Vendor Risk: As Strong As Your Weakest Link

July, 18 2019

Cybersecurity is one of the few practices where the strength of a product or process is determined by its weakest component. With the growing amount of digital business and cloud-based products, cyber-crime is rampant and no one in the legal industry can afford to take any risks.

Take a moment to think about all of your vendors, all of their vendors, and so on. Consider the number of access points within your various supply chains to your data and systems. Even if your company or business unit has taken the time to develop and implement thorough internal security policies, all it takes is one overlooked vendor and one data breach to render your security preparation useless.

Think of it this way: in the case of the Death Star, the strongest galactic weapon, all it took was one overlooked thermal exhaust chute; in the case of the Titanic, the “unsinkable ship,” all it took was one disregarded iceburg. We have a long history of overestimating our preparation and underestimating risk, but we don’t have any excuses.

Corporations have long been at the top of hacker hit lists, with the Legal Department a veritable goldmine of valuable information. As cyberattacks and security regulations continue to increase in number and complexity, companies are focused on developing preventative countermeasures. Not surprisingly, cybercriminals have adapted and are working smarter, not harder, by shifting their focus to easier targets with fewer resources. As custodians of their clients’ confidential information, firms have access to the same sensitive data, but typically have far fewer cybersecurity preventions in place. Data security, and specifically Vendor Compliance Management, is no longer just an IT issue, it’s a Legal and Compliance responsibility.


Risk is Contextual


Most companies have cybersecurity measures in place, but the flux of regulatory requirements embroil them in a never-ending cycle of evaluation, best-practices review, and implementation. From state specific regulations, such as the New York State DFS Risk Based Monitoring System Requirements, to international ones such as the GDPR, every industry has been touched by expanding cybersecurity regulations. With a growing marketplace of cloud-based solutions, wise companies know they’re not only responsible for the security of their own systems, they’re responsible for their vendors’ systems too.

A company’s risk assessment must include the full network of systems and information – it is dependent on the context that surrounds each element. Take a simple, low-risk task: ordering business cards. The company that has been approved to print your business cards requires only your name and shipping information, and a cursory risk assessment turns up certifications ensuring transactions are secure. However, if the same company required you to provide specific PII (personally identifiable information) such as your SSN, or didn’t display any certifications of secure exchange of information, the low-risk action of ordering business cards suddenly becomes high risk. Risk is contextual, not isolated. You take on the risk of your vendors.

Now imagine a complex, high-risk project, such as litigating a multi-million dollar corporate lawsuit. The firm that is approved to serve as Outside Counsel must be thoroughly vetted, both for their compliance with your policies and for their compatibility with your practices. Security must have an equal, if not more significant, weight in the decision-making process.


Take the Man out of Manual


Legal Departments are adapting, running competitive procurement processes and developing thorough Compliance programs for their Legal Service Providers to undergo before granting access to systems, networks, and data. Given the potential exposure a cloud-based vendor can open your system up to, it’s critical to dig deep, do your due diligence, and understand your vendors’ security controls. From assessing the physical security of their data center to knowing who will have access to your data and how that access will be granted, it is your responsibility to confirm the security of your data. Your vendors may not be immediately familiar with the intricacies of the kinds of data you handle and how you handle it. That’s why it’s crucial to define your security concerns and requirements in your Agreements, and to take the time to discuss the specific needs of your business before the engagement begins.

Check out this article for suggestions of questions to ask your vendors during your compliance risk assessment!

Built specifically for Compliance workflows in the legal industry, the Counself Risk is powerful not only in onboarding vendor compliance, but also in the continuous monitoring tools it offers, which are critical to the assessment process.

Keep in mind that although managing risk presented by Outside Counsel is simply the cost of doing business today, it doesn’t have to be a frustrating one. Escape endless email chains and excel sheets by designing custom, collaborative forms that can capture all of the documentation and information you need.

Automate event notifications so you can keep track of expiration, renewal, and reassessment dates. Tap into your team’s knowledge and optimize your working relationships by evaluating Outside Counsel. Tailor your assessments to each of your vendors, collaborate internally and externally, and centralize your data in an auditable repository of risk information.  All on a fully secured, ISO 27001:2013 certified private-cloud platform.

Take the man out of manual, and make better use of his time, (and yours!), by optimizing your Vendor Compliance and Management process with Counself. Please contact us at info@Counself.com or here for more information.

What Else Are You Interested In?

We love research and would be happy to share our finding with you