Vendor Risk Management: A Revenue Stream for Law Firms

The Big 4 accounting firms have identified legal services as an area for growth beyond traditional financial services and consulting services. Additionally, data security and compliance are critical components for the success of both developing and established companies. These combined trends present an expanding field for law firms to develop partnerships with cybersecurity companies to offer their clients legal expertise with additional business services. Numerous firms have created subsidiaries under the firm’s umbrella to offer consulting services, from big law to mid-size firms, setting a precedent for law firm cybersecurity relations and other relevant consulting services.

Keesal Propulsion Labs

Recently, Keesal Young & Logan’s client consulting team spun up a sister company, Keesal Propulsion Labs (KPL), to augment its service offerings for key clients through a partnership with Mitratech for Mitratech’s TAP Workflow Automation and Privva for Third-Party Vendor Risk Management. The law firm leverages the Privva platform for vendor risk assessment on behalf of the firm and as part of the firm’s client-facing cyber risk practice, and KPL is building custom legal and business process automation workflows on TAP for clients in Silicon Valley and on Wall Street.

These are not just tools purchased; KPL meets with Privva and Mitratech regularly and has become part of the development feedback loop, helping to improve the products by sharing lessons learned in the field.

“By investing our time and energy in our relationships with these strategic partners, we are able to provide integrated solutions featuring best-in-class people, process and tech — each professional and organization focusing on what they do best, while all acting as one unit” says Justin Hectus, KPL Principal and Keesal Young & Logan’s CIO/CISO and a member of Cybersecurity Law & Strategy’s Board of Editors.

A Worldwide Development

The data regulation and compliance environment will only become more restrictive in the future. Governments and governing bodies worldwide are creating legislation to ensure data protection for their citizens in the domestic and global markets. The European Union, Canada and Japan have created some of the most intensive legislation on the topic of citizen data to date, however, experts anticipate China’s data privacy and security standards to be far more reaching than that of the European Union’s GDPR.

In March, 2018, the United States federal government adopted new data breach notification laws that require companies to inform their consumers if any personal data has been compromised, while also expanding the definition of what is considered personal data. Individual states are continually taking greater control of their own data security regulations, with the most intensive legislation coming out of California in the California Consumer Privacy Act. Due to California’s large commercial economy, the state sets precedent for international companies doing business within the United States to implement California standards throughout the entirety of the country.

A handful of other states have also implemented their own data breach laws, including broadening the scope of who is required to post notice of a data breach, including companies or bodies that retain personal or user data. Other state legislation passed that includes penalties and/or fines that may occur if a data-retaining body does not post notice of a data breach to the individuals who may be affected by the breach.

Hedge Against Client Pressure on Hourly Rate

Traditional consulting business models are very similar to law firm business models, including hourly billing rates, fixed fee or value-based pricing models. However, changing business dynamics may result in new pricing models and less traditional hourly billing. Licensing revenue and centralized documentation can mitigate billable hour loses by creating a new relationship dynamic involving increased communications between law firms and their clientele. In turn, increased communications create additional product and firm stickiness for involved clientele. Clients trust their attorneys with managing risk and attending to the most critical and sensitive matters, giving firms an opportunity to offer clients products that can provide more consistent revenue streams. Nelson Mullins Riley & Scarborough LLP formed a subsidiary to offer lower cost HIPAA Risk Assessments under the brand HIPAA2Z.

This solution allows Nelson Mullins to offer a solution to their clients at a lower cost than traditional consulting companies and will likely generate additional business for the law firm through policy development and contract/business associate agreement development and review. HIPAA2Z, which aggregates Privva’s platform with legal and compliance services, streamlines the compliance process, and intersects with a company’s current compliance efforts, by providing a customized risk assessment, management plan and other tools to ensure that documents adhere to the law and that providers and vendors are secure and compliant.

“By combining security and legal services, HIPAA2Z offers everything you need to know, and do, to comply with HIPAA and to be more secure in handling data,” says Roy Wyman, Partner and a former Chief Privacy Officer, who is also a member of the firm’s Healthcare Regulatory and Transactional Team and deals extensively with healthcare IT issues. “By standardizing and automating HIPAA compliance, we reduce the cost, hassle and time required to feel confident about protecting health information and complying with the law.”

Looking Forward: Achieving Impactful Clientele Relationships

Identifying opportunities that will help law firms have a greater impact at the board level will be critical to business and relationships as this trend continues. For example, Gartner stated that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a board-level initiative to mitigate brand and reputation risk. A clear understanding of vendor risk management, clientele/vendor relations, and the overall threat landscape of a client’s industry has the potential to create more partnership opportunities between law firms and their clientele. Increasing the number of impactful relationships among clientele opens opportunities for more current and future board-level involvement.

Overall board-level involvement promotes a more holistic management strategy throughout the entire company. Law firms who provide cybersecurity consultation to company boards can advise additional risk management strategies that not only promote current and future company goals, but that also can create an informed culture of cybersecurity awareness throughout every level of the company, reducing future security risks. Actions taken proactively to reduce cybersecurity risks may also mitigate stakeholders concerned of a looming cybersecurity attack.

Areas of Focus and Opportunities for Legal Services Law Firms

 Vendor Risk Management. Digitization is increasing the flow of information to third-party vendors, creating a greater security risk for companies. The importance of detailed security review and relevant contract terms and condition (e.g., breach notification clauses) is an area in which law firms can add value to their clients.

 SOC 2 Readiness. Increasing data collection and utilization increases data security risks. Regulation compliance ensures best practices are implemented to ensure the Trust Service Principles audited by SOC 2 are properly maintained and mediate potential remediation costs for clients.

 GDPR Assessment. Sweeping European Union data regulations raise requirements and expectations of domestic and international companies when conducting business within the EU. A detailed assessment comprising of compliance thresholds promotes a smooth transition for clients to continue business in the European sphere while minimizing penalty and fine risks.

 HIPAA Risk Assessments. Digitization and the transmission of patients’ medical files from medical facilities to other facilities, offices, and insurance companies create data insecurity. Insecure data transfers can create large gaps in the security of files, putting all parties involved in the transfer at risk of future lawsuits. A comprehensive risk assessment can display insecurities in affiliated third-party clients and give the clientele information to decide how these insecurities may be rectified moving forward. Ensuring the proper policies are in place and implemented are a critical component of being HIPAA compliant.

Law firms expanding their services beyond legal is a logical next step to diversify the existing revenue stream. While consulting services may take law firms and attorneys outside of their comfort zone, possibly causing hesitation, the landscape is changing and forward-thinking firms can create the opportunity to get ahead of it simply by starting the conversation. Identifying areas of need within a particular domain of expertise can complement their practice and provide a new, sustainable revenue stream to take firms to the next level.

A successful program will require a team of stakeholders including IT/security, business development, innovation and attorneys. Identifying strategic partners that will value your client relationship like their own will ensure long-term benefits both financially and strategically.

*****

Ishan Girdhar is the CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process across industries including legal, financial services, education, healthcare and real estate. Prior to starting Privva, Ishan’s experience included corporate strategy, business development, and investment banking including working for the Walt Disney Corporation in their corporate strategy and business development team. The author gratefully acknowledges the assistance of his Privva colleagues, Madison Lovasz and Carly McGee in the preparation of this article.