The Importance of Cybersecurity for Legal Entities
The American Bar Association (ABA) clearly recognizes cybersecurity as a major concern for law firms and other legal entities, and views third-party risk management (TPRM) as particularly crucial for its constituents.
An organization’s security is only as strong as its weakest link, and the growing reliance on third-party vendors for everything from cloud services to office cleaning both increases information security risk and complicates its management. Indeed, research (such as the SOHA Systems report listed at the end of this post) increasingly points to third-party access as a factor in the majority of data breaches.
Vendor Management Best Practices, Simplified
To help reduce the likelihood, and mitigate the potential impact, of cyber attacks that arrive through a third party inside your security perimeter, the ABA Cybersecurity Legal Task Force has released its Vendor Contracting Project: Cybersecurity Checklist.
This checklist provides guidance for legal entities looking to manage cybersecurity risk in relation to third-party vendors, from the vendor selection process to contract relationships to vendor management. It addresses key issues, including:
- How to conduct a risk assessment of a prospective vendor to identify and evaluate relevant security threats
- How to review vendor InfoSec practices
- How to embed vendor security best practices in the contracting process
- Critical elements for TPRM and other InfoSec programs
The Checklist does a solid job of discussing cybersecurity concerns in terms lawyers can relate to. A further benefit is that it aligns with industry best-practice guidance such as ISO 27001, SOC 2 and NIST/FISMA.
In the summary that accompanies the Checklist, the Task Force states:
The objective of this Checklist is to assist procuring organizations, vendors, and their respective counsel to address information security requirements in their transactions. The Checklist frames the issues parties should consider consistent with common principles for managing cybersecurity risk. The Checklist contemplates transactions from due diligence and vendor selection through contracting and vendor management. It suggests that cybersecurity provisions are not “one-size-fits-all,” but should instead be informed by parties’ assessment of risk and strategies to mitigate risk.
The ABA Cybersecurity Legal Task Force recognizes that cybersecurity is a dynamic subject, and we expect practitioners will modify and supplement the Checklist to reflect the particular regulatory requirements and business needs of their clients.
The ABA encourages legal professionals to share the Checklist with their respective entities.
Learn More about Information Security and TPRM
Third-party risk, including the cybersecurity requirements you place on vendors, has direct implications for your firm’s vendor management practices. To learn more from an expert, contact Pivot Point Security.
For more information:
- The SOHA Systems May 2016 report on third-party cyber attacks
- The Checklist was initially published on the November 2016 “Business Law Today” site
- Third Party Risk Management vs. Vendor Risk Management vs. Supplier Relationship Management
- “High Business Impact” Data—A Better Way to Talk about Vendor Risk