Three Recommendations to Improve Law Firm Third-Party Due Diligence

In the legal industry, protecting files “at rest” and “in transfer” are a couple of the most important control objectives. Records pertaining to client discovery, signature, evidence and court filings all must maintain an unimpeachable chain of custody to stand up in court. So, when firms contract third parties to handle, host, process or store legal files, all parties are held to compliance standards that mandate security controls such as access management and data transfer management.

It’s no wonder that law firms are frequent targets of cyber criminals, considering the amount of sensitive data they manage on the part of their clients. Recently, Jones Day and Goodwin Procter became the latest casualties when they were breached after Accellion, a vendor the firms use for file transfers, reported that it was hacked.

How Vendor Risk Intelligence Networks Can Help Law Firms Improve Cyber Hygiene

You can’t protect the client and the firm by simply collecting static security questionnaire responses or running a point-in-time threat intelligence report on a vendor – although those are essential steps to take. Risk analysis must be more dynamic. That’s why law firms often choose to become members of networks to exchange vendor security control information and share vulnerabilities with one another – to protect the legal community as a whole. Being a network member enhances the participant’s security posture and makes third-party risk management a team sport.

Improve Third-Party Due Diligence at Your Firm in Three Steps

Networks add tremendous risk management value for law firms. Compare your existing practices against these three recommendations to ensure that your firm is conducting the proper due diligence on its third parties.

1. Implement Vendor Pre-Screening

Pre-screening vendors provides visibility into lax security practices that might predict future problems. Third-party risk networks make it easy to perform pre-screening and simplify vendor comparisons by maintaining libraries of completed risk profiles. These risk profiles are typically completed by vendors using a standard and industry-accepted questionnaire (making vendor comparisons easier), and then validated using real-time cybersecurity risk scores to capture important updates in situ. The risk profiles are then shared for the benefit of the community.

2. Offload Assessments to Experts

Chances are your firm doesn’t have the resources or expertise to onboard, manage and assess all of its third parties. Your team can save time and money by letting risk management experts handle everything from conducting assessments, collecting due diligence and following up with vendors, to reviewing responses and evidence for accuracy and relevance. Doing so shifts the administrative burden to others, enabling your team to focus on valuable risk management and remediation work instead.

3. Automate Compliance Mapping and Reporting

More than 50% of organizations rely on spreadsheets to manage vendors – and if you are trying to report on and manage vendor risks or compliance using a spreadsheet you understand how painful that can be. Vendor risk networks provide capabilities to automatically map risk assessment responses to specific regulatory and industry framework requirements, enabling you to quickly verify compliance or justify remediation efforts.

Next Steps

You can join the legal risk management community in reducing third-party risk by becoming a member of the Prevalent Legal Vendor Network. For more on how Prevalent can help your law firm improve its vendor due diligence practices, check out our on-demand webinar, The Top 5 Third-Party Risks for Law Firms and What to Do About Them, or contact us today for a strategy session.