Third Party Vendor Risk Management: A Guide for Law Firms

by Greg Cooke

September 15, 2024

You’ve bought the cybersecurity tools your MSP recommended. You use a permission-based platform to transfer client files back and forth. Your firm should be covered against data breaches, including third-party vendor risk, right?

Tell that to global law firm Kirkland & Ellis. The firm is facing a proposed class action lawsuit over a data breach caused by its secure file transfer program, MOVEit. The data breach occurred while the firm worked on an acquisition between Trilogy Home Healthcare and Humana’s CenterWell Home Health. More than 4,700 residents’ HIPAA-protected files were breached when MOVEit’s systems failed. The firm didn’t inform Trilogy of the breach for several months, and customers weren’t notified until later. 

The case is unresolved as of September 2024, but it is a great example of what we call third-party vendor risk. For the companies affected, it’s heartbreaking because they’ve done everything right. The vendors they trusted let them down.  

Fortunately, there are third-party vendor protocols that can help your firm avoid signing on with poorly protected partners. Even better, there are disaster recovery preparations that can help you mitigate data losses when the worst happens. 

Let’s talk about the third-party vendor risks your law firm faces and how to keep your firm’s name out of the headlines.


Third-Party Vendor Risk: How It Impacts Law Firms

When working with third-party vendors, law firms face several potential risks, including: 

Cybersecurity Risks

Partnering with any third-party vendor can open the door to data breaches or cyberattacks. Since these vendors often access sensitive client information, a breach could expose this data. Even if the law firm isn’t directly responsible, such incidents can tarnish its reputation and lead to expensive lawsuits. Cybercriminals often target third-party vendors, and a successful attack could compromise the law firm’s systems and client data. 


Business Continuity

If a critical third-party vendor experiences service disruptions, it can halt the law firm’s operations. This dependency means that any interruption in the vendor’s services can directly impact the firm’s ability to function smoothly. 


Regulatory Compliance

Third-party vendors might not always adhere to the necessary laws, regulations, and ethical standards. This non-compliance can expose law firms to legal and regulatory risks, including hefty fines or litigation. Vet a vendor’s compliance carefully before establishing a relationship with them, and make sure your vendor contracts always include written guarantees of regulatory compliance.


Data Ownership

Data access and ownership disputes can arise if third-party vendors claim ownership of the data they handle. This can lead to complications and conflicts regarding who controls the data. Your agreement should also include written protocols for safe data handling. 


What is Third Party Vendor Risk Management for Law Firms? 

Managing third-party risk is crucial for law firms, especially when you’re about to onboard a new IT tool or process. Third-party vendor risk management is the process that helps your firm do that. It’s a comprehensive approach that assesses the cybersecurity, infrastructure operations, and compliance risk a new vendor or IT tool poses to your firm.

This holistic process involves vetting, onboarding, continuous monitoring, and regular reviews. When done correctly, it will ensure you onboard the right resources at the start and create a clear mitigation process in case of vendor-based outages or breaches. 


Third-Party Vendor Risk Management for Law Firms: What to Do

Third-party risk management for law firms involves identifying, assessing, and mitigating risks associated with third-party vendors and service providers. If you haven’t done this for the vendors you’re working with now, it’s not too late to evaluate them. In fact, we recommend a comprehensive Cybersecurity Assessment that includes reviewing the cybersecurity practices of your vendors. 

Remember that you’ll only need to evaluate vendors who directly impact your IT systems or share critical firm and client data. This process should be managed by your internal IT staff or, ideally, by a CISSP-certified cybersecurity expert through your MSP or a cybersecurity consulting firm.

Here are the steps needed to get a third-party risk management program going at your law firm: 


Step #1—Identify Your Third-Party Vendors

List all the third-party vendors impacting your systems, including crucial SaaS software, document management services, IT service providers, and other external partners. 


Step #2—Conduct a Risk Assessment

Send a cybersecurity questionnaire to your vendors inquiring about key cybersecurity best practices. Do they: 

  • Have cyber risk insurance? 
  • Conduct regular patching? 
  • Adhere to the basic cybersecurity standards set by the National Institute of Standards and Technology (NIST) and the Biden Administration’s Shields Up program?
  • Adhere to the data handling practices required by any other relevant regulations, such as HIPAA, CMMC, etc.?
  • Have good customer reviews and reliability ratings? 
  • Have a disaster recovery plan in place? 
  • Complete thorough testing of system updates before they are released? 


Step #3—Conduct your due diligence

Identify the stakeholders for this vendor. Does the vendor’s offering align with their needs? Do any of those stakeholders’ concerns conflict with one another? How does the tool or vendor interact with your existing IT systems? Are there incompatibilities? If you choose this vendor, how would it affect your written IT plans, policies, and procedures? All of this will need to be factored into your decision to bring a new vendor aboard.


Step #4—Execute Regular Security Assessments and Audits

Once your baseline security is set, you’ll still need to assess your vendors yearly to ensure they comply with your policies. 


Step #5—Set Contractual Safeguards

Include specific clauses in contracts to ensure vendors adhere to the firm’s security and compliance requirements. As part of your Master Service Agreement (MSA), these can include data protection clauses, confidentiality agreements, and termination triggers for when a vendor falls out of compliance.


Step #6—Implement Continuous Monitoring

Create a monitoring and documentation system with your vendor. This may include monthly reports covering patching, mitigations, system activity, and the like. We require advance notice of any system update that may affect your platforms. This will help you stay one step ahead of potential problems.


Step #7—Create an Incident Response Plan

While your disaster recovery plan should be in place to cover the overall effects of outages and hacks, incident response is a set of procedures specifically related to your relationship with this vendor. If something goes wrong with the tool/software/service they provide, who will the firm contact? How will tickets be handled? How will the mitigations impact your IT operations and written policies? You’ll need these questions answered to move forward with the vendor relationship. 


Interested in Third Party Vendor Risk Management for Your Law Firm? Integris Can Help.

Integris is a national IT MSP serving more than 100 law firms. Our vCISO staff can help your firm with all your third-party risk assessment needs. Contact us today for a free consultation. 

Greg Cooke serves as VP of Sales for our dedicated legal practice. He joined Integris after serving a pivotal, decade-long role at USI Affinity’s Lawyer’s Liability Division, specializing in Professional Liability and Cybersecurity Insurance.
