that can be locked up, and almost every company has technological linkages to an ecosystem of suppliers and customers. Bonus points, from the attackers’ point of view, in that these attack vectors don’t ultimately lead to an oversupply of ill-gotten goods and consequent deflation.
Each of these attacks lends itself to litigation using tried-and-true legal theories. Unlike PII breach litigation, which often collapses on standing issues, these attacks don’t require much judicial imagination to withstand a motion to dismiss. If funds get misdirected, somebody was likely negligent in allowing BEC compromise. Ransomware leads to missed delivery deadlines or supply failures that may, or may not, fall within “force majeure.”
If your client’s lax security allows an attacker to launch downstream attacks, standard negligence or breach of contract claims are not hard to write. Focusing your client on the attacks that will likely lead to greater business interruption, loss of revenue and litigation risk makes you a better trusted advisor.
Cyber insurance is harder. When we say “harder,” that’s exactly what we mean: harder to get, harder (more expensive) to pay for and harder to use. Many carriers are exiting the cyber insurance market; actual losses far exceeded early estimates, and the threat landscape keeps changing. The remaining carriers have substantially upgraded their underwriting process: if, two years ago, underwriting was a two-page questionnaire, it’s now a 15-page mini-audit plus external security scanning. Rates have also dramatically increased.
Cyber insurance policy provisions were never standardized, and more carriers are narrowing definitions, enhancing exclusions and otherwise making policy language less favorable to insureds. If your client wants to transfer risk via cyber insurance, the client likely has to work much harder to improve their cybersecurity maturity, and you will need to scrutinize policy provisions even more carefully.
Everyone gets a regulation! Even just a few years ago, meaningful cybersecurity regulations only touched a few sectors of the U.S. economy: for example, HIPAA for health care, or GLBA for financial. But just as cyberattacks have refocused from PII/PHI to a wider variety of threats against a wider array of targets, cybersecurity regulation is coming to the masses.
A primary vehicle for this wider net is enhanced privacy laws, which often contain more specific information security requirements beyond the old “reasonable security measures.” Because these privacy laws have far wider reach across industry sectors, their increasingly meaningful cybersecurity requirements likewise catch more companies. California’s incoming Consumer Privacy Rights Act (CPRA), as just one example, will require “cybersecurity audits” for a much broader range of companies.
At the federal level, enhanced cybersecurity requirements for “critical infrastructure” are in process; the definition of what comprises “critical infrastructure” is likely to be much broader than some would have guessed. Agencies such as the Department of Defense and Securities and Exchange Commission are promulgating enhanced information security mandates. A few years ago, the majority of your clients likely had no cybersecurity regulatory requirement; not long from now, it will be a rare outlier client that doesn’t.
Diversity, Equity, Inclusion and Belonging
By Marcie Dickson
Over the past two years, the legal industry has come under increasing pressure to move the needle on diversity, equity, inclusion and belonging (DEIB). Outside counsel, specifically large and mid-size law firms, will be held accountable. The Institute for Inclusion in the Legal Profession’s recent 2022 report on diverse outside counsel portends a serious push among corporate departments to take decisive action.
Here’s what law firms can expect regarding the legal profession’s enduring focus on DEIB.
- The power of the purse: Many corporate legal departments provide a multi-year grace period for law firms to meet diversity requirements and make noticeable changes and improvements. General counsel and in-house counsel can influence the diversity of outside counsel teams working for them and, as a result, can enable diverse lawyers to gain additional experience that is critical for their success. They hold the power and soon will start using it. Firm marketing and business development leaders can help ensure their firms are not in jeopardy of losing opportunities to deepen client relationships or, worse, at risk of losing new matters altogether.
- Expanded scope of corporate supplier diversity requirements: Corporate legal departments typically rely on outside counsel to make determinations about hiring vendors such as expert witnesses, mediators and arbitrators, and more. Law firms can expect greater scrutiny on the level of inclusion and equity among these “second-tier” vendor relationships.
- Disaggregating diversity data: Most law firms lump all women or racial/ethnic minorities together, which impacts the value and usefulness of their diversity data. Outside counsel can stand out by making it easier for clients to evaluate their diversity recruiting efforts, retention rates, development plans, origination credit and matters assigned to diverse attorneys, representation among firm leadership and firms’ broader DEIB initiatives.
- Focus on diversity in requests for proposals (RFPs): Clients take diversity efforts into account in RFPs. Firm marketers and business development leaders can help attorneys highlight and effectively communicate progress on this front to differentiate their firm and win business.
- Emphasis on culture and well-being: While wellness and mental health programs have long been considered within law firms, 2023 will bring a collective industry push to destigmatize such initiatives. Diversity, equity and inclusion aren’t sustainable without a culture of belonging, safety and support — particularly for disadvantaged attorneys.
- Diversity is everyone’s work: Moving the proverbial needle on DEIB isn’t possible without the understanding, awareness, support and participation of white stakeholders. Clients and law firms alike will continue efforts to highlight the importance of diversity. (And not by merely citing the “business case.”) These actions will include what non-diverse outside counsel do to train, mentor and sponsor diverse lawyers; how they include diverse lawyers in succession planning; how they take personal responsibility for DEIB activities within the firm, and commit to ongoing learning and education about these issues.
- Inter-institution collaboration: Faster, sustainable change within the legal profession’s push for diversity and inclusion will require partnership and cooperation across the client-law firm spectrum, particularly in areas around recruiting. Consequently, law firms will stand out for their ability to lead the charge and tell success stories about these collective efforts.
In 2023 and beyond, law firms will be expected to understand clients’ corporate culture and strategic goals. As catalysts for change, law firm marketers and business development leaders are uniquely positioned to help outside counsel embrace the importance of DEIB and communicate progress to clients, coworkers and industry stakeholders.
Environmental, Social and Governance
By Laura Ernde
In recent years, many law firms have embraced the corporate governance model of environmental, social and governance (ESG).
The idea is this: Corporations are under pressure not only to return profits to shareholders but also to advance larger societal goals to preserve the environment and promote racial and gender equity.
But how do corporations execute that vision? Lawyers play an essential role. In-house lawyers in partnership with outside law firms can help corporations navigate complex and rapidly evolving requirements. Some requirements are spelled out by laws and regulations; others stem from stakeholders’ demands, including employees, customers and the public.
Law firms that want to capitalize on this trend should follow their own advice when it comes to ESG issues. Here are examples of common ESG services being offered. These services may go from nice-to-have sentiments to quantitative requirements memorialized in outside counsel guidelines.
- Leadership: Law firms are being asked to help their in-house counterparts take a leadership role in making ESG a priority for the company. They may help get buy-in for ESG initiatives at the executive and board levels. It makes sense, then, for clients to inquire whether their outside counsel is blazing a similar trail within their law firm. When ESG lawyers can demonstrate this kind of leadership internally, clients will be reassured they are in good hands.
- Materiality assessments: The world of ESG issues is vast. It might include how well a company is meeting environmental sustainability standards, how diverse its executive and board teams are or how it ensures the well-being of employees. Outside counsel are sometimes tasked with helping companies to narrow their ESG focus so they can be more strategic. These materiality assessments aim to identify what topics stakeholders care about most and where the company can have the greatest impact. Law firms should consider doing an assessment of themselves. Holding up this magnifying glass will give them clarity about what ESG issues their clients care about most and give them the opportunity to address them before they are asked to make commitments in outside counsel guideline agreements.
- Pressure testing: ESG work often involves evaluating the data used to measure whether a company has met certain benchmarks. Outside counsel are tasked with pressure testing to make sure the data is reliable and not some form of greenwashing. Likewise, law firms should examine their own records when it comes to the ESG issues their clients care about, to ensure they can stand behind the commitments they have made — either verbally or in outside counsel agreements with their clients.
- Crisis communications: Companies that fail to live up to their ESG commitments become a potential target for the news media, requiring them to respond quickly to make sure their side of the story gets reported. Clients may want to know that their outside counsel is prepared to assist. Make sure the ESG team is trained in crisis communications in case the client wants to include such support in the guidelines.
ESG advising requires law firms to do some soul-searching about what issues they and their clients care about most. It also involves due diligence to make sure that they are prepared to make those commitments in writing via outside counsel guideline agreements.