Vendor Risk Management for Law Firms: 7 Steps to Success (Updated 2021)
Most firms have extensive cybersecurity measures in place, but emerging or unclear regulatory requirements embroil them in a never-ending cycle of evaluation, best-practices review, and implementation. Firms don’t just need to have their own systems secured; a responsible firm must also reduce the risk of breach at their third-party vendors. This risk continues to grow as cloud service providers gain acceptance in law firms. As cloud service providers become commonplace, so too does a firm’s responsibility to ensure their vendors are managing risk appropriately.
This article considers cross-industry best practices and provides seven steps to implement a highly effective vendor risk management plan. For law firms willing to incorporate these steps, the result will be an industry-standard, efficient and streamlined approach to vendor risk management.
Whether you currently have a vendor risk management program in place or you are starting from scratch, the following steps will help drive management buy-in and firm-wide adoption.
Step 1: Create a Vendor Risk Management Plan and Assign a Team
Data security, and specifically third-party vendor management, is no longer just an IT issue. For a security strategy to be successful, data and third-party vendor management must be part of the firm’s risk assessment culture. Stakeholders throughout the firm must be held accountable to maintain and follow best practices.
A strong vendor risk management policy must include the scope of the process, the stakeholders, the final deliverable, and the communications process. Stating the objective of implementing a vendor risk management program will set the tone for the organization. In order to have the greatest impact, the tone ought to be set by senior firm leadership, ideally from those outside of IT. The policy should be defined with quantifiable minimum standards of conduct and security (e.g., weighted risk score).
Questions To Ask About Your Vendor Risk Management Program
Which vendors should be part of your assessment process? What assessment methodology ought to be used? How frequently should your vendors be assessed? These questions will help determine the current maturity of your vendor risk management program. If the firm lacks a formal process to evaluate these questions, then first focus on evaluating existing vendors. Then, expand your program to new or potential vendors. Be sure to incorporate contract management evaluations into your process.
Who Should Be On Your Vendor Risk Management Team
For the program to be successful, the vendor risk management team should consist of stakeholders across multiple functional areas of your organization. A team leader should be assigned to manage the coordination and process. Frequently, this is managed by the IT/security team or compliance. Other team members should include business unit leaders, procurement, general counsel, finance/accounting and senior leadership. After all, the firm’s most senior leaders are the ones authorized to accept or reject the risks posed by third-party vendors.
Step 2: Identify All the Firm’s Vendors
Developing a comprehensive list of vendors may seem like a straightforward task, but certain vendors might be overlooked. Too often, law firms limit their vendor inventory to IT or IT-related vendors. The growing network of third-party vendors requires firms to expand their definition of a vendor if they are going to identify potential security risks. Make sure to include:
All third parties that interact with your networks, components or information systems, including software, hardware, and professional services (e.g., Document Management, Time and Billing software, E-discovery, CRM, etc.)
Vendors that provide physical security and support services (e.g., security guards, janitorial, CCTV, etc.)
Identifying all the firm’s vendors can be time-consuming and challenging. The program leader should work with legal, procurement, and particularly the accounting team to develop an accurate inventory. One tried-and-true strategy to assist in identifying vendors is to request a download of all payments to vendors and external parties over the last 12 months. The vendor management team should review the entire list to determine which vendors have access to firm, employee, and client data.
Step 3: Categorize Vendors by Risk Tier and Criticality
Once a complete vendor inventory is compiled and each vendor has been categorized by their data access, the next step is to determine the criticality of the vendor to the firm and assign a risk tier to each vendor. Categorizing your vendors by risk tier should be a science, not an art. The vendor risk management team should develop a list of critical questions for each vendor designed to evaluate how they mitigate risk and then assign a weight to each question to help determine a vendor’s risk tier. This process ensures consistency across all your vendors during the audit or assessment process. The vendor management team ought to consider the following questions:
Will the firm store sensitive client or firm data on the vendor’s systems?
Will the vendor have access to any firm or client data?
Will the vendor hold or have access to firm or client intellectual property or other data that could result in significant harm if stolen?
If this vendor suffers a data or privacy breach, would that trigger any reporting obligations either to clients, the public or insurance carriers?
Would a breach of this vendor necessitate the activation of the firm’s Incident Response Plan or cause the firm to activate its business continuity or disaster recovery program?
Would a failure of this vendor’s systems or processes cause a significant impact to the firm’s (or its clients’) business processes or interrupt the firm’s revenue stream?
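The weighted scoring the step describes, as an added example that is not part of the original article: each of the six questions above gets an assumed weight, "yes" answers add their weight, and the total maps to a tier by assumed thresholds. Vendor names, weights and thresholds are constructed for illustration and should be replaced by the firm's own.

```python
# Added example: weighted risk-tier scoring over the six Step 3 questions.
# Weights, thresholds and sample vendors are constructed assumptions.
from dataclasses import dataclass

# Keys map to the article's six questions; the weights are assumed.
QUESTION_WEIGHTS = {
    "stores_sensitive_data": 5,      # data stored on the vendor's systems
    "has_data_access": 3,            # any access to firm or client data
    "holds_ip_or_high_harm": 5,      # IP or data whose theft causes significant harm
    "breach_triggers_reporting": 4,  # client, public or insurer notification
    "breach_activates_irp_bcp": 4,   # Incident Response Plan or BC/DR activation
    "failure_disrupts_business": 3,  # business process or revenue interruption
}
MAX_SCORE = sum(QUESTION_WEIGHTS.values())  # 24 with the weights above

# (minimum fraction of MAX_SCORE, tier), checked most critical first; assumed.
TIER_THRESHOLDS = ((0.60, 1), (0.30, 2), (0.0, 3))

@dataclass(frozen=True)
class VendorAssessment:
    name: str
    answers: dict  # question key -> True for "yes"; missing keys count as "no"

def risk_score(assessment):
    unknown = set(assessment.answers) - set(QUESTION_WEIGHTS)
    if unknown:  # reject answers to questions outside the agreed methodology
        raise ValueError(f"unknown question(s): {sorted(unknown)}")
    return sum(w for q, w in QUESTION_WEIGHTS.items() if assessment.answers.get(q, False))

def risk_tier(assessment):
    fraction = risk_score(assessment) / MAX_SCORE
    for threshold, tier in TIER_THRESHOLDS:
        if fraction >= threshold:
            return tier
    return 3

def tier_vendors(assessments):
    """Return {vendor name: (score, tier)}, ordered most critical first."""
    ranked = sorted(assessments, key=lambda a: (-risk_score(a), a.name))
    return {a.name: (risk_score(a), risk_tier(a)) for a in ranked}

SAMPLE_VENDORS = [  # constructed sample answers
    VendorAssessment("Document Management SaaS", {
        "stores_sensitive_data": True, "has_data_access": True,
        "holds_ip_or_high_harm": True, "breach_triggers_reporting": True,
        "breach_activates_irp_bcp": True, "failure_disrupts_business": True}),
    VendorAssessment("Time and Billing software", {
        "stores_sensitive_data": True, "has_data_access": True,
        "breach_triggers_reporting": True}),
    VendorAssessment("Janitorial services", {"has_data_access": False}),
]
```

Running `tier_vendors(SAMPLE_VENDORS)` places the document management platform in tier 1 (24/24), time and billing in tier 2 (12/24) and janitorial services in tier 3 (0/24), which is the consistency across vendors the step asks for.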
Step 4: Create a List of Questions for Each Vendor Tier
Develop a security assessment methodology designed to evaluate your firm’s tolerance for risk, regulatory requirements and best practices. A security assessment can be developed using industry-standard frameworks (e.g., NIST, ISO, CIS, etc.) as guidelines, but it should evaluate key areas of risk depending on the type of vendor and their access to your firm’s data. Initially, the assessment should be created for tier 1 vendors, which are business and mission critical. Then, tailor questions for lower tiers based on vendor criticality.
Key areas of risk your firm should evaluate include:
Information Security Policy
Physical & Environmental Security
Identity and Access Management
Security Awareness Training
Data Loss Prevention
Change and Configuration Management
Step 5: Distribute Security Assessment to Vendors and Review Results
Distributing the security assessments to vendors and scoring the results is the key to implementing a successful vendor risk management program. Implementing and formalizing your program allows you to leverage data to develop a repository of risk information. The security assessment methodology will provide you with a comprehensive analysis of policy, risk and vendor risk mitigation procedures. Each question should be reviewed and evaluated independently to identify potential security gaps, risks, and vulnerabilities. Once you have reviewed the results, implementing a risk mitigation plan for identified risks, with deadlines tied to your terms and conditions, will be critical. Discuss the results with the vendors and communicate any problems or concerns. Transparency is essential if you hope to develop a strong relationship and a culture of security with your vendors. Communicating any proposed solutions or acceptable mitigation measures — along with a specific deadline — will be mutually beneficial.
Step 6: Address All Identified Risks in the Contract Terms and Conditions
Once the results of a security assessment are reviewed by the vendor risk management team, the results and any mitigating factors should be shared with the general counsel’s office. It is important to tie a vendor’s risk mitigation plan of action to specific dates for compliance.
Contract Terms and Conditions should include:
Remediation timelines and methodologies for identified security risks
Communication process and accountability for breaches (Breach Notification)
Employee and subcontractor vetting (background checks) and data access rights management policy
Minimum insurance requirements, including General Liability, Cyber Liability, and Errors and Omissions
Patch update notification requirements before deployment
Right to Audit Clause
Step 7: Monitor Your Vendors
Law firms are the custodians for highly confidential data for their clients. As cloud services become commonplace in the legal industry, that data is being shared with a growing network of third-party vendors. You must take responsibility for ensuring your vendors are maintaining the same security standards and risk mitigation measures your clients are requiring from you. Technology and security risks are evolving rapidly, so continuous monitoring is critical to the assessment process.
Implementing a vendor risk management program is a critical component of a comprehensive security strategy. As previously mentioned, maintaining a comprehensive third-party vendor risk management program and a detailed security assessment process is the cost of doing business today. As the buyer, owner, or custodian of highly confidential data, law firms have a unique responsibility to their clients to maintain the highest levels of protection for the sensitive information in their care. Following these steps will ensure transparency throughout the value chain from client to law firm to vendor. Set a policy, stick with it, and communicate to all stakeholders. Because terms and conditions with each vendor can vary, your security assessment process should be tailored to each vendor’s access to data and risk to your law firm.