An organization’s legal department, in particular, may face serious challenges when it comes to risk management of its vendor ecosystem. As a company’s reputation and data are at increasing risk of being compromised, it is critical for legal departments to adopt a comprehensive and robust approach to vendor cyber risk management.
There are a number of detailed steps to consider when building a strong Legal Vendor Cyber Risk Management (LVCRM) program, which enables the management of cyber risk among vendors and suppliers. Understanding the third-party cyber risk management life cycle is critical for both the organization and its vendors to decrease security control gaps and minimize overall risk.
It is important to note that risk management is not a one-time activity. After developing a LVCRM program, organizations must continually assess risks and augment their program. By addressing vendor cyber risks, an organization can mitigate the exposure to its legal department, and thereby the entire organization, reducing the risk of being the next headline.
Once you have a good understanding of your portfolio of legal vendors and your organization’s relationships with them, established your strategic partnerships to increase risk assessment velocity, engaged internal stakeholders about your risk assessment process, and chosen your own security standards or expectations, you are in a strong position to successfully implement and accelerate your LVCRM program.
Orchestrating the integration of these elements will not always be easy, and you will likely experience some growing pains along the way, but your risk story will continue to grow stronger with each piece you put into place. A good chief financial officer (CFO) or board will ask “What are you doing about third-party legal vendor risk?” A great CFO or board will ask “So what are you doing with high-risk legal vendors that we still have to do business with?” By following the best practices outlined in this guide, your LVCRM program will be able to address both. Managing these risks – through strategic remediation, internal compensating controls or changes in your organization’s relationship with the vendor – allows you to confidently answer the second question, which is much more important.
Building a LVCRM program is no small undertaking, but today’s general counsels are realizing that they are going to be at the center of any sizeable cyber incident at their organization. Due to the unique nature of cyber incidents, there will be legal considerations regarding compliance or regulatory impact, conducting incident response activities under privilege, or downstream litigation concerns. Your LVCRM program presents an opportunity to lead by example. Creating a LVCRM program that adheres to the best practices outlined in this guide will ensure that your corporate legal department is doing what it claims it will do with regards to its vendors and is well positioned to support reasonable management of not only its own cyber risks but those of the entire enterprise.