Running Legal Like A Business - Ch. 12 - Cybersecurity
Chapters 12 and 13 of Running Legal Like A Business by Connie Brenton and Susan Lambreth, PLI Press, 2021, address cybersecurity and business continuity. Both topics are once again of heightened interest and are reason enough to read the book, though it is chock-full of other excellent essays on legal operations.
In the case of cybersecurity, more than 10 years ago, analysis of potential weaknesses in the security of sensitive corporate information led a number of financial companies, in consultation with law enforcement, to conclude that their law firm suppliers were vulnerable and increasingly subjects of interest to hackers. In 2011, financial services members of an informal legal operations NYC group organized by Jeff Isaacs of Goldman Sachs launched a cybersecurity initiative with a dozen or so firms they used in common, to share information and analyze threats. Participating companies included, among others, American Express, Bank of America, Deutsche Bank, Goldman Sachs, Morgan Stanley, and Prudential. In 2015 the group was formalized as the Financial Services Info Sharing and Analysis Center (FS-ISAC), which as of 2020 has more than 150 members.
In chapter 12, authors Ishan Girdhar and Kelly Belfer, both of Privva, Inc.*, note that even if a law firm has extensive protocols in place, its vendors' networks may still have gaps that hackers can exploit to access clients' sensitive information.
The authors walk through 7 steps to pulling together a vendor risk management program for your company or firm (not constrained to legal service providers):
- Assemble a multi-disciplinary team, and a good list of assessment guidelines.
- Inventory a complete list of vendors (including the vendors' vendors).
- Assign all vendors a risk tier according to their data access via a mini assessment. Girdhar and Belfer note the importance of considering all vendors' data access (PHI, PII and PCI) and physical, as well as digital, security.
- Develop a tailored assessment based on risk tier. The authors walk through the areas to be covered and the point weighting in a custom questionnaire, and also recommend the Shared Assessments Standardized Information Gathering Questionnaire (SIG) as a more standard option. In either case, they recommend tailoring the questionnaire to the vendor tier. There are trade-offs between a standard and a custom approach. For your company or firm, a custom assessment gives you exactly the information you find most important; on the other hand, it places an additional burden on the vendor, which must complete a different assessment for each client. I like that the authors suggest you have your own firm or company complete the questionnaire to assess clarity and difficulty before sending it out to vendors.
- Implement the questionnaire. While collecting responses from current vendors, also build the assessment into your RFP or onboarding process for new vendors.
- Score responses against the company standard with an eye on acceptable risk (and not). Report against results.
- Develop an ongoing process for monitoring. The authors recommend setting the review cycle by the vendor's assigned tier and in response to emerging threats, rather than by the vendor's initial score on an information security review, as I am accustomed to doing (with each follow-up review incorporating questions on new threats that have arisen since the last assessment).
The authors offer helpful tips throughout.
At some companies, law firms may have been exempt from supplier information security review requirements. If this is the case at your company, complete a risk audit based on the type of company sensitive information each firm may hold. At minimum, those firms holding sensitive information should be asked to undergo your company's review process. Girdhar and Belfer suggest that for smaller or less mature firms, you can pursue alternative data sharing and storage arrangements, such as giving them remote access to data stored in your own environment.
For technology vendors, I have a preference to require their systems and protocols to be SOC 2 or ISO 27001 (or equivalent) certified. Frequently, when I speak with startups, they respond that their app is housed on a certified AWS or Azure server. This is not in and of itself sufficient. Both AWS and Azure post security protocol recommendations for companies using their services. At minimum, make sure your vendor follows all of the recommended practices (they make a handy checklist).
* Privva, Inc. offers a platform that auto-scores submissions, allows for the submission of remediation tickets, and includes reporting.