Being in the legal department of your organization puts you in a trusted position. Critical contract negotiations, protecting the organization’s intellectual property and sensitive human resource issues are all matters your clients turn to you for. Despite that trust, you often need to consult with others outside your organization to get the best result for your client. These third-party vendors can help you research faster, provide expertise to understand a complex issue better or simply provide additional resources to meet critical deadlines. However, they can also be a source of risk if those you trust maintain an immature cyber security posture. This blog post can serve as a guide to assessing how large that risk is.
The first step is to figure out which third parties support your legal department. While it may seem like a simple question, for larger corporations or those with immature legal operations, this can be a challenge. Poor record-keeping, lawyers in different offices or even different countries, and clients that engage vendors directly can create a patchwork understanding of outside counsel and other legal vendors. If your legal department services independent subsidiaries, this can get even more difficult, as contracts may not be in your parent company’s name.
If no centralized vendor management program exists, your legal department will have to start from scratch. Luckily, there are a few simple steps you can take. The first is to work with accounts payable to find out everyone who has invoiced you for legal or legal-adjacent services (lobbying, etc.). This will serve as your first list. Bear in mind that vendors engaged and paid by a subsidiary will not show up in the parent company’s accounts payable, so ask those entities for their own lists. Circulate the combined list amongst your legal team members to catch errors and vendors that are missing. Once you have a final list of vendors, send an email to everyone on the list, asking them to identify a cyber security point of contact as part of your third-party cyber risk program. While some vendors may take a while to respond to this request, the lack of response or confusion around it will help you evaluate which legal vendors you are genuinely engaged with and how.
Now that you have your list of legal vendors and their cyber security points of contact, it is essential to consider the inherent risk each vendor represents. Inherent risk is the risk that the vendor poses before any mitigating controls are put into place. When considering risk, it is crucial to look beyond the amount of money you spend, which, while useful in understanding the extent of the relationship, is not the only factor in calculating risk. The type of data you share, how much of it, and whether the vendor also needs access to your systems are the more important factors. For instance, a relatively simple, low-cost matter concerning employee benefits may involve sharing a large list of employee personal data with a vendor, and that vendor represents more inherent risk than a far more expensive engagement in which only public filings change hands.
After you review your vendors and identify their inherent risk, it is good to group them into categories. These may be as simple as high, medium and low risk, or they could be based on data types such as personally identifiable information (PII), business confidential or publicly available data. With categories in place, you can see which risk tiers require additional review and focus, for example a full cyber security assessment for high-risk vendors and a lighter questionnaire for low-risk ones. Categories also let you plan the resources that will be needed for the actual cyber security assessments and collection of information.
While the process outlined above may seem challenging, it is a foundational step in understanding the risks that come with working with external third parties. Your organization has trusted your department with some of its most sensitive matters, and you need to be able to trust those who assist you with them. By following these steps, you can begin the process of understanding, and even improving, your vendors’ cyber security posture.