Most firms have extensive cybersecurity measures in place, but emerging or unclear regulatory requirements embroil them in a never-ending cycle of evaluation, best-practices review, and implementation. Firms don't just need to have their own systems secured; a responsible firm must also reduce the risk of breach at their third-party vendors. This risk continues to grow as cloud-service providers gain acceptance in law firms. As cloud service providers become commonplace, so too does a firm's responsibility to ensure their vendors are managing risk appropriately.
Managing risk presented by outside vendors is simply the cost of doing business today. “Business efficiency and price are no longer the only key factors in vendor evaluation,” says John Stambelos, CEO of Stambelos Consulting and Former Director of IT at Munger, Tolles & Olson LLP. “Security must have an equal weight in the decision-making process. Your clients demand it and new regulations are emerging across multiple industries.”
For example, the New York State Department of Financial Services is considering a regulatory requirement to conduct supply chain risk assessments in 2018 that will change the landscape of how vendors will be required to provide products and services to this market. The precedent has been set and additional states and regulatory bodies will surely follow suit.
This article considers the cross-industry best practices and provides seven steps to implement a highly effective vendor risk management plan. For firms willing to incorporate these steps, the result will be an industry standard, efficient and streamlined approach to vendor risk management.
From my experience, whether you currently have a vendor risk management program in place or you are starting from scratch, the following steps will help drive management buy-in and firm-wide adoption.
Data security, and specifically third-party vendor management, is no longer just an IT issue. For a security strategy to be successful, data and third-party vendor management must be part of the firm's risk assessment culture. Stakeholders throughout the firm must be held accountable to maintain and follow best practices.
A strong vendor risk management policy must include the scope of the process, the stakeholders, the final deliverable, and the communications process. Stating the objective of implementing a vendor risk management program will set the tone for the organization. In order to have the greatest impact, the tone ought to be set by senior firm leadership, ideally from those outside of IT. The policy should be defined with quantifiable minimum standards of conduct and security (e.g., weighted risk score).
Scope
Which vendors should be part of your assessment process? What assessment methodology ought to be used? How frequently should your vendors be assessed? These questions will help determine the current maturity of your vendor risk management program. If the firm lacks a formal process to evaluate these questions, then first focus on evaluating existing vendors. Then, expand your program to new or potential vendors. Be sure to incorporate contract management evaluations into your process.
Team
For the program to be successful, the vendor risk management team should consist of stakeholders across multiple functional areas of your organization. A team leader should be assigned to manage the coordination and process. Frequently, this is managed by the IT/security team or compliance. Other team members should include business unit leaders, procurement, general counsel, finance/accounting and senior leadership. After all, the firm's most senior leaders are the ones authorized to accept or reject the risks posed by third-party vendors.
Developing a comprehensive list of vendors may seem like a straightforward task, but certain vendors might be overlooked. Too often, firms limit their vendor inventory to IT or IT-related vendors. The growing network of third-party vendors requires firms to expand their definition of a vendor if they are going to identify potential security risks.
Identifying all the firm's vendors can be time consuming and challenging. The program leader should work with legal, procurement, and particularly the accounting team to develop an accurate inventory. One tried and true strategy to assist in the identification of vendors is to request a download of all payments to vendors and external parties over the last 12 months. The vendor management team should review the entire list to determine which vendors have access to firm, employee, and client data.
Categorize Vendors by Risk Tier and Criticality
Once a complete vendor inventory is compiled and each vendor has been categorized by their data access, the next step is to determine the criticality of the vendor to the firm and assign a risk tier to each vendor. The risk tier should determine the depth of the security assessment process that should be taken to assess a vendor's risk to the firm.
Categorizing your vendors by risk tier should be more science and less art. The vendor management team should develop a list of critical questions for each vendor designed to evaluate how they mitigate risk and then assign a weight to each question to help determine a vendor's risk tier. This process ensures consistency across all your vendors during the audit or assessment process. The vendor management team ought to consider the following questions:
Risk Tier 1 vendors should be classified as your organization's business and mission critical vendors that have the greatest access to your organization or clients' sensitive data. Vendors in your tier 1 category must receive your most comprehensive security assessment. Expect to conduct rigorous inquiries into each of these vendors' policies, procedures, and network architecture.
Risk Tier 2 vendors should be classified as your organization's medium risk vendors. Vendors in your tier 2 category should receive a less exhaustive security assessment compared to the tier 1 assessment. The tier 2 assessment should still include questions covering the main risk categories, but your objective is to identify vendors' policies, procedures, and architecture.
Risk Tier 3 vendors should be classified as your organization's low risk vendors. Vendors in your tier 3 category should receive a more focused security assessment compared to the tier 2 assessment. These vendors don't have the same access to organization or clients' data, but your tier 3 questions should still assess the main risk categories. Even though these vendors lack the same access to your firm's data as tier 1 and tier 2 vendors, it is still important to understand the controls in place designed to protect your firm from risk.
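The weighted-question tiering described above, as an added example that is not part of the original article: each question carries a weight, unanswered questions count as worst case, and a vendor's data access sets a floor so the questionnaire can raise scrutiny but never lower it below what its access warrants. The question set, weights, thresholds, access-floor mapping and sample vendors are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed question set; weight = how much the answer moves the score.
# An answer scores 0.0 (control fully in place) .. 1.0 (control absent).
QUESTIONS = {
    "encrypts_data_at_rest": 3,
    "mfa_for_admin_access": 3,
    "annual_third_party_audit": 2,
    "incident_response_plan": 2,
    "staff_background_checks": 1,
}
MAX_SCORE = sum(QUESTIONS.values())
# Assumed tier floor by data access (lower number = more scrutiny):
# a vendor holding client data is always Tier 1, whatever it answers.
ACCESS_FLOOR = {"client": 1, "employee": 2, "firm": 2, "none": 3}

@dataclass
class Vendor:
    name: str
    data_access: str  # "client", "employee", "firm" or "none"
    answers: dict = field(default_factory=dict)  # question -> 0.0..1.0

def risk_score(vendor: Vendor) -> float:
    """Weighted risk as a fraction of the worst possible score (0.0..1.0).
    Unanswered questions count as worst case, so silence is never rewarded."""
    total = 0.0
    for question, weight in QUESTIONS.items():
        answer = vendor.answers.get(question, 1.0)
        total += weight * min(max(answer, 0.0), 1.0)  # clamp bad input
    return round(total / MAX_SCORE, 3)

def risk_tier(vendor: Vendor, high: float = 0.5, medium: float = 0.25) -> int:
    """Thresholds are assumed. The access floor means the questionnaire can
    raise scrutiny but never lower it below what the data access requires."""
    score = risk_score(vendor)
    score_tier = 1 if score >= high else 2 if score >= medium else 3
    return min(score_tier, ACCESS_FLOOR[vendor.data_access])

def rank_vendors(vendors):
    """(name, tier, score) rows: Tier 1 first, highest score first in a tier."""
    rows = [(v.name, risk_tier(v), risk_score(v)) for v in vendors]
    return sorted(rows, key=lambda r: (r[1], -r[2]))

def questionnaire(**gaps):
    """All controls in place (0.0) except the named gaps. Constructed helper."""
    return {q: gaps.get(q, 0.0) for q in QUESTIONS}

SAMPLE = [  # constructed inventory; ScanSvc never returned the questionnaire
    Vendor("DocHost", "client", questionnaire(incident_response_plan=0.5)),
    Vendor("PayrollCo", "employee", questionnaire(mfa_for_admin_access=1.0)),
    Vendor("OfficeSupply", "none", questionnaire(annual_third_party_audit=1.0)),
    Vendor("ScanSvc", "firm"),
]
```

Run `rank_vendors(SAMPLE)` to see the non-responding firm-data vendor escalated to Tier 1 alongside the client-data vendor, while the low-access supplier stays at Tier 3.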
Develop a security assessment methodology designed to evaluate your firm's tolerance to risk, regulatory requirements and best practices. A security assessment can be developed using industry standard frameworks (e.g., NIST, ISO, CIS, etc.) as guidelines, but it should evaluate key areas of risk depending on the type of vendor and their access to your firm's data. Initially, the assessment should be created for tier 1 vendors which are business and mission critical. Then, tailor questions for lower tiers based on vendor criticality.
Key areas of risk your firm should evaluate include:
Distributing the security assessments to vendors and scoring results is the key to implementing a successful vendor risk management program. Implementing and formalizing your program allows you to leverage data to develop an auditable and contractible repository of risk information.
The security assessment methodology will provide you with a comprehensive analysis of policy, risk and vendor risk mitigation procedures. Each question should be reviewed and evaluated independently to identify potential security gaps, risks, and vulnerabilities. Once you have reviewed the results, implementing a risk mitigation plan for potential risks with deadlines tied to your terms and conditions will be critical.
Discuss the results with the vendors and relate any problems or concerns. Transparency is essential if you hope to develop a strong relationship and a culture of security with your vendors. Communicating any proposed solutions or acceptable mitigation measures — along with a specific deadline — will be mutually beneficial.
Once the results of a security assessment are reviewed by the vendor risk management team, the results and any mitigating factors should be shared with the general counsel's office. It is important to tie a vendor's risk mitigation plan of action with specific dates for compliance. Contract Terms and Conditions should include:
Monitor Your Vendors
Law firms are the custodians for highly confidential data for their clients. As cloud services become commonplace in the legal industry, that data is being shared with a growing network of third-party vendors. You must take responsibility for ensuring your vendors are maintaining the same security standards and risk mitigation measures your clients are requiring from you. Technology and security risks are evolving rapidly, so continuous monitoring is critical to the assessment process. The life-cycle of the security assessment has four main steps:
Implementing a vendor risk management program is a critical component of a comprehensive security strategy. As previously mentioned, maintaining a comprehensive third-party vendor risk management program and a detailed security assessment process is the cost of doing business today. As the buyer, owner, or custodian of highly confidential data, law firms have a unique responsibility to their clients to maintain the highest levels of protection for the sensitive information in their care.
Following these steps will ensure transparency throughout the value chain from client to law firm to vendor. Set a policy, stick with it, and communicate to all stakeholders. Because terms and conditions with each vendor can vary, your security assessment process should be tailored to each vendor's access to data and risk to your law firm.
*****
Ishan Girdhar is the CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process throughout the value chain. Prior to starting Privva, Ishan's experience included corporate strategy, business development, and investment banking, including working for the Walt Disney Corporation in their corporate strategy and business development team.