Standardized Legal Security Assessment Should Be Reality, Says CLOC
An opening-day session from the 2018 CLOC Conference explored the potential for a streamlined cybersecurity questionnaire from the corporate legal department and law firm perspective.
April 22, 2018 at 07:48 PM
6 minute read
When you talk about corporate legal operations and cybersecurity, you aren't just talking about data housed in the company itself. An important—and depending on whom you ask, perhaps the most important—aspect of corporate legal cybersecurity has to do with data that travels outside the organization, to law firms and other outside third-party companies.
“We give law firms many of the most important emails we have, and many of those come from the C-suite. But there's a history of law firms being subject to these attacks,” noted Gary Tully, head of legal operations at Gilead Sciences. “There seems to be this perception in the in-house departments that I've worked in that law firms will act responsibility … but I think there's a misconception out there of what law firms are capable of doing.”
That's why it's important for corporate legal departments, law firms and outside vendors to get on the same page with cybersecurity, a task typically done through cybersecurity assessments. But not all cybersecurity assessments are equal, and even those who work with them daily see a lot of room for improvement. The perfection and standardization of these assessments has been a major component of a burgeoning Corporate Legal Operations Consortium (CLOC) cybersecurity initiative, unveiled at the 2018 CLOC Conference session “Vendor Management, Threat Assessments & Security Questionnaires—Oh My!”
Tully, one of the heads of the CLOC initiative, noted that operations knowledge of cybersecurity is typically limited, and there historically haven't been many places to turn.
“I don't want to be a security expert, I shouldn't be a security expert. … But security is a deep issue, and we need to hire help to get this done,” Tully said. “The first place we turn is our law firms, but they seem to be having problems with this too.”
One of those major problems, noted Justin Hectus, CIO and CISO at law firm Keesal, Young & Logan, is the sheer number of assessment requests coming into law firms. He noted from his own firm's internal statistics that client security assessments doubled in both 2016 and 2017, and still, 85 percent of clients don't conduct them, meaning there is a whole lot of room for an increased workload. Combine these figures with the fact that there is an overall cybersecurity-centric labor shortage, and even completing assessments could become untenable.
Hectus noted that many assessments are based off a similar framework, such as NIST. But even if the assessments have 90 percent of the same questions, they are not standardized, he said. “The approach and the format, that's really the problem. You'll get something in an Excel sheet one day, and the next day it's in an online tool, in a different order.”
He added that completing paperwork rather than doing actual security “just doesn't make sense.” As a result, “streamlining the process is really in everybody's best interest,” he said.
With this in mind, CLOC is looking to streamline the process through an ongoing initiative that will ultimately look to provide corporate legal departments with a common set of criteria and methods through which to scrutinize cybersecurity. Tully laid out seven criteria that, from his work both at Gilead and previously at Qualcomm, are necessary in any sort of standardized assessment:
- Assessments of all vendors, not just a small subset;
- An ongoing thorough assessment process, rather than one time at onboarding;
- Auditing vendor responses, not just rely on vendor self-reporting;
- A cost-effective solution, without affecting quality of assessment;
- The ability to leverage security assessment information at the time of choosing a vendor, i.e., within a matter management or e-billing tool;
- Remediation advice and assistance, to help our vendors improve their security posture; and
- The ability to benchmark our vendors.
Sound like a lot? Perhaps. Tully noted that when coming up with an initial assessment at Qualcomm that instituted all of these factors, it took him over nine months. But without asking these questions up front, he said, corporate legal departments can't truly travel the road to security.
“If we don't ask the questions, we can't take this next step,” Tully explained. “If we don't have a common language to be able to talk about this stuff, we can't get to the next point to make sure our data is secure.”
Imran Jaswal, managing director at Duff & Phelps and head of the advisory company's CYBERCLARITY 360 product, noted that any solution to the issue, such as the one his company developed, should be beneficial to all parties. “The idea here is not to call out firms, but to increase transparency, which will help the relationship between you and the firm,” he said.
To help facilitate this change, Tully identified what he called five “building blocks”: actionable items that he suggested all legal operations managers in attendance perform immediately. These included:
- Create awareness and a “need for action”;
- Obtain executive sponsorship;
- Update outside counsel guidelines with language empowering in-house to request an audit;
- Communicate expectations to vendors; and
- Provide in-house relationship managers with FAQs.
Of course, these are just the first steps in what all three panelists insisted should be an ongoing process. Tully suggested that corporate legal departments assess law firms at vendor onboarding, then regularly throughout the relationship, ideally every six months. He also said all outside vendors be audited, law firms and legal technology providers alike.
And, as always, as cybersecurity threats evolve, so too should the assessment, a reason that Tully said he prefers partnering with outside vendors on a standard assessment, as they can stay on top of threats.
“There are things that none of us really know what's going on out there, and it's serious,” Jaswal warned. “It's a real problem, and it's a problem for today.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Holland & Knight Launches Export Control Disputes and Advocacy Team
- 2Blake Lively's claims that movie co-star launched smear campaign gets support in publicist's suit
- 3Middle District of Pennsylvania's U.S. Attorney Announces Resignation
- 4Vinson & Elkins: Traditional Energy Practice Meets Energy Transition
- 5After 2024's Regulatory Tsunami, Financial Services Firms Hope Storm Clouds Break
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250