No matter the strength of an organization’s cybersecurity apparatus, its vendors can leave it open to risk. And for large corporations with hundreds of vendors, managing this risk can be a daunting task. But it is a task that Wolters Kluwer is hoping to automate with its newly released Cybersecurity Risk Assessment Application, a tool for managing cybersecurity obligations.

Here’s a look at the app and its position in a growing, innovative marketplace.

What it is: Wolters Kluwer’s Cybersecurity Risk Assessment Application is a management tool that allows legal departments and other corporate teams to create, store and send cybersecurity questionnaires and remediation plans to outside counsel or external vendors. Through the application, users can follow up and track whether their external parties are documenting and meeting their cybersecurity obligations.

David Sankar, senior director, product management at Wolters Kluwer ELM Solutions, called the application “a management and [analysis] tool for law departments that is purpose built to handle cybersecurity preparedness.”

How it Works: The Cybersecurity Risk Assessment Application allows users to create and store any number of questions in library repositories, which are used to create custom cybersecurity questionnaire templates. Such custom templates can be saved alongside standard templates provided by the application.

After a questionnaire is sent out, the application alerts users when responses have been returned. Users can make notes or comments on the filled-out questionnaires to send back to their outside counsel or to forward to internal parties.

In addition to questionnaires, users can also create and send out cybersecurity remediation plans, and similarly track whether outside counsel completed specified tasks related to the plan. Such task and questionnaire tracking is shown on the user dashboard homepage, which essentially provides status reports on outside counsel and external vendors. If users so choose, dashboards can also display a cybersecurity risk score for each outside counsel or vendor managed through the application.

Sankar explained that such scores are based on weighted questions and answers in users’ cybersecurity questionnaires. For example, a user may assign a quantitative point value to whether a law firm has an incident response plan or not, which along with other factors will make up the firm’s overall risk score. Because scores are based on questionnaires, which can be customized, they are specific to each user’s risk assessment.

Communication Breakdown: All communication and file transfers between users and their outside counsel on the application happen through Wolters Kluwer’s collaboration portal. Sankar noted that this portal is already being used for other Wolters Kluwer services to allow “many legal service providers to collaborate with legal departments on matters and invoices, among other types of things.”

Given the nature of the content being shared, the portal is a secure channel protected by “encryption at rest and in transit, and all of the things one would expect to have when dealing with this type of sensitive information,” Sankar said.

Competition: While there are no apparent solutions that offer similar cybersecurity risk assessment management and analytics in the market, Sankar said many compliance companies do offer some capability around cybersecurity assessment. “There are a number of vendors in the market that are focused broadly on compliance solutions that have tools that include cybersecurity assessment preparedness.”

Some cybersecurity and compliance companies also offer analytics around cybersecurity risk, whether in-house or over a company’s extended service network. NexLP, for example, leverages artificial intelligence (AI) to assess risk and track user behavior within a connected intranet network, while companies like Clutch Group and Nuix have teamed up to offer similar risk surveillance technology.

Cybersecurity companies are likewise moving in to partner with law firms to build out their cybersecurity defenses and provide assessments of their security posture. Law firm technology company Innovative Computing Systems, for instance, partnered with cybersecurity firm Digital Defense to offer such services to law firms in 2016.

Many law firms themselves also offer cybersecurity risk assessment services, while some have been coming out with their own cybersecurity-related applications.

In June 2017, for example, law firm Reed Smith launched a data breach notification assessment app named Breach RespondeRS, which provides questionnaires to determine which laws apply after a data breach.

In addition, many organizations also provide cybersecurity questionnaire templates that can be used in lieu of those provided by Wolters Kluwer, including EDRM, the National Institute of Standards and Technology (NIST), and the Federal Financial Institutions Examination Council.