More than ever, corporate legal departments across industries are focused on cybersecurity. The almost daily barrage of news stories about data breaches and ransomware attacks has corporate leaders feeling uneasy and compelled to take urgent action to contain risk. Unfortunately, at many companies, the legal function has not kept pace with procurement areas on cybersecurity defense, particularly regarding third parties, such as outside counsel law firms and other legal vendors.

Many corporate legal departments leverage information sharing and automation technologies that increase their operational efficiency and improve collaboration with outside counsel. These partners are frequently engaged for the most sensitive work and given access to confidential information. It’s no wonder that events like the Panama Papers release and the WannaCry and Petya ransomware attacks have corporate legal and law firm leaders losing sleep.

The growing cybersecurity threat has prompted advice from professional corporate and law firm industry associations. The American Bar Association released guidelines to help firms understand and meet their professional responsibilities regarding cybersecurity. Meanwhile, the Association of Corporate Counsel (ACC) issued model security controls with a list of suggested security measures for legal departments to require of their vendors. It’s critical to take the advice in these documents on board when establishing a third-party cybersecurity program.

In addition, I suggest that legal departments take the following steps: