Global, end-to-end cyber risk solutions.
By now, hopefully it’s clear that developing a Legal Vendor Cyber Risk Management (LVCRM) program to evaluate your legal vendors should be a priority as part of maturing your overall legal operations. In this section, we discuss the decisions you’ll make as you supplement or augment your existing capacities in this regard.
Regarding LVCRM, most legal operations groups largely lack the necessary capabilities and tools, yet they are responsible for most, if not all, of the diligence process. To overcome this challenge, think critically about the balance between internal resources, desired outcomes and the risks being addressed. This part of the LVCRM Best Practices Guide should set the stage for decisions on how much external support to acquire, as very few – if any – legal operations departments can handle this process on their own and still meet the best practice standards.
Before setting out on this journey, you should take stock of your existing posture, establish a solid understanding of internally available resources and fully comprehend the costs and long-term implications of engaging any internal resources.
Be sure to consider the following areas when approaching a build or buy decision:
Building a LVCRM program requires you to secure not only people but also application-specific technology and expertise. Regardless of whether you build the program in-house or secure external support, you must address the core elements of building this program. These elements generally fall in one of two cost areas:
While these core elements should be present in your program regardless of how much of your program is run in-house, the decision to operate internally will impact not only the actual cost of these core elements but also who bears the cost. Keep this in mind as you consider each of the following LVCRM components.
Furthermore, these assessments often feature questions that can unintentionally complicate the process of both completing and reviewing assessments. Consider these common assessment question structures and their unintended consequences:
Some software tools handle only the workflow components and do not provide any assessments or support for assessment creation – these pieces of content must be developed independently and brought to the platform.
Some software tools handle only certain parts of the risk management life cycle (namely Collect and potentially Validate), leaving your team to struggle to analyze, remediate and monitor with either a manual process or another software solution. Other software solutions are built for more general-purpose governance, risk and compliance support – making them too bulky to gracefully tackle a vendor risk management problem – or require high levels of commitment to custom module development, training or both.
In selecting the software, look for a solution that:
While there may be no such thing as a perfect solution, those built to address your problems will perform better than those built for another purpose.
In addition to the headcount necessary to support the communication around these efforts, consider developing a knowledge base of standardized responses to common questions. This will ensure consistency and fairness across your program and reduce response times and levels of effort. More advanced solutions may contain metrics around this service desk style approach and may even leverage software specifically built to handle these issues, with tickets, tracking, knowledge base support and additional functionality. If these capabilities are not presently available in your enterprise, consider acquiring them or acquiring a managed service provider that can provide them to your vendors on your behalf.
Given the large number of vendors in need of assessment and the often limited time and resources for corporate legal departments to complete their risk assessments, it can be tempting to leverage existing reports and resources to help cover more of this ground more quickly. Engaging with these functions can have great value but can also present unique challenges.
Internal Security Teams
Many large enterprises have equally large enterprise information security operations, often performing similar cyber risk assessment functionalities. Unfortunately for corporate legal departments, collaborating with these internal resources is not always as easy as one would hope. In some instances, engaging these internal resources requires participation in a procurement process that simply does not work from the legal operations perspective. In other cases, the scope of the cyber risk assessments available through internal channels is either too large or too small. Internal resources also tend to suffer from a challenge of velocity, with risk assessments frequently taking somewhere between six weeks and six months to fully complete. Navigating these challenges can be so difficult, time-consuming and costly that obtaining your own risk assessment capacity often makes better business sense, but this does not mean that you should leave your internal cyber colleagues completely in the dark.
Engaging these internal enterprise security teams can have significant benefits. One strong way to offer a path forward is to work with your internal resources to ensure that their highest priority risk areas are addressed in the process that you are building. This may take the form of a minimum set of controls expected to be in place with third-party vendors or a certain set of questions addressed within the process.
Certifications and Accreditations
In an admirable effort to standardize controls and validate their implementation, several security-specific attestations are available in the market, and you have doubtlessly already encountered them. Chief among these is the ISO/IEC 27001:2013 certification, typically performed by a third-party auditing firm on behalf of a vendor. This certification standard consists of a systematic representation of an organization’s information security practices, as evaluated against the International Organization for Standardization (ISO) control set and validated by an independent certification authority or auditor. Achieving this certification is not a small undertaking and often represents significant effort in terms of both time and financial resources. That said, it does have a couple elements that make it difficult to rely on as the sole source of truth for a meaningful cyber risk implementation.
First, the breadth, depth and cost of the ISO certification process can be prohibitive for many mid-sized and smaller vendors. A recent study indicated that only 9% of all law firms have achieved this ISO certification,9 meaning that you’re left to do your own assessment on the remaining 91% of firms.
Second, the ISO certification process is heavily dependent on the scope of the process. Clearly understanding what is in scope for a given assessment will help you better determine where any gaps in coverage may exist. For example, it is not uncommon for an ISO 27001 certification to be limited to internal systems, applications and services. It may not cover external services, including web-based Software-as-a-Service solutions and contract employees (including attorneys). These out-of-scope elements are left to you to conduct an assessment against.
Developed by the American Institute of Certified Public Accountants, the System and Organization Controls (SOC) 2 audit is a comprehensive assessment on the system-level controls of a service organization (as opposed to SOC 1, which focuses on financial controls and reporting). The SOC 2 audit is available in both Type 1 and Type 2: Type 1 includes a review around an organization’s controls against the trust services criteria, and Type 2 includes the same coverage as Type 1 and also tests those controls to validate their implementation.
Similar to the ISO certification discussed earlier, SOC 2 Type 2 reports are developed to be thorough assessments of an organization’s security posture but also have shortcomings. They are conducted by an independent third-party and offered as a proxy report for overall security posture. As with ISO, scope can be a significant area of concern when reviewing a SOC 2 Type 2 report. Anything that is not explicitly included in the scope of said report should be considered to be out of scope and thus completely unaccounted for in the contents of the report. Perhaps this is not a high-risk consideration for your relationship with a given vendor because all your interactions are covered under the scope of the SOC 2 Type 2 report. If not, however, you must conduct your own assessment on out-of-scope items.
In addition to the scope challenges, SOC 2 Type 2 reports are frequently written in close collaboration with the organization, often to the point where any potential findings of risk or areas of concern are minimized or excluded. Indeed, it is rare to find SOC 2 Type 2 reports that contain any negative findings. If they do, the findings are tend to be inconsequential, appearing only as token content for that section of the report.
Generally, both ISO 27001 certification and SOC 2 Type 2 reports should be considered useful but not sufficient. Unless your entire relationship with the vendor in question is addressed in the scope of the certification or report, additional risk assessments will be necessary to diligently address areas of concern.
These challenges often drive organizations to consider premade and readily available assessment vehicles, such as the Shared Assessments Standardized Information Gathering (SIG) questionnaire. The SIG, as it’s commonly known, is not as standardized as it might seem. To allow organizations to create more tailored assessments, Shared Assessments has introduced the ability to scope and tailor questionnaires beyond the three pre-scoped SIGs already offered – Lite, Core and Full. Because of this, there is less and less overlap between the assessments as organizations mix and match questions from the various pre-scoped parts, resulting in gaps between what vendors may have previously answered and what an organization is looking to have vendors complete. This often defeats the reusability purpose of the SIG, and the only way to be prepared to respond to any question is for vendors to complete the Full SIG, which comprises over 1,400 questions.
Furthermore, the SIG assessments include several of the assessment question structures, mentioned earlier, that can make interpreting results more complicated. Namely, much of the SIG relies on both a Yes/No/Not Applicable response, followed by a scaled response for questions answered in the affirmative. Some SIG questions, such as the NIST Cyber security Framework or CIS Controls, are mapped to standards, but others are not, further compounding the difficulty in understanding what these answers mean against your chosen standard. Because of their standardized nature and licensing agreements, organizations are not able to make changes to any SIG questions to better meet their needs, which can limit flexibility and scope.
Evaluating the landscape of third-party risk tools and services can be overwhelming. Each one claims a meaningful differentiation from the others, yet they appear to be very similar after reviewing the details of each one’s website or marketing sheet or talking to their representative at a conference booth. In the next section, we’ll discuss the three pillars of people, process and technology to help evaluate which partners will be the best fit for your team.Download the Report
Global, end-to-end cyber risk solutions.
Advisory for technical innovation and process insights.
Help to optimize key legal processes through improved management of work product and vendors.
Processes and strategies to manage and optimize information produced through M&A, divestitures and integration.