cybersecurity risk assessment

When you talk about corporate legal operations and cybersecurity, you aren't just talking about data housed in the company itself. An important—and depending on whom you ask, perhaps the most important—aspect of corporate legal cybersecurity has to do with data that travels outside the organization, to law firms and other outside third-party companies.

“We give law firms many of the most important emails we have, and many of those come from the C-suite. But there's a history of law firms being subject to these attacks,” noted Gary Tully, head of legal operations at Gilead Sciences. “There seems to be this perception in the in-house departments that I've worked in that law firms will act responsibility … but I think there's a misconception out there of what law firms are capable of doing.”

That's why it's important for corporate legal departments, law firms and outside vendors to get on the same page with cybersecurity, a task typically done through cybersecurity assessments. But not all cybersecurity assessments are equal, and even those who work with them daily see a lot of room for improvement. The perfection and standardization of these assessments has been a major component of a burgeoning Corporate Legal Operations Consortium (CLOC) cybersecurity initiative, unveiled at the 2018 CLOC Conference session “Vendor Management, Threat Assessments & Security Questionnaires—Oh My!”

Tully, one of the heads of the CLOC initiative, noted that operations knowledge of cybersecurity is typically limited, and there historically haven't been many places to turn.

“I don't want to be a security expert, I shouldn't be a security expert. … But security is a deep issue, and we need to hire help to get this done,” Tully said. “The first place we turn is our law firms, but they seem to be having problems with this too.”

One of those major problems, noted Justin Hectus, CIO and CISO at law firm Keesal, Young & Logan, is the sheer number of assessment requests coming into law firms. He noted from his own firm's internal statistics that client security assessments doubled in both 2016 and 2017, and still, 85 percent of clients don't conduct them, meaning there is a whole lot of room for an increased workload. Combine these figures with the fact that there is an overall cybersecurity-centric labor shortage, and even completing assessments could become untenable.

Hectus noted that many assessments are based off a similar framework, such as NIST. But even if the assessments have 90 percent of the same questions, they are not standardized, he said. “The approach and the format, that's really the problem. You'll get something in an Excel sheet one day, and the next day it's in an online tool, in a different order.”

He added that completing paperwork rather than doing actual security “just doesn't make sense.” As a result, “streamlining the process is really in everybody's best interest,” he said.

With this in mind, CLOC is looking to streamline the process through an ongoing initiative that will ultimately look to provide corporate legal departments with a common set of criteria and methods through which to scrutinize cybersecurity. Tully laid out seven criteria that, from his work both at Gilead and previously at Qualcomm, are necessary in any sort of standardized assessment:

  1. Assessments of all vendors, not just a small subset;
  2. An ongoing thorough assessment process, rather than one time at onboarding;
  3. Auditing vendor responses, not just rely on vendor self-reporting;
  4. A cost-effective solution, without affecting quality of assessment;
  5. The ability to leverage security assessment information at the time of choosing a vendor, i.e., within a matter management or e-billing tool;
  6. Remediation advice and assistance, to help our vendors improve their security posture; and
  7. The ability to benchmark our vendors.

Sound like a lot? Perhaps. Tully noted that when coming up with an initial assessment at Qualcomm that instituted all of these factors, it took him over nine months. But without asking these questions up front, he said, corporate legal departments can't truly travel the road to security.

“If we don't ask the questions, we can't take this next step,” Tully explained. “If we don't have a common language to be able to talk about this stuff, we can't get to the next point to make sure our data is secure.”

Imran Jaswal, managing director at Duff & Phelps and head of the advisory company's CYBERCLARITY 360 product, noted that any solution to the issue, such as the one his company developed, should be beneficial to all parties. “The idea here is not to call out firms, but to increase transparency, which will help the relationship between you and the firm,” he said.

To help facilitate this change, Tully identified what he called five “building blocks”: actionable items that he suggested all legal operations managers in attendance perform immediately. These included:

  1. Create awareness and a “need for action”;
  2. Obtain executive sponsorship;
  3. Update outside counsel guidelines with language empowering in-house to request an audit;
  4. Communicate expectations to vendors; and
  5. Provide in-house relationship managers with FAQs.

Of course, these are just the first steps in what all three panelists insisted should be an ongoing process. Tully suggested that corporate legal departments assess law firms at vendor onboarding, then regularly throughout the relationship, ideally every six months. He also said all outside vendors be audited, law firms and legal technology providers alike.

And, as always, as cybersecurity threats evolve, so too should the assessment, a reason that Tully said he prefers partnering with outside vendors on a standard assessment, as they can stay on top of threats.

“There are things that none of us really know what's going on out there, and it's serious,” Jaswal warned. “It's a real problem, and it's a problem for today.”