You’ve bought the cybersecurity tools your MSP recommended. You use a permission-based platform to transfer client files back and forth. Your firm should be covered for data breaches, especially third-party vendor risk, right?
Tell that to global law firm Kirkland & Ellis. The firm is facing a proposed class action lawsuit over a data breach caused by its secure file transfer program, MOVEit. The breach occurred while the firm worked on an acquisition between Trilogy Home Healthcare and Humana’s CenterWell Home Health. More than 4,700 residents’ HIPAA-protected files were exposed when MOVEit’s systems failed. The firm didn’t inform Trilogy of the breach for several months, and customers weren’t notified until later still.
The case is unresolved as of September 2024, but it is a great example of what we call third-party vendor risk. For the companies affected, it’s heartbreaking because they’ve done everything right. The vendors they trusted let them down.
Fortunately, there are third-party vendor protocols that can help your firm avoid signing on with poorly protected partners. Even better, there are disaster recovery preparations that can help you mitigate data losses when the worst happens.
Let’s talk about the third-party vendor risks your law firms face and how to keep your firm’s name out of the headlines.
Third-Party Vendor Risk: How It Impacts Law Firms
When working with third-party vendors, law firms face several potential risks, including:
Cybersecurity Risks
Partnering with any third-party vendor can open the door to data breaches or cyberattacks. Since these vendors often access sensitive client information, a breach could expose this data. Even if the law firm isn’t directly responsible, such incidents can tarnish its reputation and lead to expensive lawsuits. Cybercriminals often target third-party vendors, and a successful attack could compromise the law firm’s systems and client data.
Business Continuity
If a critical third-party vendor experiences service disruptions, it can halt the law firm’s operations. This dependency means that any interruption in the vendor’s services can directly impact the firm’s ability to function smoothly.
Regulatory Compliance
Third-party vendors might not always adhere to the necessary laws, regulations, and ethical standards. This non-compliance can expose law firms to legal and regulatory risks, including hefty fines or litigation. A vendor’s compliance posture should be carefully vetted before establishing a relationship with the vendor, and your vendor contracts should always include written guarantees for regulatory compliance.
Data Ownership
Data access and ownership disputes can arise if third-party vendors claim ownership of the data they handle. This can lead to complications and conflicts regarding who controls the data. Your agreement should also include written protocols for safe data handling.
What Is Third-Party Vendor Risk Management for Law Firms?
Managing third-party risks is crucial for law firms, especially when you’re about to onboard a new IT tool or process. Third-party vendor risk management is the process that helps your firm do that. It’s a comprehensive approach that assesses the risk a new vendor or IT tool poses to your cybersecurity, your infrastructure operations, and your regulatory compliance.
This holistic process involves vetting, onboarding, continuous monitoring, and regular reviews. When done correctly, it will ensure you onboard the right resources at the start and create a clear mitigation process in case of vendor-based outages or breaches.
Third-Party Vendor Risk Management for Law Firms: What to Do
Third-party risk management for law firms involves identifying, assessing, and mitigating risks associated with third-party vendors and service providers. If you haven’t done this for the vendors you’re working with now, it’s not too late to evaluate them. In fact, we recommend a comprehensive Cybersecurity Assessment that includes reviewing the cybersecurity practices of your vendors.
Remember that you’ll only need to evaluate vendors who directly impact your IT systems or share critical firm and client data. This process should be managed by your internal IT staff or, ideally, by a CISSP-certified cybersecurity expert through your MSP or a cybersecurity consulting firm.
Here are the steps needed to get a third-party risk management program going at your law firm:
Step #1—Identify Your Third-Party Vendors
List all the third-party vendors impacting your systems, including crucial SaaS software, document management services, IT service providers, and other external partners.
Step #2—Conduct a Risk Assessment
Send a cybersecurity questionnaire to your vendors inquiring about key cybersecurity best practices. Do they:
- Have cyber risk insurance?
- Conduct regular patching?
- Adhere to the basic cybersecurity standards set by the National Institute of Standards and Technology (NIST) and the Biden Administration’s Shields Up program?
- Adhere to data handling practices requested by any other relevant regulations, such as HIPAA, CMMC, etc.?
- Have good customer reviews and reliability ratings?
- Have a disaster recovery plan in place?
- Complete thorough testing of system updates before they are released?
Step #3—Conduct Your Due Diligence
Identify the stakeholders for this vendor. Does the vendor’s offering align with their needs? Do any of those stakeholders’ concerns conflict? How does the tool or vendor interact with your existing IT systems? Are there incompatibilities? If you choose this vendor, how would it impact your written IT plans, policies, and procedures? All of this will need to be factored into your decision to bring a new vendor aboard.
Step #4—Execute Regular Security Assessments and Audits
Once your baseline security is set, you’ll still need to assess your vendors yearly to ensure they comply with your policies.
Step #5—Set Contractual Safeguards
Include specific clauses in contracts to ensure vendors adhere to the firm’s security and compliance requirements. As part of your Master Service Agreement (MSA), this can include data protection clauses, confidentiality agreements, and termination triggers if the vendor falls out of compliance.
Step #6—Implement Continuous Monitoring
Create a monitoring and documentation system with your vendor. This may include monthly reports covering patching, mitigations, system activity, and the like. We require advance notice of any system update that may affect your platforms. This will help you stay one step ahead of any potential problems.
Step #7—Create an Incident Response Plan
While your disaster recovery plan should already be in place to cover the overall effects of outages and hacks, incident response is a set of procedures specifically tied to your relationship with this vendor. If something goes wrong with the tool, software, or service they provide, who will the firm contact? How will tickets be handled? How will the mitigations impact your IT operations and written policies? You’ll need these questions answered before moving forward with the vendor relationship.
Interested in Third-Party Vendor Risk Management for Your Law Firm? Integris Can Help.
Integris is a national IT MSP serving more than 100 law firms. Our vCISO staff can help your firm with all your third-party risk assessment needs. Contact us today for a free consultation.