Reports of cyberattacks, such as the recent Equifax hack, continue to raise awareness across industries that companies must make cybersecurity a top priority. These efforts should not be limited to the IT function: corporate legal departments are particularly exposed through the law firms they engage. Legal organizations, by necessity, have to share a substantial amount of information with their outside counsel. Even though many legal departments are bringing more work in-house, much of the data still shared externally is among the most sensitive and carries the greatest financial and reputational risk.
Surveys (such as the ALM Intelligence 2017 General Counsel Up-at-Night survey) have shown that legal departments do not always put as much focus on cybersecurity as its importance merits. It is therefore important to take action within the legal department right away to begin mitigating third-party risk. To ensure that you are on the right track, be sure to take the following steps:
- Start a formal third-party risk management program in the legal department and collaborate with your internal Information Security and Technology partners. Even if your initial steps will be small ones, or if you have already begun efforts without a formal program in place, you should announce that you are establishing a program. This raises the visibility and emphasizes the importance of the effort among the internal legal team. It also sets the expectation that everyone in the legal department needs to have third-party risk on their radar.
- Use a tiered approach. If, like most legal departments, the majority of your external assignments go to just a few outside counsel, then a one-size-fits-all program isn’t the most efficient or effective for you. Concentrate on the law firms that have the majority of your data, and especially your most sensitive information, particularly when you’re getting started. For instance, if you designate preferred outside counsel, start with them and assess their cybersecurity efforts more rigorously and more often. You may wish to focus even more on those that handle very sensitive areas, such as mergers and acquisitions or intellectual property.
- Require your law firms to self-assess on standardized criteria. Develop a standard set of questions about security practices that outside counsel must answer and keep updated. Use that information to better understand your exposures, and to continuously refine your risk tiers. This exercise may also help firms identify risk they hadn’t considered previously. The Association of Corporate Counsel has issued suggested requirements for law firms, which might help you develop your assessment.
- Develop Corrective Action and Preventive Action plans, and closely manage execution. Develop these plans jointly with your outside counsel, informed by their required self-assessments. To actually reduce risk, it is critical to track the assessment results and take action to correct the uncovered vulnerabilities. Don’t simply assign this responsibility to your firms and move on. To ensure effectiveness, you must monitor and track ongoing execution to make sure that your concerns are addressed.
- Develop a formal incident response approach with plans for likely incident types. When a breach, attack, or other incident occurs, your early response will have a tangible impact on the eventual outcome. There are several types of incidents that, unfortunately, have occurred often enough to have accepted best practices associated with them. Be aware of previous incidents and consider where they may overlap with your outside counsel’s and your own exposures, and have plans ready to go when needed.
Like most important areas that may seem overwhelming at first, cybersecurity is best addressed by building manageably scaled actions into your ongoing operations. Keep in mind that cybersecurity is a continuing and critical business process, not a project to be completed and forgotten. With good plans and processes in place, engaged law firms, and continued focus, you can drastically reduce your department’s risk of outside counsel security incidents.