September 20, 2017 – Corporate legal departments are particularly vulnerable to law firm risk and should step up their efforts to avoid becoming victims of cyberattacks. That’s according to Wolters Kluwer’s ELM Solutions, which has released a list of five steps for legal departments to take to address cybersecurity concerns, arguing that cybersecurity is best addressed by building manageably scaled actions into ongoing operations.
“Reports of cyberattacks, such as the recent Equifax hack, continue to raise awareness across industries that companies must make cybersecurity a top priority. These efforts should not be limited to the IT function — corporate legal departments are particularly vulnerable in the area of law firm risk,” according to David Sankar, Senior Director, Product Management for Wolters Kluwer’s ELM Solutions. “Legal organizations, by necessity, have to share a substantial amount of information with their outside counsel. Even though many legal departments are bringing more work in-house, much of the data still shared externally is among the most sensitive and associated with the greatest financial and reputational risks.”
Wolters Kluwer notes that surveys (such as the ALM Intelligence 2017 General Counsel Up-at-Night survey) have shown that legal departments do not always put as much focus on cybersecurity as its importance merits. To ensure that companies are on the right track, the firm suggests taking the following five steps.
First off, Wolters Kluwer recommends starting a formal third-party risk management program in the legal department, collaborating with internal Information Security and Technology partners. “A formal program raises the visibility and emphasizes the importance of the effort among the internal legal team. It also sets the expectation that everyone in the legal department needs to have third-party risk on their radar,” Sankar notes.
Legal departments are also encouraged to use a tiered approach. “If, like most legal departments, the majority of your external assignments go to just a few outside counsel, then a one-size-fits-all program isn’t the most efficient or effective for you,” Sankar says. “Concentrate on the law firms that have the majority of your data, and especially your most sensitive information, particularly when you’re getting started.”
Wolters Kluwer also recommends requiring law firms to self-assess on standardized criteria. “Develop a standard set of questions about security practices that outside counsel must answer and keep updated. Use that information to better understand your exposures, and to continuously refine your risk tiers,” Sankar suggests. “This exercise may also help firms identify risk they hadn’t considered previously. The Association of Corporate Counsel has issued suggested requirements for law firms, which might help you develop your assessment.”
It is also important to develop Corrective Action and Preventive Action plans, and closely manage execution, Wolters Kluwer’s experts note. “Develop these plans jointly with your outside counsel, informed by their required self-assessments. To actually reduce risk, it is critical to track the assessment results and take action to correct the uncovered vulnerabilities,” Sankar adds. “Don’t simply assign this responsibility to your firms and move on. To ensure effectiveness, you must monitor and track ongoing execution to make sure that your concerns are addressed.”
Finally, Wolters Kluwer recommends developing a formal incident response approach with plans for likely incident types. “When a breach, attack, or other incident occurs, your early response will have a tangible impact on the eventual outcome. There are several types of incidents that, unfortunately, have occurred often enough to have accepted best practices associated with them,” Sankar notes. “Be aware of previous incidents and consider where they may overlap with your outside counsel’s and your own exposures, and have plans ready to go when needed.”
Sankar adds that it is important to keep in mind that cybersecurity is a continuing and critical business process, not a project to be completed and forgotten. “With good plans and processes in place, engaged law firms, and continued focus, you can drastically reduce your department’s risk of outside counsel security incidents,” he says.