I recently sat down with Peter Lesser, Director of Global Technology at Skadden, Arps, Slate, Meagher & Flom LLP, to discuss how nth parties, certifications, and scenario-based incident response tests are vital to third-party assurance and resiliency. We also touched on the need for a community-based approach to managing vendor risk, much like the approach found in the coveted Financial and Healthcare sectors, which are known for being leaps and bounds ahead in building a single third-party ecosystem. In the legal world, you would think that a collaborative approach might be complicated simply because of the nature of the work. I am happy to report that the Legal sector has succeeded in forming a Legal Vendor Network community that agrees on a single third-party framework, questionnaire, assessment, and remediation ecosystem. Moreover, it did so more rapidly than the larger sectors!
“I think we’re very fortunate that the legal community is very tight-knit and there is the sense that we are not in competition with each other. In fact, law firms never use the term ‘competitor’; they use the term ‘peer.’ There is this whole colloquial nature of how we treat each other and how we relate to each other, and we do view it as a community either succeeding or not, together. It’s in everyone’s best interest to work as a team.” Peter Lesser
Many organizations admit that they are not performing fourth-party assessments, so they do not know where their data flows or whether proper assessment and due diligence reach the end points of those flows. So, what can you do? Here’s a tip: be aggressive! Speak with your vendors to learn about their business relationships so that you understand the layer upon layer of vendors and, ultimately, where the data flows. It can be as simple as holding your vendors responsible for abiding by your rules and for passing those rules down the line to their own vendors. However, contractual obligation and liability remain a challenge: we all know from a security perspective that somebody is going to have a problem at some point.
As if this isn’t hard enough, the massive digital transformation from on-premises data centers to cloud infrastructures adds a whole new layer of risk. Does anyone really know where their data lives? Certainly, the cloud can provide a layer of protection, but do your vendors and your vendors’ vendors understand the importance of cloud security and validation? This has led some legal firms to internalize as much as possible. Furthermore, small, medium, and large vendors alike are vulnerable to breaches; in fact, most have already experienced one. It is no longer a matter of ‘WHEN’ our data is exposed; it is a matter of ‘IF’ the exposure is impactful enough to cause brand damage. The Legal Vendor Network has turned its focus to data flow in order to minimize the impact of a breach and to prepare for its ramifications ‘IF’ it happens. In many cases this is the same focus that verticals much larger than the Legal sector have adopted, yet the Legal Vendor Network is going about it more collaboratively.
“I think the Legal Vendor Network is a great example of what we can do, when we work as a community, to create something that there is a great need for, but that none of us are big enough to have the wherewithal to do all on our own.” Peter Lesser
From a certification perspective, the Legal sector regards certifications as an industry expectation. What each organization does with a certification’s improvement recommendations determines whether the certification is meaningful or not. If certifications look good from a client development standpoint, they will also look good from an industry standpoint. The most significant value comes when an organization receives direction to start building a structured security program, with all the pieces that layer on top of it from a process, people, policy, and tool standpoint. For organizations that don’t have a mature structure, a certification will help to evolve their program more quickly than organic growth alone. The value an organization gains depends on where on the maturity spectrum it starts the process. The Legal Vendor Network has embraced certifications and uses the certifications and standards that are most valuable to each organization based on its current structured maturity.
The Legal Vendor Network identifies two distinct paths to resiliency: one is a technology-based disaster recovery plan that recovers services within specific timeframes and with a defined tolerance for data loss, and the second is a global crisis management program that regularly conducts scenario-based incident response testing. The most senior management resources are involved in severe response plans, and communication is tested internally and externally, up to and including public press releases. Third parties are involved by way of tabletop exercises. The results of these tests give companies the ability to evolve their security practices to be as resilient as possible for ‘IF’ a breach occurs. Let us not forget to include our friends in the forensic areas: make sure you have their point-of-contact information at your fingertips and include them in your tabletop exercises to ensure office-by-office crisis management support.
All in all, it comes down to collaboration amongst the legal firms, and they have figured out the most efficient methodology, framework, and approach to expediting vulnerability management.
Learn more about the Prevalent Legal Vendor Network to help you minimize the time and cost of assessing vendors while making sure that necessary vendor risks are properly scrutinized.
Listen to Brenda Ferraro and Peter Lesser discuss this topic and more at The Legal Vendor Network’s Taste for Third-Party Collaboration.
Brenda Ferraro is a Senior Director at Prevalent, Inc. She is a sought-after Third Party Risk practitioner who has received recognition from regulators, Information Sharing and Analysis Centers (ISACs), and standardized Third Party Framework organizations. She brings heightened attention to Third Party Risk by applying her metrics, reporting, and process mastery experience to lead corporations to a single solution ecosystem that breaks through the complexities of Third Party Risk Governance.