Three Recommendations to Improve Law Firm Third-Party Due Diligence

Recent breaches serve as reminders for law firms to examine their third-party risk management programs. Here are three ways to immediately improve your due diligence.
Brenda Ferraro
Vice President of Third-Party Risk
March 10, 2021

In the legal industry, protecting files “at rest” and “in transit” is one of the most important control objectives. Records pertaining to client discovery, signatures, evidence and court filings all must maintain an unimpeachable chain of custody to stand up in court. So, when firms contract third parties to handle, host, process or store legal files, all parties are held to compliance standards that mandate security controls such as access management and data transfer management.

It’s no wonder that law firms are frequent targets of cyber criminals, considering the amount of sensitive data they manage on behalf of their clients. Recently, Jones Day and Goodwin Procter became the latest casualties when they were breached after Accellion, a vendor the firms use for file transfers, reported that it was hacked.

How Vendor Risk Intelligence Networks Can Help Law Firms Improve Cyber Hygiene

You can’t protect the client and the firm simply by collecting static security questionnaire responses or running a point-in-time threat intelligence report on a vendor, although those are essential steps to take. Risk analysis must be more dynamic. That’s why law firms often choose to become members of networks in which they exchange vendor security control information and share vulnerabilities with one another, protecting the legal community as a whole. Being a network member enhances the participant’s security posture and makes third-party risk management a team sport.

Improve Third-Party Due Diligence at Your Firm in Three Steps

Networks add tremendous risk management value for law firms. Compare your existing practices against these three recommendations to ensure that your firm is conducting the proper due diligence on its third parties.

1. Implement Vendor Pre-Screening

Pre-screening vendors provides visibility into lax security practices that might predict future problems. Third-party risk networks make it easy to perform pre-screening and simplify vendor comparisons by maintaining libraries of completed risk profiles. These risk profiles are typically completed by vendors using a standard, industry-accepted questionnaire (making vendor comparisons easier), and then validated against real-time cybersecurity risk scores so that important changes are captured as they occur. The risk profiles are then shared for the benefit of the community.

2. Offload Assessments to Experts

Chances are your firm doesn’t have the resources or expertise to onboard, manage and assess all of its third parties. Your team can save time and money by letting risk management experts handle everything from conducting assessments, collecting due diligence and following up with vendors, to reviewing responses and evidence for accuracy and relevance. Doing so shifts the administrative burden to others, enabling your team to focus on valuable risk management and remediation work instead.

3. Automate Compliance Mapping and Reporting

More than 50% of organizations rely on spreadsheets to manage vendors, and if you have tried to report on and manage vendor risks or compliance using a spreadsheet, you understand how painful that can be. Vendor risk networks provide capabilities to automatically map risk assessment responses to specific regulatory and industry framework requirements, enabling you to quickly verify compliance or justify remediation efforts.

Next Steps

You can join the legal risk management community in reducing third-party risk by becoming a member of the Prevalent Legal Vendor Network. For more on how Prevalent can help your law firm improve its vendor due diligence practices, check out our on-demand webinar, The Top 5 Third-Party Risks for Law Firms and What to Do About Them, or contact us today for a strategy session.


Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.
