This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Most firms have extensive cybersecurity measures in place, but emerging or unclear regulatory requirements embroil them in a never-ending cycle of evaluation, best-practices review, and implementation. Firms don’t just need to have their own systems secured; a responsible firm must also reduce the risk of breach at their third-party vendors. This risk continues to grow as cloud-service providers gain acceptance in law firms. As cloud service providers become commonplace, so too does a firm’s responsibility to ensure their vendors are managing risk appropriately.
Managing risk presented by outside vendors is simply the cost of doing business today. “Business efficiency and price are no longer the only key factors in vendor evaluation,” says John Stambelos, CEO of Stambelos Consulting and Former Director of IT at Munger, Tolles & Olson LLP. “Security must have an equal weight in the decision-making process. Your clients demand it and new regulations are emerging across multiple industries.”
For example, the New York State Department of Financial Services is considering a regulatory requirement to conduct supply chain risk assessments in 2018 that will change the landscape of how vendors will be required to provide products and services to this market. The precedent has been set and additional states and regulatory bodies will surely follow suit.
This article considers the cross-industry best practices and provides seven steps to implement a highly effective vendor risk management plan. For firms willing to incorporate these steps, the result will be an industry standard, efficient and streamlined approach to vendor risk management.
From my experience, whether you currently have a vendor risk management program in place or you are starting from scratch, the following steps will help drive management buy-in and firm-wide adoption.
Create a Plan and Assign a Team
Data security, and specifically third-party vendor management, is no longer just an IT issue. For a security strategy to be successful, data and third-party vendor management must be part of the firm’s risk assessment culture. Stakeholders throughout the firm must be held accountable to maintain and follow best practices.
A strong vendor risk management policy must include the scope of the process, the stakeholders, the final deliverable, and the communications process. Stating the objective of implementing a vendor risk management program will set the tone for the organization. In order to have the greatest impact, the tone ought to be set by senior firm leadership, ideally from those outside of IT. The policy should be defined with quantifiable minimum standards of conduct and security (e.g., weighted risk score).
Which vendors should be part of your assessment process? What assessment methodology ought to be used? How frequently should your vendors be assessed? These questions will help determine the current maturity of your vendor risk management program. If the firm lacks a formal process to evaluate these questions, then first focus on evaluating existing vendors. Then, expand your program to new or potential vendors. Be sure to incorporate contract management evaluations into your process.
For the program to be successful, the vendor risk management team should consist of stakeholders across multiple functional areas of your organization. A team leader should be assigned to manage the coordination and process. Frequently, this is managed by the IT/security team or compliance. Other team members should include business unit leaders, procurement, general counsel, finance/accounting and senior leadership. After all, the firm’s most senior leaders are the ones authorized to accept or reject the risks posed by third-party vendors.
Identify all the Firms’ Vendors
Developing a comprehensive list of vendors may seem like a straightforward task but certain vendors might be overlooked. Too often, firm’s limit their vendor inventory to IT or IT-related vendors. The growing network of third-party vendors requires firms to expand their definition of a vendor if they are going to identify potential security risks.
- Include all third-parties that interact with your networks, components or information systems including software, hardware, and professional services (g., Document Management, Time and Billing software, E-discovery, CRM, etc.);
- Include vendors that provide physical security and support services (g., security guards, janitorial, CCTV, etc.).
Identifying all the firm’s vendors can be time consuming and challenging. The program leader should work with legal, procurement, and particularly the accounting team to develop an accurate inventory. One tried and true strategy to assist in the identification of the vendors it to request a download of all payments to vendors and external parties over the last 12 months. The vendor management team should review the entire list to determine which vendors have access to firm, employee, and client data.
Categorize Vendors by Risk Tier and Criticality
Once a complete vendor inventory is compiled and each vendor has been categorized by their data access, the next step is to determine the criticality of the vendor to the firm and assign a risk tier to each vendor. The risk tier should determine the depth of the security assessment process that should be taken to assess a vendor’s risk to the firm.
Categorizing your vendors by risk tier should be more science and less art. The vendor management team should develop a list of critical questions for each vendor designed to evaluate how they mitigate risk and then assign a weight to each question to help determine a vendor’s risk tier. This process ensures consistency across all your vendors during the audit or assessment process. The vendor management team ought to consider the following questions:
- Will the firm store sensitive client or firm data on the vendor’s systems?
- Will the vendor have access to any firm or client data?
- Will the vendor hold or have access to firm or client intellectual property or other data that could result in significant harm if stolen?
- If this vendor suffers a data or privacy breach, would that trigger any reporting obligations either to clients, the public or insurance carriers?
- Would a breach of this vendor necessitate the activation of the firm’s Incident Response Plan or cause the firm to activate its business continuity or disaster recovery program?
- Would a failure of this vendor’s systems or processes cause a significant impact to the firm’s (or its clients’) business processes or interrupt the firm’s revenue stream?
Risk Tier 1 vendors should be classified as your organization’s business and mission critical vendors that have the greatest access to your organization or clients’ sensitive data. Vendors in your tier 1 category must receive your most comprehensive security assessment. Expect to conduct rigorous inquiries into each of these vendors’ policies, procedures, and network architecture.
Risk Tier 2 vendors should be classified as your organization’s medium risk vendors. Vendors in your tier 2 category should receive a less exhaustive security assessment compared to the tier 1 assessment. The tier 2 assessment should still request questions covering the main risk categories, but your objective is to identify vendors’ policies, procedures, and architecture.
Risk Tier 3 vendors should be classified as your organization’s low risk vendors. Vendors in your tier 3 category should receive a more focused security assessment compared to the tier 2 assessment. These vendors don’t have the same access to organization or clients’ data, but your tier 3 questions should still assess the main risk categories. Even though these vendors lack the same access to your firm’s data as tier 1 and tier 2 vendors, it is still important to understand the controls in place designed to protect your firm from risk.
Create a List of Questions for Each Vendor Tier
Develop a security assessment methodology designed to evaluate your firm’s tolerance to risk, regulatory requirements and best practices. A security assessment can be developed using industry standard frameworks (e.g., NIST, ISO, CIS, etc.) as guidelines, but it should evaluate key areas of risk depending on the type of vendor and their access to your firm’s data. Initially, the assessment should be created for tier 1 vendors which are business and mission critical. Then, tailor questions for lower tiers based on vendor criticality.
Key areas of risk your firm should evaluate include:
- Asset Management
- Information Security Policy
- Human Resources
- Risk Assessment
- Vendor Management
- Physical & Environmental Security
- Identity and Access Management
- Security Awareness Training
- Data Loss Prevention
- Change and Configuration Management
- Vulnerability Management
Distribute Security Assessment to Vendors and Review Results
Distributing the security assessments to vendors and scoring results is the key to implementing a successful vendor risk management program. Implementing and formalizing your program allows you to leverage data to develop an auditable and contractible repository of risk information.
The security assessment methodology will provide you with a comprehensive analysis of policy, risk and vendor risk mitigation procedures. Each question should be reviewed and evaluated independently to identify potential security gaps, risks, and vulnerabilities. Once you have reviewed the results, implementing a risk mitigation plan for potential risks with deadlines tied to your terms and conditions will be critical.
Discuss the results with the vendors and relate any problems or concerns. Transparency is essential if you hope to develop a strong relationship and a culture of security with your vendors. Communicating any proposed solutions or acceptable mitigation measures — along with a specific deadline — will be mutually beneficial.
Address Any Identified Risks in the Contract Terms and Conditions
Once the results of a security assessment are reviewed by the vendor risk management team, the results and any mitigating factors should be shared with the general counsel’s office. It is important to tie a vendor’s risk mitigation plan of action with specific dates for compliance. Contract Terms and Conditions should include:
- Remediation timelines and methodologies for identified security risks;
- Communication process and accountability for breaches (Breach Notification);
- Employee and subcontractor vetting (background checks) and data access rights management policy;
- Maintain minimum insurance requirements including General Liability, Cyber Liability, and Errors and Omissions;
- Patch update notification requirements before deployment; and
- Right to Audit Clause.
Monitor Your Vendors
Law firms are the custodians for highly confidential data for their clients. As cloud services become commonplace in the legal industry, that data is being shared with a growing network of third-party vendors. You must take responsibility for ensuring your vendors are maintaining the same security standards and risk mitigation measures your clients are requiring from you. Technology and security risks are evolving rapidly, so continuous monitoring is critical to the assessment process. The life-cycle of the security assessment has four main steps:
- Baseline Security Assessment: Request the vendor complete the firm’s security assessment to identify any areas of risk;
- Security Reassessment: Complete annual or semi-annual reassessments based on vendor access and risk profile;
- Real-Time Critical Updates: Distribute ad-hoc assessments based on industry incidents (g., Meltdown and Spectre) to identify potential vulnerabilities in real-time;
- Enforce Audit Clauses Included in Your Terms and Conditions: Review additional documentation on security controls to validate assessments or conduct an on-site audit.
Implementing a vendor risk management program is a critical component of a comprehensive security strategy. As previously mentioned, maintaining a comprehensive third-party vendor risk management program and a detailed security assessment process is the cost of doing business today. As the buyer, owner, or custodian of highly confidential data, law firms have a unique responsibility to their clients to maintain the highest levels of protection for the sensitive information in their care.
Following these steps will ensure transparency throughout the value chain from client to law firm to vendor. Set a policy, stick with it, and communicate to all stakeholders. Because terms and conditions with each vendor can vary, your security assessment process should be tailored to each vendor’s access to data and risk to your law firm.
Ishan Girdhar is the CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process throughout value chain. Prior to starting Privva, Ishan’s experience included corporate strategy, business development, and investment banking including working for the Walt Disney Corporation in their corporate strategy and business development team.