An In-Depth Guide to Legal Vendor Cyber Risk Management
The cyber threat landscape is complex and security breaches have become a daily occurrence. The rise in the number of high-profile cyberattacks reinforces the need for organizations of all sizes to boost their cyber resiliency.
An organization’s legal department, in particular, may face serious challenges when it comes to risk management of its vendor ecosystem. As a company’s reputation and data are at increasing risk of being compromised, it is critical for legal departments to adopt a comprehensive and robust approach to vendor cyber risk management.
There are a number of detailed steps to consider when building a strong Legal Vendor Cyber Risk Management (LVCRM) program, which enables the management of cyber risk among vendors and suppliers. Understanding the third-party cyber risk management life cycle is critical for both the organization and its vendors to decrease security control gaps and minimize overall risk.
It is important to note that risk management is not a one-time activity. After developing an LVCRM program, organizations must continually assess risks and augment their program. By addressing vendor cyber risks, an organization can mitigate the exposure to its legal department, and thereby the entire organization, reducing the risk of being the next headline.
PART 1: Why Your Legal Department Needs to Conduct Cyber Risk Assessments
Accountability for Legal Vendor Management
Since the financial crisis, legal departments have experienced their greatest evolution, pushing toward operational excellence and driving greater value from their outside counsel. Although ever-increasing hourly rates started to bring some work in-house, strong reliance remains on outside counsel and alternative legal service providers to meet the legal services needs of most corporations. Well over 50% of legal department budgets are spent on outside law firms, and they will undoubtedly be the primary service provider to law departments for the foreseeable future.
The relationship between legal departments and their outside counsel is unique and valuable to an enterprise but also challenging from a risk management perspective. This trusted relationship is often tied to a single attorney, rather than a firm, leading to a fluid landscape, where varying caseloads and the mobile nature of attorneys lead to an ever-changing level of engagement across firms. Further complicating this relationship is the fact that many legal departments have obtained exemptions from their corporation’s standard procurement and vendor management processes.
When traditional procurement channels are not engaged, it’s not uncommon to find ownership and accountability of this relationship residing entirely within the legal department. The growth of legal operations has certainly allowed legal departments to decouple the practice of law from the business of law. Although this transition hasn’t always been easy, a set of sourcing best practices and accepted standards has been developed through the hard work and advocacy of organizations like the Corporate Legal Operations Consortium (CLOC) and the Association of Corporate Counsel (ACC).
Outside Counsel Management Guidelines and Cyber Risk Management
Most large legal departments have developed their own vendor management programs, including an Outside Counsel Management (OCM) program that typically includes elements around preferred vendors, alternative fee arrangements, budgeting, invoice review, billing compliance and performance evaluations. Generally, OCM programs are implemented to better define the business relationship with outside counsel, manage costs and drive greater value – all worthy goals. Unfortunately, these programs often lack the risk management components that are typically part of the procurement function, with any cyber risk assessment of outside counsel and other legal vendors often conspicuously missing from the list of OCM activities.
This absence is notable not only because risk management is often a critical step of a traditional procurement process, but also because of the nature of data transferred to outside counsel. In many organizations, this is a treasure trove of highly sensitive and privileged data, representing a relevant and curated list of a company’s litigation, mergers and acquisitions, intellectual property, lobbying activities and more. A 2017 formal opinion from the American Bar Association observed that “[t]he FBI has reported that law firms are often viewed as ‘one-stop shops’ for attackers (with information on multiple clients) and it has seen hundreds of law firms being increasingly targeted by hackers. Law firm breaches have ranged from simple (like those resulting from a lost or stolen laptop or mobile device) to highly sophisticated (like the deep penetration of a law firm network, with access to everything, for a year or more).”
As demonstrated by the breach of Mossack Fonseca, known colloquially as the Panama Papers or the subsequent Paradise Papers, an incident at a single firm can have a meaningful impact on hundreds of downstream client organizations. Couple this concentration of sensitive data with increasing global geopolitical tensions, and the need to ensure that organizational data is being appropriately protected is something that can no longer be conveniently ignored. “Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.”
Budgets – particularly those focused on activities generally perceived as cost centres, such as cybersecurity – continue to shrink. “Since 2007, with the exception of a spike in 2011, the trend for profit margins has been slightly downward over the entire decade.” The impact of these budget reductions is seen clearly in recent studies that indicate that law firms have not prioritized or allocated adequate resources to securing their client data:
Perhaps a more alarming 2018 statistic from the American Bar Association indicates that “23% of respondents overall reported this year that their firm had experienced a data breach at some time.”
Although reported cybersecurity incidents usually focus on loss or theft of data, business interruption poses an equally significant risk to organizations. We have seen several recent examples of this situation befalling large law firms in a public way. In 2017, DLA Piper – one of the world’s largest and most profitable law firms – spent several days at a standstill as a result of a malware incident. Not only did this incident cost the firm more than 15,000 hours of overtime for internal information technology staff worldwide, but it was also extremely damaging for the firm. The now infamous image of a whiteboard in the lobby of one DLA office instructing employees to undock and turn off their computers is an unpleasant reminder of this incident.
These risks might manifest in outside counsel, but the ownership of these vendor risks lies squarely with an organization’s general counsel. Although it’s possible to outsource the work or operations, it’s not possible to outsource the risk.
A recent survey of over 130 general counsel from around the world was conducted by Kroll, a division of Duff & Phelps, and LegalWeek. This report highlighted the changing role of the general counsel within an organization and assigned responsibility for these – and perhaps all – cyber risks to their domain.
“General counsel are becoming the quarterbacks,” says Jason Smolanoff. “They’re increasingly owning the risk that’s associated with a breach and, as a result, are taking on more and more cyber security responsibilities.”
Indeed, ultimate responsibility will fall with the general counsel in many of these cyber-related situations – whether it’s because the breach has regulatory implications, the response is coordinated through an outside firm to provide privilege, or litigation is a possibility. This potential for scrutiny is now being understood by proactive general counsel, who are realizing that before they coordinate cyber risk responses across the organization, they must ensure their own house is in order.
PART 2: Develop Your Legal Vendor Cyber Risk Management Program
The prospect of adding cyber risk management to an Outside Counsel Management (OCM) program can be daunting. Legal operations professionals are quite comfortable enhancing the business and operations of legal departments; however, they may think that engaging in complex cyber risk assessments is better left to their enterprise security teams. Unfortunately, outside counsel firms are generally exempt from traditional vendor procurement or onboarding processes, including the engagement of these security teams. Most legal departments view their ability to retain ownership of the legal vendor onboarding process as key to successfully managing these unique outside counsel relationships. Therefore, cyber risk management must be considered as an integral part of the risk management activities within your OCM program.
Beginning Your Journey
The challenges of increasing transparency about cyber risk are similar to those that many legal departments experienced when seeking greater transparency into outside counsel spend. Relationship and engagement managers may regard efforts to understand the cyber risk of their firms as something that hampers their highly trusted and personal relationships. Therefore, obtaining executive and management sponsorship is critical.
Clearly communicate that the purpose is to establish a culture of security and to manage cyber risk across the legal vendor portfolio, not to penalize firms. Training attorneys and support staff within the department to understand the goals and objective of the risk management initiative is vital as you begin your initial outreach to firms.
Legal Vendor Cyber Risk Management Life Cycle
As you begin to engage your legal vendors on cybersecurity risks, understanding both the big picture and the steps that you and your firms will need to take together is important. The third-party cyber risk management life cycle involves five core phases: collect, validate, analyze, remediate and monitor.
The first phase of any risk management life cycle is to collect the data you will use to drive the rest of the process. Collecting the right data (i.e., data that will help drive risk-based decisions) in an appropriate format is paramount to avoiding the pitfalls associated with data overload. Sending a questionnaire that contains 100 cyber risk questions to 100 vendors will quickly test any team’s ability to review and process thousands of responses.
Well-accepted approaches to collecting this data include leveraging internally developed questionnaires, purchasing standardized assessment questionnaires (e.g., Standardized Information Gathering from Shared Assessments), engaging vendors that specialize in legal vendor third-party risk assessment (such as Duff & Phelps CyberClarity360™), or purchasing a subscription to an outside-in network security rating service (such as SecurityScorecard or BitSight). The decision to build your own assessment vehicle or buy content or services from a vendor is covered in Part 3: Augment Your Legal Vendor Cyber Risk Management Program.
Things to consider for this phase of the life cycle:
- Thoroughness and Focus. Are you obtaining the necessary data to drive the subsequent life cycle phases? Are you collecting extraneous data that’s not being used but instead needs to be reviewed and processed? Reducing the scope to only those elements that you’re actually leveraging can reduce friction for your vendors, increase velocity and reduce risk around collecting and housing sensitive data that isn’t adding value.
- Modality. How will you collect the data? Will you collect it manually using spreadsheets or Word documents via email, or will you use a shared platform like SharePoint? You may even choose to use a platform designed to collect data from hundreds of vendors simultaneously. Consider the human capital required to operate in this modality and ensure that you can support it at the appropriate level.
- Evidence/Collateral. How will you improve the quality of responses? Will you gather supporting collateral or evidence? If so, have you considered the implications around securely transmitting and storing this often sensitive information? Equally important is evaluating whether you have the expertise in-house or need to hire experts to provide a meaningful level of review.
Data Collection: “Outside In” or “Inside Out”?
When collecting information to analyze the security posture of your legal vendors, it is important to consider the primary source from which you will receive this information. As mentioned above, there are multiple collection methods, primarily divided into two categories: “outside-in” and “inside-out.”
Inside-Out Data Collection
This method delivers data around the vendor’s own view of themselves, usually through self-assessment questionnaires. The unique benefit of this approach is that no one knows more about an organization’s people, policies, procedures and controls than the organizations themselves.
Inside-out data can provide much greater clarity about the organization’s security culture, which is particularly important in assessing insider threats, and helps in understanding matters such as the frequency of security practices (employee training, vulnerability scanning and penetration testing) and business continuity and disaster recovery capabilities. This approach can also serve as a proxy for a vendor’s transparency, which is important in a world where it’s not if, but when you are breached.
Inside-out collection methods give vendors the ability to share rich information about what they have in place today and what they are planning to deploy soon, which has the potential to create an active dialogue between you and your vendors. Finally, when the inside-out view is tied to a specific request developed, deployed or tailored by an organization (such as a questionnaire), it can better reflect the requesting organization’s unique security controls, requirements and data governance regulations.
Inside-out data collection, specifically self-assessments, does have some drawbacks. Certain vendors will paint their security posture in the best possible light and may, even if required to attest to the validity of the information, provide inaccurate or misleading responses. Additionally, some organizations may feel that by sharing this type of sensitive information they are putting themselves at risk, and thus refuse to participate in this type of assessment or provide such limited data that it becomes of minimal use for the purpose of the exercise. Some vendors provide only specific information that has been sanitized and streamlined for sharing and draw a hard line in the sand on sharing anything beyond that.
These challenges can be mitigated through positive communication and taking extra steps around requesting and reviewing inside-out assessments. Letting vendors know that this assessment will be viewed as an important part of this relationship, that honesty around security challenges will be met with discussion and not accusations, and that falsehoods will have consequences, will go a long way to ensuring honesty and accuracy in what is shared. Ensuring that any data collected in this mode is shared within a secure medium with limited access and strong controls will help reduce many security concerns.
Some risk assessment solutions, like CyberClarity360, use ‘intelligent’ questionnaires to improve the quality of vendors’ responses, incorporating features such as rules engines that check for inconsistent responses and prompts asking vendors to provide evidence supporting submitted responses.
Outside-In Data Collection
This method, also known as “Security Risk Scoring” or SRS, is traditionally provided by a vendor who has scanning tools and the capability to review publicly available information to make a prediction on an organization’s cybersecurity posture. Popular vendors in this category include BitSight, SecurityScorecard and RiskRecon.
The main benefits of this method are speed and scale, allowing faster review of a large number of vendors. The data is usually already collected and can be validated in the sense that it was observed at a certain date/time on a certain set of unique identifiers (e.g., server names, IP addresses, etc.). Companies that provide this service typically derive a score from their data, based on one or more of the following data elements:
- Website: specifically, how up to date the website software is
- Visibility of networks: looking at how many devices can be accessed from the internet
- History of breaches: leveraging public and private data
- “Unmasked” Accounts: how many account credentials associated with the organization are available on the dark web or were involved in previous breaches
Each of these various “outside-in” providers has taken the time to collect information on as many entities as possible, and since they are viewing publicly accessible data sources, generally do this without the permission, interference, or – in many cases – knowledge of the entities being assessed. This enables them to provide largely unbiased data, though there are some drawbacks to this methodology.
The main challenge of using this type of collection is that it represents a specific data point that has no context from the organization itself. The security posture of an organization does not consist simply of what’s “outside the firewall” or otherwise publicly accessible. Full visibility cannot be achieved by reviewing what is externally available, as the controls and protocols operated by a good security team often lie within the organization, working behind a website, and extend beyond the systems and technology themselves.
Additional challenges of this data collection method exist for organizations that are either very large, very small, or relatively new. Very small or new organizations may not have much of a digital footprint, which limits what data an “outside-in” scan can provide. Thus, they may appear to have a stronger posture than they really do, simply because there are no “findings” available. For very large organizations, the opposite can be true. These scans may collect a significant amount of data, resulting in high findings on components such as “attack surface” or other metrics that similarly struggle with accuracy at scale. Another challenge is attribution: these services often use automated scans to find security weaknesses, and it can be difficult to ensure that a weakness found actually belongs to the vendor in question. Finally, each of these vendors presents the data and score against its own rubric and with a varying degree of supporting documentation, which makes it difficult to compare results across providers.
“Outside-in” versus “inside-out” is an important decision as you collect data to assess your vendors, and one that should be made considering the entirety of your vendors’ security capabilities. To achieve the most holistic view of a vendor’s posture, consider an “inside-out” collection, supplemented by “outside-in” data to either support or refute the results of the “inside-out” self-assessment components. Ultimately, your organization should collect data it can validate and trust to make these important risk-based decisions.
Validation is often the shortest phase of the life cycle; it also tends to be overlooked. The primary objective of this phase is to ensure that the data you’re going to use to drive the rest of the life cycle is complete, relevant and has a high level of integrity.
If your collection process includes evidence, use the Validate phase to ensure that the evidence provided is both present and relevant. Vendors may send the same standard evidence package in response to every assessment request, and that evidence may be out of date, out of sync with your request or otherwise incorrect. Ensure that you are satisfied with the supporting evidence you receive from vendors. If it’s not relevant or complete, have vendors revisit their submissions.
The goal of the Validate phase is to minimize both downstream frustration and time spent by vendor teams and your own team. If the data provided is insufficient, the Validate phase is the time to address the issue. Once a vendor clears the Validate phase, the working assumption regarding the data is that it’s complete and accurate. This can serve as the underpinnings for any risk-informed decisions taken by your organization in the Analyze, Remediate and Monitor phases.
The Analyze phase is one of the most difficult because it requires processing large and often disparate amounts of complex data and deriving meaning at both the micro (individual security controls for individual vendors) and macro (overall performance of your portfolio of vendors) levels. To accomplish this, it is helpful to establish:
- Minimum required controls
- Inherent risk
- Disposition/action required
Minimum Required Controls
Establishing a baseline of security controls that you expect vendors to have in place will enable you to clearly articulate your expectations in these critical areas and demonstrate a standards-based approach to vendor evaluation.
Typically, minimum controls address the following key areas of cyber hygiene and operations:
- Security policy
- Inventory and device management
- Access control (including passwords)
- Encryption (in transit and at rest)
- Audit and logging capabilities
- Incident response and disaster recovery
- Breach notification
Many organizations struggle to define these controls themselves and turn to an external resource, such as the Center for Internet Security or the National Institute of Standards and Technology. You can also develop controls that are tailored to the inherent risk level or type of data your organization is sharing with a given vendor. A more detailed and nuanced discussion on these processes is in Part 3: Augment Your Legal Vendor Cyber Risk Management Program.
Once you establish these minimums, communicating them to your vendor community is important. Having a meaningful, collaborative conversation with a vendor about its risk posture is nearly impossible if you do not first define the metrics against which it is being measured. It’s also important to understand that some vendors will not be able to meet a given set of minimum controls, particularly smaller vendors or those that are not focused on technology. As you will see in the Remediate phase, closing these control gaps will likely take time and significant effort on the part of your vendor. To support this process, prioritize your minimum controls so that the most critical gaps are addressed first.
For many large organizations, the volume of third-party legal vendors can quickly rise into the hundreds or even thousands. Even well-supported and well-resourced third-party risk programs will be challenged with evaluating risks at this size and scale. To help address this, organizations leverage an inherent risk rating to help categorize vendor risk and focus their limited resources on addressing the highest risk vendors first.
“Inherent risk” is defined as the risk that is present in a vendor when no additional controls are in place. Once controls or remediation have been applied, the term “residual risk” is often applied. Because inherent risk is just that – inherent – it’s a great starting point to identify potentially high-risk relationships and begin to better understand and manage those risks. This process, also known as scoping, generally hinges on several factors relating to your relationship with a given vendor, including:
- Type of data shared
- Amount of data shared
- Type of service provided
- Systems integration/connectivity
Even the most mature organizations struggle with classifying their data against an internal taxonomy, making monitoring of data flows with external vendors almost impossible. As a result, some organizations, particularly legal departments evaluating outside counsel, look at annual spending as a proxy to determine inherent risk. While tempting, spend falls short as a meaningful risk metric in a few key areas. For example, some firms have a high volume of work, and thus high spending, but may only have access to public data. Conversely, a firm can have a relatively small amount of data and still have a high spend. Finally, spend is a lagging indicator, meaning any risk decisions you make based on spend are always made using old data.
Once you have determined how you are going to categorize the inherent risk of your vendors, you can prioritize the analysis of those vendors with the highest risk given your chosen risk categories. This is a critical step in building your cyber risk story – especially if an incident does occur with a vendor while you’re midway through your cyber risk assessment process. In general, if you have defined your risks, sorted your vendors according to those definitions and prioritized the highest risk relationships first, you are in a much stronger position relative to an incident. If you haven’t done any of these things, you are less likely to get the benefit of the doubt from your board, from regulators or in litigation.
Inherent Risk Approach for Legal Vendors
The inherent risk approach for assessing the legal vendor portfolio may not be optimal. The unique and fluid nature of the relationship with outside counsel could easily shift utilization across law firms. A new discovery by a business unit could force an organization to quickly share significant sensitive information with a firm that had previously been used only on a small scale or for less sensitive matters. Such circumstances could completely change the risk profile of the firm, often without any trigger to reassess the risk. An inherent risk approach would likely exclude such a firm during the initial review. Accordingly, when assessing legal vendors, it is more important to take a comprehensive approach and to understand the risk profile of all firms at a given time.
The outcome of the Analyze phase should provide clear next actions for the vendor in question. Typical outcomes for this phase of the risk management life cycle include a variation on one of the following dispositions:
- Accept all risks – no action required on behalf of the vendor
- Conditional acceptance – some actions required by the vendor
- Do not accept – alter or terminate the relationship with the vendor
Of all phases, Remediate is not only the most critical but also the most often overlooked. In this phase, you use the data you have collected, validated and analyzed to drive improvements across your portfolio, or implement your own internal compensating controls to better manage the risks surfaced through this process.
Many organizations are hesitant to meaningfully engage in this phase because of one or more of the following:
- Responsibility for remediation rests solely with vendors
- Potential exposure to downstream liability exists
- They have insufficient resources or technical expertise to provide remediation guidance
- The sheer volume of vendors and control gaps is overwhelming
While these hurdles are common, overcoming them is critical if your goal is to meaningfully manage and mitigate risk in your vendor portfolio.
Considering every control gap as an equal risk is not productive, nor is asking a vendor with multiple control gaps to remediate them all concurrently. Instead, work to prioritize your vendors against your inherent risk ratings. Address the highest risk vendors first, and focus on their most critical risk control gaps.
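To make the Analyze and Remediate steps above concrete, here is a constructed Python illustration added to this guide (it is not the guide’s own tooling, nor CyberClarity360 or any other product). It scores inherent risk from the four scoping factors, lists a vendor’s gaps against the seven minimum-control areas, maps the result onto the three dispositions, and orders the remediation queue by inherent risk rather than by spend; the weights, thresholds, disposition rule and the three sample firms are assumptions.

```python
from dataclasses import dataclass

# The guide's seven minimum-control areas, each with a constructed criticality
# weight (3 = most critical) so that the most important gaps are remediated first.
MIN_CONTROLS = {
    "security_policy": 1,
    "inventory_device_management": 2,
    "access_control": 3,
    "encryption": 3,
    "audit_logging": 2,
    "incident_response_dr": 3,
    "breach_notification": 3,
}

# Scoring tables for the four inherent-risk (scoping) factors named in the guide.
# The category values and points are constructed for this illustration.
DATA_TYPE = {"public": 0, "internal": 1, "confidential": 2, "privileged": 3}
DATA_AMOUNT = {"small": 0, "moderate": 1, "large": 2}
SERVICE_TYPE = {"advisory": 0, "litigation": 1, "transactional": 2}
CONNECTIVITY = {"none": 0, "portal": 1, "integrated": 2}


@dataclass
class Vendor:
    name: str
    data_type: str
    data_amount: str
    service_type: str
    connectivity: str
    annual_spend: int   # kept only to contrast the spend ordering with the risk ordering
    controls: dict      # inside-out self-assessment: control name -> True if in place


def inherent_risk_score(v: Vendor) -> int:
    """Inherent risk before any controls are considered: the sum of the four factors."""
    return (DATA_TYPE[v.data_type] + DATA_AMOUNT[v.data_amount]
            + SERVICE_TYPE[v.service_type] + CONNECTIVITY[v.connectivity])


def inherent_risk_tier(v: Vendor) -> str:
    """Bucket the score into high / medium / low (constructed thresholds)."""
    score = inherent_risk_score(v)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def control_gaps(v: Vendor) -> list:
    """Minimum controls the vendor reports as missing, most critical first."""
    missing = [c for c in MIN_CONTROLS if not v.controls.get(c, False)]
    return sorted(missing, key=lambda c: (-MIN_CONTROLS[c], c))


def disposition(v: Vendor) -> str:
    """Map the analysis onto the guide's three dispositions (constructed rule)."""
    gaps = control_gaps(v)
    if not gaps:
        return "Accept all risks"
    critical_gap = any(MIN_CONTROLS[c] == 3 for c in gaps)
    if inherent_risk_tier(v) == "high" and critical_gap:
        return "Do not accept"
    return "Conditional acceptance"


def remediation_queue(vendors: list) -> list:
    """Highest inherent-risk vendors first; within each vendor, most critical gaps first."""
    ordered = sorted(vendors, key=lambda v: (-inherent_risk_score(v), v.name))
    return [(v.name, inherent_risk_tier(v), control_gaps(v), disposition(v))
            for v in ordered]


def spend_order(vendors: list) -> list:
    """The spend-as-proxy ordering the guide warns against, shown for comparison."""
    return [v.name for v in sorted(vendors, key=lambda v: -v.annual_spend)]


def _with_gaps(*missing: str) -> dict:
    """Self-assessment with every minimum control in place except the named ones."""
    return {c: (c not in missing) for c in MIN_CONTROLS}


# Constructed sample portfolio (fictitious firms).
PORTFOLIO = [
    # High spend, high volume of work, but only public data: low inherent risk.
    Vendor("Firm A", "public", "large", "advisory", "none", 2_000_000,
           _with_gaps("inventory_device_management")),
    # Modest spend, but privileged litigation data over an integrated connection.
    Vendor("Firm B", "privileged", "moderate", "litigation", "integrated", 150_000,
           _with_gaps("encryption", "breach_notification")),
    Vendor("Firm C", "confidential", "small", "transactional", "portal", 600_000,
           _with_gaps("audit_logging")),
]

if __name__ == "__main__":
    print("Ordered by spend:", spend_order(PORTFOLIO))
    for name, tier, gaps, action in remediation_queue(PORTFOLIO):
        print(f"{name}: inherent risk {tier}; gaps {gaps}; {action}")
```

Running it shows Firm B at the top of the remediation queue despite having the lowest spend, which is the guide’s point about spend being a poor proxy for inherent risk.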
Working with your internal vendor relationship managers and points of contact to share the findings from your assessment is essential, including the risk and impact of any gaps and desired remediation activities. Generally, the more collaborative and proactive you can make this exercise, the better the likely outcome of the overall effort. Recall that the objective is not to be punitive toward your vendors but rather to identify and better manage risk. Many, if not most, vendors will require a significant investment of resources to remediate gaps.
The mode of communication should be appropriate to the risk. For high-risk vendors or those with high-risk control gaps, connecting directly via a phone call, web conference or in-person visit is more effective to ensure they fully understand the scope of your expectations and have a chance to ask any clarifying questions. For low-risk vendors or those with low-risk control gaps, the use of a more automated mode of communication is likely appropriate.
The activities to close any gaps with vendors often represent a significant project. Each legal vendor has a unique cyber risk story. The larger and more mature vendors are better able to respond to remediation activities in a reasonable manner. Smaller or less mature vendors are simply unable to devote adequate resources to addressing cyber risk. Therefore, a flexible approach is needed to achieve an improved posture across the portfolio.
Vendors should be allowed to determine the remediation activity and time frame because their priorities will be driven largely by their own commercial and business goals. However, you can set expectations to help guide both the vendor and your own internal resources to an agreement that meets the needs of both.
Once a remediation plan has been established and work is underway, continued diligence is necessary to ensure the vendor delivers on its promises. Best practices include requesting regular updates regarding progress on the agreed-upon plan.
Beyond monitoring compliance against agreed-upon remediation plans, it is a best practice to monitor vendors for news or information that may materially impact your relationship, present additional risks or exacerbate existing risks. You can accomplish this additional monitoring through a range of available services, including traditional negative news feeds.
In addition to the phases of the third-party risk management life cycle, you should consider several other elements as you begin to build your program.
Risk management is not a one-time activity. While some components of risk management certainly reflect a point in time, the need to continually reassess risks is driven by many factors, including:
- Continuously evolving threat landscape
- Dynamic relationships with changing risk profiles
- Internal changes to technology, sourcing and data utilization
- Increasing state and federal regulatory compliance obligations
To account for each of these challenging elements, you need to create a program that is sustainable, scalable and defensible. This means that you will have ongoing program activity and should ensure that the associated cost and efforts are understood and supported by the highest levels of leadership within your organization.
While the creation of a Legal Vendor Cyber Risk Management program is not a small undertaking, it’s critically important given the significant reliance on your external legal vendor ecosystem to deliver legal services. Ensuring that your vendors understand not only their role in maintaining a secure posture but also the importance of transparency and collaboration through the required diligence is paramount to appropriately mitigating risk. By implementing the steps discussed in this guide, you will make meaningful progress toward both maturing your approach to managing cyber risk within your vendor ecosystem and engendering material progress in enlisting your vendors to partner with you on these efforts.
PART 3: Augment Your Legal Vendor Cyber Risk Management Program
By now, hopefully, it’s clear that developing a Legal Vendor Cyber Risk Management (LVCRM) program to evaluate your legal vendors should be a priority as part of maturing your overall legal operations. In this section, we discuss the decisions you’ll make as you supplement or augment your existing capacities in this regard.
Most legal operations groups lack the capabilities and tools that LVCRM requires, yet they are responsible for most, if not all, of the diligence process. To overcome this challenge, think critically about the balance between internal resources, desired outcomes and the risks being addressed. This part of the LVCRM Best Practices Guide should set the stage for decisions on how much external support to acquire, as very few – if any – legal operations departments can handle this process on their own and still meet the best practice standards.
Assess Your Situation
Before setting out on this journey, you should take stock of your existing posture, establish a solid understanding of internally available resources and fully comprehend the costs and long-term implications of engaging any internal resources.
Be sure to consider the following areas when approaching a build or buy decision:
- Capacity. Do you have sufficient resources to dedicate to the process, including the nonobvious time requirements around communication, content creation, and engaging internal and external stakeholders? Supplementing your LVCRM by choosing a vendor that offers managed service support will allow you to better balance the competing priorities faced by your internal resources.
- Expertise. Cyber risk assessments require technical cybersecurity expertise. In many cases, some of this capacity can come from internal enterprise information security resources, but these resources often come with restrictions that may be a nonstarter for legal operations professionals. Legal operations are unlikely to have cybersecurity subject matter experts (SMEs) on staff. People with these skills are in high demand, making them difficult to find and expensive to secure. Consider these long-term, fully burdened costs as you weigh the decision to hire or contract these skilled professionals.
- Tools. Performing LVCRM at any scale will require support from one or more technology tools. Rudimentary or small-scale programs can be run in a mostly manual fashion using standard business tools such as email, spreadsheets and perhaps a single shared repository, such as SharePoint. Beyond a couple of dozen vendors, however, you will likely need tools to help with the creation, distribution, collection, validation, analysis, storage and tracking of vendor cyber risk efforts. If these tools are not already in place, you need to consider the acquisition, maintenance, performance and other elements of any tools you decide to acquire to either supplement your team or provide outright augmentation.
What It Takes
Building an LVCRM program requires you to secure not only people but also application-specific technology and expertise. Regardless of whether you build the program in-house or secure external support, you must address the core elements of building this program. These elements generally fall in one of two cost areas:
- Startup Costs. Elements you need prior to beginning any cyber risk assessments.
- Operating Costs. Elements you need as your assessment program continues to operate.
While these core elements should be present in your program regardless of how much of your program is run in-house, the decision to operate internally will impact not only the actual cost of these core elements but also who bears the cost. Keep this in mind as you consider each of the following LVCRM components.
The underlying core of any LVCRM program is the assessment itself. Everything else – any software for handling workflow around the assessment, any analysis that comes out of the assessment, or any other downstream remediation or risk decisions – is based squarely on this fundamental collateral. Many organizations have developed their own internal assessment questionnaire. Often, this has been done in an ad hoc manner over time, without a concerted effort to adhere to a recognized standard control framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or Center for Internet Security (CIS) Controls.
Furthermore, these assessments often feature questions that can unintentionally complicate the process of both completing and reviewing assessments. Consider these common assessment question structures and their unintended consequences:
- Yes/No/Not Applicable Questions. Writing questions that are easily answered with these common responses can seem like a good approach because it limits the number of choices and leads to the development of straightforward questions. Unfortunately, it also creates constraints that drive assessment creators to quickly balloon the number of questions or leave valuable details obfuscated because they don’t fit cleanly into a yes/no approach.
- Open-Ended Questions. As a response to the constraints of yes/no questions, it can be tempting to include open-ended questions that encourage a narrative response. Narrative answers require humans not only to write the questions but also to read and interpret every response once it has been received. This significantly increases the time it takes to both respond to and analyze assessments. It also creates an opportunity for confusion when responses don’t fully or accurately address the question.
- Scaled Response Questions. While a rating scale can be incredibly helpful to better understand a vendor’s posture, presenting a set of choices without explicitly defining them can lead to confusion and miscommunication. What you may think qualifies as a 2 on the scale may be what a vendor considers a 4 on the same scale. Avoid these challenges by defining any answers against a known set of standards.
Controls and Content
Because internally developed questionnaires are often drawn from contributions from different business units, they can feel disjointed and suffer from a lack of ownership with regards to the content (or, conversely, a significant challenge around territorialism of the content, creating significant internal friction when making modifications). Updating content becomes a similarly difficult proposition, with the complexity of the exercise increasing exponentially as additional stakeholders are added.
As mentioned earlier, the sheer scope of the assessment and vendor population will quickly out-scale manual processes such as email, spreadsheets and shared file storage. Modern software tools can help solve these issues of scale, but not all are created equal.
Some software tools handle only the workflow components and do not provide any assessments or support for assessment creation – these pieces of content must be developed independently and brought to the platform.
Some software tools handle only certain parts of the risk management life cycle (namely Collect and potentially Validate), leaving your team to struggle to analyze, remediate and monitor with either a manual process or another software solution. Other software solutions are built for more general-purpose governance, risk and compliance support – making them too bulky to gracefully tackle a vendor risk management problem – or require high levels of commitment to custom module development, training or both.
In selecting the software, look for a solution that:
- Is tailored to your needs;
- Supports the security standards you’re seeking to evaluate your vendors against;
- Requires little to no custom development or platform-specific training; and
- Supports as many of the vendor risk management life cycle phases as possible.
While there may be no such thing as a perfect solution, those built to address your problems will perform better than those built for another purpose.
As you engage your vendors, they will inevitably have many questions about the assessment process. Often these questions begin before you even distribute the first assessment, as your vendors learn of your intention to begin an assessment process. Without hiring external support in the form of consulting or managed services, your team will handle each of these questions. If you lack external support, you should ensure that you have the capacity to answer questions ranging from the premise of the exercise to exceptions or exemptions to technical information about the assessment content. Clear and consistent communication, combined with a strong expectation setting, will make the process go more smoothly, but there will always be hiccups. A solid dose of empathy when working with your vendors can help smooth out these bumps in the road.
In addition to the headcount necessary to support the communication around these efforts, consider developing a knowledge base of standardized responses to common questions. This will ensure consistency and fairness across your program and reduce response times and levels of effort. More advanced solutions may contain metrics around this service desk style approach and may even leverage software specifically built to handle these issues, with tickets, tracking, knowledge base support and additional functionality. If these capabilities are not presently available in your enterprise, consider acquiring them or acquiring a managed service provider that can provide them to your vendors on your behalf.
Outcomes and Remediation
In addition to handling the content of the assessment, communication regarding the outcome of the assessment and any required or requested remediation will add an additional burden to your team. Consider looking for this communication capability within a software solution or managed services support that will help to track and communicate these needs. In many ways, the long tail of these components can be more burdensome than questions regarding the assessment itself because each remediation plan is tailored to a specific vendor and carries its own activities, timelines and monitoring needs. At scale, managing these open threads can quickly overwhelm even the most dedicated team.
Given a large number of vendors in need of assessment and the often limited time and resources for corporate legal departments to complete their risk assessments, it can be tempting to leverage existing reports and resources to help cover more of this ground more quickly. Engaging with these functions can have great value but can also present unique challenges.
INTERNAL SECURITY TEAMS
Many large enterprises have equally large enterprise information security operations, often performing similar cyber risk assessment functions. Unfortunately for corporate legal departments, collaborating with these internal resources is not always as easy as one would hope. In some instances, engaging these internal resources requires participation in a procurement process that simply does not work from the legal operations perspective. In other cases, the scope of the cyber risk assessments available through internal channels is either too large or too small. Internal resources also tend to suffer from a challenge of velocity, with risk assessments frequently taking somewhere between six weeks and six months to fully complete. Navigating these challenges can be so difficult, time-consuming and costly that obtaining your own risk assessment capacity often makes better business sense, but this does not mean that you should leave your internal cyber colleagues completely in the dark.
Engaging these internal enterprise security teams can have significant benefits. One strong way to offer a path forward is to work with your internal resources to ensure that their highest priority risk areas are addressed in the process that you are building. This may take the form of a minimum set of controls expected to be in place with third-party vendors or a certain set of questions addressed within the process.
CERTIFICATIONS AND ACCREDITATIONS
In an admirable effort to standardize controls and validate their implementation, several security-specific attestations are available in the market, and you have doubtlessly already encountered them. Chief among these is ISO/IEC 27001 certification (the guide refers to the 2013 edition; the 2022 revision has since replaced it, and existing certificates are being transitioned to it), typically performed by an accredited third-party certification body at the vendor’s request.
This certification consists of a systematic representation of an organization’s information security management system, as evaluated against the International Organization for Standardization (ISO) control set and validated by an independent certification body or auditor. Achieving it is not a small undertaking and often represents a significant effort in terms of both time and financial resources. That said, it has a couple of elements that make it difficult to rely on as the sole source of truth for a meaningful cyber risk program.
First, the breadth, depth and cost of the ISO certification process can be prohibitive for many mid-sized and smaller vendors. A recent study indicated that only 9% of all law firms have achieved this ISO certification [3], meaning that you’re left to do your own assessment on the remaining 91% of firms.
Second, an ISO certificate is only as useful as its stated scope. Clearly understanding what is in scope for a given certification will help you determine where gaps in coverage exist. For example, it is not uncommon for an ISO 27001 certification to be limited to internal systems, applications and services. It may not cover external services, including web-based Software-as-a-Service solutions, or contract employees (including attorneys). Always read the scope statement printed on the certificate itself; these out-of-scope elements are left to you to assess.
System and Organization Controls 2
Developed by the American Institute of Certified Public Accountants (AICPA), the System and Organization Controls (SOC) 2 audit is an assessment of the system-level controls of a service organization against the Trust Services Criteria (as opposed to SOC 1, which covers controls relevant to a customer’s financial reporting). SOC 2 reports come in two types: a Type 1 report evaluates whether controls are suitably designed at a point in time, and a Type 2 report additionally tests whether those controls operated effectively over a review period, typically six to twelve months.
Similar to the ISO certification discussed earlier, SOC 2 Type 2 reports are developed to be thorough assessments of an organization’s security posture but also have shortcomings. They are conducted by an independent third party and offered as a proxy report for overall security posture. As with ISO, the scope can be a significant area of concern when reviewing a SOC 2 Type 2 report. Anything that is not explicitly included in the scope of the said report should be considered to be out of scope and thus completely unaccounted for in the contents of the report. Perhaps this is not a high-risk consideration for your relationship with a given vendor because all your interactions are covered under the scope of the SOC 2 Type 2 report. If not, however, you must conduct your own assessment on out-of-scope items.
In addition to the scope challenges, SOC 2 Type 2 reports are frequently written in close collaboration with the organization, often to the point where any potential findings of risk or areas of concern are minimized or excluded. Indeed, it is rare to find SOC 2 Type 2 reports that contain any negative findings. If they do, the findings tend to be inconsequential, appearing only as token content for that section of the report. When reading one, go beyond the auditor’s opinion letter to the tests-of-controls section, where any exceptions noted during testing are recorded, and to the complementary user entity controls, which list the obligations the report assumes you, the customer, are meeting.
Generally, both ISO 27001 certification and SOC 2 Type 2 reports should be considered useful but not sufficient. Unless your entire relationship with the vendor in question is addressed in the scope of the certification or report, additional risk assessments will be necessary to diligently address areas of concern.
Shared Assessments Standardized Information Gathering
These challenges often drive organizations to consider premade and readily available assessment vehicles, such as the Shared Assessments Standardized Information Gathering (SIG) questionnaire. The SIG, as it’s commonly known, is not as standardized as it might seem. To allow organizations to create more tailored assessments, Shared Assessments has introduced the ability to scope and tailor questionnaires beyond the three pre-scoped SIGs already offered – Lite, Core and Full. Because of this, there is less and less overlap between the assessments as organizations mix and match questions from the various pre-scoped parts, resulting in gaps between what vendors may have previously answered and what an organization is looking to have vendors complete. This often defeats the reusability purpose of the SIG, and the only way to be prepared to respond to any question is for vendors to complete the Full SIG, which comprises over 1,400 questions.
Furthermore, the SIG assessments include several of the assessment question structures, mentioned earlier, that can make interpreting results more complicated. Namely, much of the SIG relies on a Yes/No/Not Applicable response, followed by a scaled response for questions answered in the affirmative. Some SIG questions are mapped to standards such as the NIST Cybersecurity Framework or CIS Controls, but others are not, further compounding the difficulty of understanding what these answers mean against your chosen standard. Because of their standardized nature and licensing agreements, organizations are not able to change the wording of SIG questions to better meet their needs, which can limit flexibility and scope.
Evaluating the landscape of third-party risk tools and services can be overwhelming. Each one claims a meaningful differentiation from the others, yet they appear to be very similar after reviewing the details of each one’s website or marketing sheet or talking to their representative at a conference booth. In the next section, we’ll discuss the three pillars of people, process and technology to help evaluate which partners will be the best fit for your team.
PART 4: People, Processes, Technology
Successfully executing a thorough cyber risk process requires people with cyber risk expertise. If you do not have these SMEs as part of your full-time legal operations staff, you can secure their services in one of three ways:
- Hire Resources. Many organizations use the concept of a business information security officer to play the role of cybersecurity SME for a business unit. Some corporate legal departments are large enough to have this role on staff, but you should consider whether you have the volume of work to keep someone in this role busy full-time. If you can justify the volume, then you should consider the cost. Senior cybersecurity experts in major metropolitan markets are commanding high salaries and have many opportunities available to them. Few of these experts have direct experience in the legal market. You will likely need to offer significant salary and incentives to secure such a full-time hire, and doing so quickly may not be possible with today’s labour market. Be prepared to endure both the timeline and the fully burdened cost if you choose to secure a full-time in-house resource to support this effort.
- Leverage Internal Resources. Today, large enterprises operate information security departments that have a large degree of influence and a high level of capability. These large firms have a significant set of talent and capabilities on staff and can address some of today’s most pressing cybersecurity issues. The question you must answer is whether you can leverage these resources for your program’s needs and at what cost. Sometimes these internal cyber risk assessment resources are only available through an existing procurement process that does not make sense for your legal vendors. Sometimes these resources are limited if another business unit has pressing issues, making their timelines long and unpredictable. Finally, these resources may come with cross-billed charges for their time that can approach the cost of either your own dedicated resource or dedicated external resources.
- Leverage External Resources. Outside vendors are a popular way to secure cybersecurity expertise on an as-needed basis. The plus side of this model is that you can often secure a high level of cyber expertise on short notice and use it when you need it, giving you the flexibility to meet changing demands in your workload. You should consider the particular expertise in choosing your security consultant, including experience in cyber risk assessments and the legal vertical. Be prepared to pay a premium for these skills in an on-demand manner or to sign a longer-term agreement because these consultants are in high demand.
Defining the process for your Legal Vendor Cyber Risk Management (LVCRM) program will be critical to its success. Part 2: Develop Your Legal Vendor Cyber Risk Management Program details the risk management life cycle and has specifics on the elements you need to ensure your program addresses. If your LVCRM program is not yet well-defined, consider leveraging a service provider that can help you build out your process. Some providers have predefined processes that align well with the goals of an LVCRM program. Others will help you define your processes as part of their engagement. Consider how far along you are in your own development and choose the support that will meet you where you are and get you where you are trying to go.
Typically, these services are coupled with people, technology or both.
Using software to help build and run your LVCRM program is a must. Achieving best practices without the aid of technology is virtually impossible. You should also be diligent in your procurement process to ensure that any technology you choose optimally enhances your capabilities without limiting your program or providing a false sense of security with regards to your process, output or risk findings.
In general, third-party risk technology breaks down as follows:
- Assessments Only. The most basic technology used in third-party risk is offered in an assessment only model. While thinking of a questionnaire as a piece of technology may seem counterintuitive, a significant amount of technical thinking is often put into these best-of-breed assessments. An assessment should allow you to address the risks you have identified as being priorities for your organization, map to a standard and allow you to get a rich understanding of your vendor’s responses (beyond simply yes/no). On the other hand, an assessment should not be overwhelming for a vendor to complete and should be accessible to vendors that may not have cybersecurity or technical expertise on staff (which is common for smaller and mid-sized legal vendors). By leveraging an assessment that has been developed specifically for third-party risk assessments, you can significantly shorten your time frame to begin assessing vendors and avoid common pitfalls when creating an assessment internally and from scratch. Be sure to get buy-in from the requisite stakeholders on the assessment because the data returned from this exercise will serve as the bedrock for the rest of your process.
- Distribution and Collection Tools. A plethora of tools is available to help you distribute and collect your third-party risk assessments. In the smallest of organizations, these tools may be common manual tools, such as email. For organizations of any larger size, a dedicated software platform is a meaningful improvement and considered a best practice for achieving third-party risk assessments at scale. Some of these platforms are also paired with assessments, which can address two areas of technology with a single purchase. Others require you to bring your own assessment content to the platform. Be sure to understand which functionality is present in any vendor you are considering and understand how that functionality, or lack thereof, fits into your overall processes. While these platforms can significantly accelerate the distribution and collection process, you should understand what other capabilities are offered. Some may offer algorithmic validation or enforce certain rules (e.g., completeness, collecting required evidence). Be aware, however, that these platforms generally do not have functionality beyond returning completed assessments. As a result, you may be able to leverage these platforms to get to a large data set more quickly but will still be faced with the challenge of making meaning of that data and using it to drive better risk-based decisions, which can be difficult to do without the support of a technology platform.
- Analysis and Workflow Platforms. Recently, some vendors have begun creating third-party risk assessment platforms that are focused not only on the assessment and distribution/collection components but also have built-in capabilities to help your program perform analysis at scale, support the risk management workflow and even address remediation and ongoing monitoring needs. These platforms tend to incorporate assessment and distribution/collection as part of their overall capability, meaning that by purchasing one of these platforms you can get the highest level of functionality. A select few of these offerings can also be paired with managed services from the same vendor, resulting in a particularly potent combination of support for your LVCRM program. When evaluating these vendors, ensure that you understand how they support each of the program areas that you are building, their cost model (a flat fee per year, per vendor assessment, per enterprise user, etc.) and what level of support you can expect at that price.
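As an added example, not taken from the guide or from any vendor product, the following Python sketch shows what two earlier points look like in practice: the advice to define scaled answers against a known standard rather than leaving a bare 1-to-4 scale open to interpretation, and the "algorithmic validation" rules (completeness, required evidence) that a collection platform may enforce before an assessment is returned. Every scale value carries a written definition, each question maps to a control identifier, and a response is rejected if it is missing, uses an undefined scale value, answers "Not applicable" without a justification, or claims a score that requires evidence without attaching any. The question IDs, control codes and sample responses are constructed for illustration and do not correspond to any real framework mapping.

```python
"""Schema-driven validation and scoring of vendor assessment responses.

Added example; all question IDs, scale definitions, control codes
and sample responses below are constructed, not taken from any real
questionnaire or framework.
"""
from dataclasses import dataclass
from typing import Optional

NA = "NA"   # sentinel the vendor uses for "Not applicable"


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    control: str                   # hypothetical control family the question maps to
    scale: dict                    # every permitted score paired with its definition
    evidence_from: Optional[int] = None   # scores at or above this need evidence attached


# Constructed schema: four questions across two hypothetical control families.
SCHEMA = [
    Question("Q1", "Multi-factor authentication for remote access", "PR.AC",
             {0: "No MFA", 1: "MFA for some remote users",
              2: "MFA for all remote users including administrators",
              3: "Phishing-resistant MFA for all remote access"}, evidence_from=2),
    Question("Q2", "Removal of access on staff departure", "PR.AC",
             {0: "No process", 1: "Manual, no deadline", 2: "Within 7 days",
              3: "Same day, tracked in a ticketing system"}, evidence_from=3),
    Question("Q3", "Encryption of client data at rest", "PR.DS",
             {0: "None", 1: "Selected systems", 2: "All systems holding client data"},
             evidence_from=2),
    Question("Q4", "Backups tested by restore", "PR.DS",
             {0: "No backups", 1: "Backups never restored",
              2: "Restore tested annually", 3: "Restore tested quarterly"}),
]


def validate_response(q: Question, answer: Optional[dict]) -> list:
    """Return human-readable issues for one answer; an empty list means it passes."""
    if answer is None:
        return [f"{q.qid}: no response"]
    score = answer.get("score")
    issues = []
    if score is None:
        issues.append(f"{q.qid}: missing score")
    elif score == NA:
        if not answer.get("justification"):
            issues.append(f"{q.qid}: 'Not applicable' requires a justification")
    elif score not in q.scale:
        issues.append(f"{q.qid}: score {score!r} is not a defined scale value "
                      f"(allowed: {sorted(q.scale)})")
    elif q.evidence_from is not None and score >= q.evidence_from \
            and not answer.get("evidence"):
        issues.append(f"{q.qid}: score {score} ('{q.scale[score]}') requires evidence")
    return issues


def validate_assessment(schema, responses: dict) -> list:
    """Check every schema question and flag answers to questions that do not exist."""
    issues = []
    for q in schema:
        issues.extend(validate_response(q, responses.get(q.qid)))
    extra = set(responses) - {q.qid for q in schema}
    issues.extend(f"{qid}: not in schema" for qid in sorted(extra))
    return issues


def score_by_control(schema, responses: dict) -> dict:
    """Percentage of the maximum score per control family.

    NA, missing and invalid answers are excluded from numerator and denominator,
    so this is only meaningful once validate_assessment() returns no issues.
    """
    earned, possible = {}, {}
    for q in schema:
        s = responses.get(q.qid, {}).get("score")
        if s == NA or s not in q.scale:
            continue
        earned[q.control] = earned.get(q.control, 0) + s
        possible[q.control] = possible.get(q.control, 0) + max(q.scale)
    return {c: round(100 * earned[c] / possible[c]) for c in possible}


# Constructed sample responses: one clean submission and one with every defect type.
GOOD = {
    "Q1": {"score": 2, "evidence": "mfa-policy.pdf"},
    "Q2": {"score": 2},
    "Q3": {"score": 2, "evidence": "kms-config-export.txt"},
    "Q4": {"score": 3},
}
BAD = {
    "Q1": {"score": 3},          # top score claimed, no evidence attached
    "Q2": {"score": 4},          # undefined scale value
    "Q3": {"score": NA},         # "Not applicable" without justification
    # Q4 omitted entirely
    "Q9": {"score": 1},          # answer to a question that is not in the schema
}

if __name__ == "__main__":
    for name, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_assessment(SCHEMA, resp), score_by_control(SCHEMA, resp))
```

Two design points are worth noting. The validator reports all defects at once rather than stopping at the first, so a vendor gets a single round of corrections instead of several; and scoring silently drops anything that did not validate, which is why the return from `score_by_control()` should only be trusted after `validate_assessment()` comes back empty. Running this on the BAD submission shows the trap: the one valid answer scores the PR.AC family at 100% while the other three questions simply vanish from the denominator.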
Finally, as you consider your partners, ask if they can bring any other benefits in addition to their people, process or technology contributions. Some vendors can provide an accelerated review process through an exchange model, where they may have already completed reusable assessments on some of your vendors. In certain cases, a significant number of your vendors already may be present in this exchange, which can significantly shorten the time it takes for you to implement best practices.
Other aspects to consider are partners who can support additional elements of the risk management life cycle, including validation services – either on-site or remote – or specific support for remediation activities with your vendors. These validation and remediation capabilities will enhance your risk story in many ways. Validation ensures that your data is as accurate as possible and has been reviewed by experts prior to being used to make a risk-based decision. Remediation capabilities for vendors help answer the difficult questions around how you may be addressing the risks you’re discovering through this process. Both elements can be incredibly time-consuming to achieve on your own and often appear as tangential to the core elements of the LVCRM program. Thus, they are given lower priority for smaller teams or programs with resource constraints. Finding a partner who can help provide these capabilities will further enrich your program by more accurately identifying risks and more diligently working to manage them.
Once you have a good understanding of your portfolio of legal vendors and your organization’s relationships with them, established your strategic partnerships to increase risk assessment velocity, engaged internal stakeholders about your risk assessment process, and chosen your own security standards or expectations, you are in a strong position to successfully implement and accelerate your LVCRM program.
Orchestrating the integration of these elements will not always be easy, and you will likely experience some growing pains along the way, but your risk story will continue to grow stronger with each piece you put into place. A good chief financial officer (CFO) or board will ask “What are you doing about third-party legal vendor risk?” A great CFO or board will ask “So what are you doing with high-risk legal vendors that we still have to do business with?” By following the best practices outlined in this guide, your LVCRM program will be able to address both. Managing these risks – through strategic remediation, internal compensating controls or changes in your organization’s relationship with the vendor – allows you to confidently answer the second question, which is much more important.
Building an LVCRM program is no small undertaking, but today’s general counsels are realizing that they are going to be at the centre of any sizeable cyber incident at their organization. Due to the unique nature of cyber incidents, there will be legal considerations regarding compliance or regulatory impact, conducting incident response activities under privilege, or downstream litigation concerns. Your LVCRM program presents an opportunity to lead by example. Creating an LVCRM program that adheres to the best practices outlined in this guide will ensure that your corporate legal department is doing what it claims it will do with regards to its vendors and is well-positioned to support reasonable management of not only its own cyber risks but those of the entire enterprise.