4 Steps for Law Firm Cybersecurity Assessments
Knowing where to begin addressing cybersecurity can be overwhelming, but can be made less so by starting with a few simple steps.
October 30, 2017 at 08:00 AM
According to new findings in the 2017 ALM Intelligence General Counsel Up-at-Night survey, when it comes to data privacy and security, most organizations' general counsel spend less time managing risks than their importance warrants.
Because outside law firms serve as a valued partner of the corporate legal department at almost every company, firms typically have access to some of a company's most sensitive data. So, while an organization's general counsel may have more responsibility for incident response than for cybersecurity guidelines, he or she also needs to be aware of, and prepared to manage, the innate risks that accompany legal work.
From my experience talking with general counsel and in-house attorneys, I am aware that it's often the resource gap that presents the biggest issue in managing compliance with cybersecurity guidelines. Knowing where to begin addressing this issue can be overwhelming, but can be made less so by starting with a few simple steps.
First, using a tiered approach to manage risk can help you concentrate your efforts on the law firms that have a majority of your sensitive data. Once you prioritize the risk associated with your firms, you can next require them to self-assess their compliance using your guidelines. This allows you to focus your limited resources on the greatest risks and potentially identify some you may not have considered previously.
1. An initial look at law firm risk
Many legal departments, eager to get their risk mitigation under control as soon as possible, typically start by taking whatever steps they can with the tools at their disposal. This usually means putting together a few requirements and then emailing their outside counsel to ask where they stand on those points. When the replies come in, the next step is normally to track each firm's status in a spreadsheet to centralize the data.
This is the right instinct, of course, as it is important to make a start. But this approach really doesn't even scratch the surface of what needs to be done. Email and spreadsheets will not suffice as a long-term solution to third-party cybersecurity needs. A more advanced approach involves a partnership between the legal, IT, and security departments. This collaboration ensures that all of the company's areas of expertise on cybersecurity are leveraged, and that the most current corporate data security policies are being considered.
It is also important to use a dedicated, purpose-built technology solution that helps with all phases of the effort. It should support the creation and management of cybersecurity assessments of law firms, help you to track and analyze the assessment results, and create and take action on remediation plans. This solution should be designed for measuring and managing law firm risk, specifically, as distinguished from vendors in general, because the information they access and store tends to be far more sensitive.
2. Require law firms to self-assess
Standardized self-assessments by law firms are the foundation of an outside counsel risk mitigation program. To get started, refer to your corporate data security policies and collaborate with IT colleagues to develop a standard set of questions for law firms to answer. Firms should be required to update these assessments at least yearly, and as you develop additional requirements.
Use the information collected to better understand your exposures and to continuously refine the focus of how you address identified risks. This exercise may also help firms identify risk they hadn't considered previously. To help legal departments understand what to look for from law firms, the Association of Corporate Counsel has published suggested requirements for law departments.
3. Focus on firms where risk is concentrated
For most legal departments working with hundreds of outside counsel firms, it isn't feasible to collect all assessments in a single phase. The better approach is to set tiers that help you to prioritize firms within the program. Many legal departments assign the majority of external work to a small number of firms. Concentrate your efforts on those firms that have the majority of your data, and especially your most sensitive information.
For instance, if you designate a panel of preferred outside counsel, start with them and assess their cybersecurity efforts more rigorously and more often. You may wish to zoom in even more on those that handle very sensitive areas, such as mergers and acquisitions or intellectual property.
4. An ongoing project
It's important for law departments and outside counsel alike to recognize that managing cybersecurity risk is not just a one-time event, but is an ongoing requirement. Your program should build in periodic re-assessments and should have the flexibility to assess off-cycle as needed due to policy changes or cybersecurity events.
The development and updating of preventive and corrective action plans also needs continued attention, as well as incident response plans and the testing of such plans. All of these risk mitigation program components should be periodically revisited and updated to reflect the current environment. While it isn't possible to eliminate cybersecurity risks altogether, taking these steps is well worth the effort. With your outside counsel assessments current, remediation ongoing, and potential responses well planned, your organization is far less likely to be featured in the next big cybersecurity breach headline.
David Sankar is Senior Director, Product Management – Growth Portfolio, for Wolters Kluwer's ELM Solutions, a provider of enterprise spend and matter management, analytics, and legal operations solutions for large corporate legal and insurance claims departments.