Description
Join Brenda Ferraro, Vice President Third-Party Risk, Prevalent, and Josh Maley, CEO, TheoremLegal, as they discuss:
- The top 5 hidden risks law firms should be aware of
- 5 new strategies for reducing the cost and time required to assess third parties
- How Prevalent and TheoremLegal provide vendor risk assessment results to law firms
You’ll walk away with an understanding of how shared vendor risk intelligence networks reduce the time and cost of third-party risk management. You’ll also learn how Prevalent and TheoremLegal can help you consistently identify and mitigate client data exposures at your firm.
Speakers

Brenda Ferraro
Vice President Third-Party Risk, Prevalent

Josh Maley
CEO, TheoremLegal
Transcript
Amanda: Hello. Hello. We will give it a few seconds to make sure we are all here. How's everybody doing today? Good. I'm waiting for the fall to hit Arizona, though. It's still pretty hot. Oh, it was so beautiful out at like 5 in the morning when I had to let my dogs out. I was like, "Oh, it's brisk. Let me open the doors."

Brenda: Beautiful fall day in New York. Gotta say, it's a nice thing. But then the winter hits and it's a disaster.

Amanda: And then you're like... All right. Well, we'll go ahead and start the intros. Welcome, everybody. Happy spooky season, aka how spooky life would truly be without cyber security. Am I right? Right.

Josh: Right.

Amanda: Thank you all for joining our webinar today, "The Top Five Legal Third-Party Risks and What to Do About Them," with our very own Vice President of Third-Party Risk, Brenda Ferraro, and with our special guest, Joshua Maley, who is also the founder of Theorem LTS. My name is Amanda Fina. I'll be your host today, because I thoroughly enjoy having an excuse to not be in pajamas all day. A couple of things to go over, everybody. You're all muted. Nobody, not a single soul, enjoys background noise, so we made it official and muted you on your behalf. But even if you're muted, we do want this to be interactive, so make sure you're asking questions in the Zoom console, and towards the end, if we have time, we'll go over those in a Q&A. Today's webinar is being recorded, so we plan to deliver that tomorrow morning for you to send out to all of your friends and loved ones who have an interest in this, and you can watch it over and over as many times as you'd like. That's pretty much all I have. I'm going to take it over to Brenda. Thank you both so much for joining. And Brenda, take it away.

Brenda: Thank you, Amanda. Well, Josh, we're really happy to have you here today.
And the partnership that we've built is going to make extreme differences when it comes to identifying and reducing risk in the legal community. So why don't you talk a little bit about yourself, and then give us a fun fact about, excuse me, the sports you were engaged in as you were growing up, and then what your favorite thing is to do today.

Josh: Love it. Okay. So, a little bit of my background. I went to Wake Forest Law School. I spent about five or six years working before I went to law school, working in venture capital. I came from institutional finance. I decided to get into legal tech, and I think that's what brought me through legal education. I love technology. I like the collaboration aspect of working in the tech industry. I did play professional soccer, which was interesting, I guess, maybe for my background, and then to realize what it does to your body over a long period of time playing, and maybe having a head on my shoulders, I wanted to get away from being an athlete and try to apply the brain power to work and building something. I love to build things. But then I got involved in legal and what it does to your mind, and it's just a balancing act. So it's been interesting. I've got a three-year-old daughter. She's the most beautiful thing in the world, and a loving, supportive family. So my first thank you that I want to give is that shout-out to them. And what I do today is really run around and make sure that she's occupied and make sure that she's into space and STEM and math and all the things that I think she's going to be much better than me at.

Brenda: That sounds like a lot of fun. Thank you for sharing that information. As for me, I'm the VP of Third-Party Risk at Prevalent, and my tenure is going to age me. It's like 25-plus years.
IT, OT, and all kinds of technology things. I think I kind of fell into this position. I was more wanting to be a psychologist or a physical therapy resource when I was growing up and in college. And for some reason... my mom was a teacher and my dad was an architect, so building processes and being able to teach people the right guidance and approach to take for strategy just kind of fell naturally in my genetics. As for sports, I was a gymnast when I was younger, and I was in a lot of dance; that was my kind of sport. I also was a band geek, so I played the flute and the piccolo in the marching band and the orchestra. And I was also in chorus, but right now you wouldn't know that from my froggy throat today. As for my favorite thing to do right now: I am not a domestic person. I am more of a brain person who likes to work, and so cooking has not been one of my favorite things. I'm starting to try to figure out how to make really healthy foods, so every night I'm experimenting with internet recipes and things like that. I am not good at it whatsoever. I have two children as well, 30 and 26. My 30-year-old will taste something, and I think the only thing I've done well so far is boxed gluten-free, dairy-free chocolate chip cookies that actually taste real. So that was kind of an accomplishment.

Josh: I love it. I love it.

Brenda: People didn't come to hear totally about our lives and stuff. Let's get started on what we wanted to talk to them about today. So we're really excited. Prevalent and Theorem have for the past six, almost, months, maybe four, decided to partner.
We were finding that there was a disconnect and gap in legal firms being able to know, if they were going to go and use a technology or a vendor, how they could look at a marketplace that would tell them if those particular companies and/or applications were secure enough to use. A lot of companies are still going through the practice of doing third-party risk analysis and continuous evaluation and running threat monitoring, but it's really more of a "if I want to do this type of work with someone, how are they with their security posture before I even look down the path of using either them or someone else?" We also want to talk about the top five hidden risks that law firms need to be aware of now, especially since we're going through a pandemic, and the ecosystem and the supply chain, and then some strategies that are available to help you address those hidden risks. Anything else, Josh, that you can think of on the agenda, or comments, before we move on?

Josh: Well, I'm going to do it for the first time, maybe not the last: how prevalent, right, is information security in the world that we live in right now? Work from home, a massive amount of cloud adoption, migration to cloud, migration to hybrid cloud. Information security, from the point of view of a vendor, of someone who builds things, is not always the sexiest topic, right? But I know, and I'm excited about this partnership because I know, that you and Prevalent are bringing technology to the forefront in this field. I'm always learning from you, and one of the things Theorem wanted to do was partner with a great organization like Prevalent who really understands this stuff.
What is effectively this sort of black box, I guess, of misunderstanding around what information security governance actually is, and to be able to partner with you all so that we didn't have to focus on and try to be experts in something we're not. It's just an amazing thing, and I'm really looking forward to how we continue to build this. So that's my only comment.

Brenda: And back at you. When we started our conversations about what we could do together, what really struck me as a positive thing with you is that you want to do things more efficiently, with cost effectiveness, and just the ability to get things to people's fingertips that they need to know right away, and then have the opportunity to dig deep where they need to. So it's an exciting relationship, and let's talk about some of that legal vendor risk intelligence and how that came about. Do you want to talk about how you broached the topic of, "Okay, I've got this platform and service that I'm providing; who do I go to and why?" Maybe you can give us a little insight on your approach.

Josh: Sure. One of the things we want to do is make the procurement cycle for firms... One of the greatest problems plaguing technology adoption for technology organizations within law firms, legal departments, throughout the legal industry, is the adoption issue, and it starts from the procurement side: the ability for vendors to meet the expectations of the firms, and for the firms to very clearly understand the postures and that the vendors are taking security seriously, particularly in an industry where confidentiality and client data and privacy are so important, right? Law firms are dealing with incredibly sensitive data.
So we wanted to reduce the friction there while also making it very easy and light to sign up and tell the story for the vendors, as well as display for the firms this badge, provided by Prevalent, associated with the type of assessment that the vendor has taken, so that the firm can quickly see that they have that badge and not have to bring that up right away in the conversation and stall the procurement life cycle and stall this great problem of technology adoption within the legal industry.

Brenda: The one thing I liked about when you brought us the approach was that you explained it like Amazon Prime: if you toggled over to Prime, you got all of these different types of products or services that would be delivered to you with the Prime membership. That's what was really interesting to me, to say, okay, here is an enormous lake of vendors or applications or technologies that can support the legal industry. With our legal vendor network that we have at Prevalent, we already know that they've been assessed. But in order to present that to all of the firms that are looking for the technologies and the vendors, they're able to quickly say, "Oh, well, look, they've already completed an assessment and I can ask for additional due diligence content in order to look and see if that risk applies to my engagement," or so on. That's what I like about the partnership: we're giving you information about what's been completed and readily available by different types of due diligence, and you're making it so that if someone's coming to look at a certain type of service, product or vendor, they're able to see right away that the due diligence has already been done, and it's going to be very rapid to do onboarding. So it's a good marriage.

Josh: Yeah.
Brenda: So do you want to talk about what you have in Theorem and the streamlining approach that you've taken?

Josh: Sure. And to your point, and correct me if I'm wrong, I think it's the only place where a vendor can come and purchase this standardized assessment prior to a firm's request for that information, which alone would stall the communication and the start of the process for procuring any vendor of technology. Our marketplace has grown exponentially. You mentioned our partnership being pretty short. We started this right before the pandemic, so an interesting time to start a partnership. Not something that we foresaw, but we've been able to grow our marketplace and build our business threefold over the last couple of months, now hosting over 800 apps, including core business suite tools. So we're this legal tech marketplace integration platform. We're talking about the shared vendor intelligence and the marketplace aspect; we are so much more than that, but we do want to show that we have not just legal tech, right, which is the specific legal practice management stuff that's specific to the legal industry, but also the core business tools that the clients use on the in-house side, from the CRM tools to, you know, not contract drafting stuff, to marketing tools like Mailchimp and that kind of stuff, core collaboration suite office tools and the utility front. That's really what we have there. We help vendors demonstrate their commitment to security with a Prevalent badge after going through the process, and we state what their status is, whether they're pending through that process or whether that's complete. We also allow the firms to request that, and I'll show you what that looks like.
Brenda: I'm excited to have you show them some of the screenshots of the platform. And to your point with regard to being the only platform that has the ability to purchase the SIG Lite or the SIG Core through your application sign-on and onboarding fees, or whatever it is that you have for signing up: it's definitely the only one that we have for legal. Marketplaces are starting to pop up everywhere, but you are the very first that has started that, and it's comprehensive for the legal industry. So, good stuff. Now, if we talk about the badges: the SIG Lite and the SIG Core, for those of you who may not know, are questionnaire components of Shared Assessments, and Shared Assessments is a membership body that has created industry standards for what kind of content you need to collect in order to do the proper due diligence. At Prevalent, we have a legal vendor network, and we also have a steering committee of some of the larger firms that make decisions that are best for the legal community, whether you're small, medium-sized, or large firms. They have identified what requires a SIG Lite, and they also have identified what types of vendors or services need a SIG Core. Now, many companies might have both because they have engagements with firms in multiple capacities, and some of them have one or the other, but we always recommend that you start out with the SIG Lite, and if you have larger engagements the SIG Core is important for things like eDiscovery or transcription services and HR. Because that branches out into so many other risks, the 800 questionnaire is flexible: it expands and contracts based on what questions you answer, and then there are child questions. So if you say (this is a bad example because almost everybody's using cloud, but if they ever said) "I'm not using cloud services," then all those sub-questions would not show up.
So we try to make it so that we're asking for relevant information. It's not in a spreadsheet; it's in a nice-to-use product from Prevalent, and we're able to do it so that it's easy to follow. You can ask other resources to help complete that questionnaire. So it's not just, "Hey Josh, I'm going to have you finish this questionnaire, and you have to do it alone and go and ask other participants for responses." You're able to assign certain sections to people by inviting them to also complete the questionnaire with you, and that shortens up the time. The other thing is, in our moderator tenant for the legal vendor network, we also make sure that the content is accurate and up to date every 10 months. So we start that process at least to follow an annual approach of refreshing that data. But also when things get updated, we're able to have the firms or the vendors, or whoever is filling out these questionnaires (we say firms and vendors because you should fill it out yourself; Prevalent did, and so did Josh for Theorem), update them. So when that questionnaire is filled out, you may have something that's been identified as a vulnerability, and once that vulnerability is no longer there because you remediated that item, you're able to update that questionnaire. So next time someone looks at it, it won't have something stale or out there from three or four months ago. These badges are displayed throughout the Theorem product. Do you have anything to say about it, or are you ready to dig into showing them what we've got?

Josh: Happy to get into it. I love what you said about cutting down some of these large questionnaires based on what's appropriate for you.

Brenda: The one other thing I'd add before we move on, though, is GDPR. We do have GDPR questionnaires and privacy questionnaires as well.
So sometimes people will tack on or add on those questionnaires, and if they're available, then in the future Josh will have to show that those are available too.

Josh: Sounds good.

Brenda: All right. So, how does it work?

Josh: Yeah. So, remember, you're not seeing a live demo of the product. I've done my best to display how our marketplace functions. You're seeing two things here. The first is on the left bar, right? Aside from the categories, you're going to see that there's a section for all vendors within our ecosystem. Talking about shared vendor intelligence, when you click on "Prevalent assessed," you're going to see all the vendors that have received at least a SIG Lite assessment and are in the Prevalent LVN. It's really that simple. In the search bar, as soon as you start typing, there is a dropdown where you can toggle your results to see whether or not that particular search gives back an application that has been assessed, either with the SIG Lite or SIG Core assessment. As well, you can search by anything; we use machine search, and it learns, for all users, what's most relevant to you. You can search by the name, the business need, the matter, the task, the type of practice group, and return all of our large category and catalog of vendors. That's it.

Brenda: I like how it's displayed. It's very visible and it's easy to see. Okay, they've got an active, relevant assessment. So that's good. It means that...

Josh: And let's... Yeah. And on the previous screen, it's okay, you could see that you can compare things side by side. So I wanted to show this in sort of an agnostic way. Our plan here wasn't to highlight any particular legal tech company or vendor in our ecosystem, but to show generally what the usage looks like.
Brenda: But right now, if that's accurate from your screenshot of your platform, it's good to show that these ones have already been assessed. So, kudos to them and thumbs up.

Josh: Absolutely.

Brenda: Oh, I'm going backwards. Go forwards, Brenda. All right.

Josh: This is a simple look at our comparison engine. Again, we've taken out a lot of the data to make this pretty agnostic. What you're seeing is the ability to compare applications side by side. You can see the Prevalent section for what assessment they may or may not have. We allow you to compare and see; this is sort of the basic offering, but there's actually much more. If I could scroll down here, I would and show you, but anyone interested, I'm happy to do a live demo with. You can compare everything from peer firms using this application, what the time for return on investment is, and of course, focusing on what we're doing on the vendor intelligence side, see what their Prevalent assessment looks like.

Brenda: And we went through the opportunity to create our own page. Filling that out was extremely simple. It's just making sure that you have the right verbiage that you want to have displayed, either from what you show on your own website already or any marketing collateral that you have. It was very simple, and I like how you've gotten it to the point where you can see if there's a comparison, which one you want to look into further or compare moving forward. Even if it's a procurement onboarding situation, this is really nice to have. So with that, Amanda, I think we have one poll question before we get to the end of the slide deck; time to bring that up.

Amanda: Yes.
I'm going to launch it right now for the folks. What we're going to be asking is: will firms commit to sharing their technology stacks (the applications they use) to capture more data for assessment and procurement, for example peer firm technology stacks, number of their peer firms using specific apps, cost, ROI, etc.? And the answers are: yes, willing to be completely transparent; yes, but only to peer firms; I'm not sure (which would be my answer); and no, not interested in this data, which hopefully no one says. That's just to be nice, but don't ever ask. Don't...

Josh: That's okay. It's interesting. I wanted to ask this question because transparency in the legal industry is often hard to see and monitor and, I think, engage. But I think if you want access to a lot of this information, when we talk about vendor intelligence... I'd be interested in what firms have to say about this, particularly when they take phone calls about their technology stacks.

Brenda: About five years ago, or maybe four years ago, when the legal vendor network was built, I was shocked and in awe about how they took the "sharing is caring" approach and turned it from a competitive disadvantage to a helping-each-other advantage. So hopefully people will start to share information that's need-to-know, meaningful-use data, and it would be interesting to see if we've got some comments yet, if we're able to share them.

Josh: I think it's about leadership and not about control of this data, right? So if a few firms can lead in that type of transparent collaboration, I think it's going to be really big for the legal industry.

Brenda: Agreed.

Amanda: So, it looks like most, only peer firms. Yes, only peer firms, and others, I'm not sure. I don't know if you guys can see that, but...

Josh: That's good to know. That's really...

Brenda: ...my eye. Yeah. Yeah.
So basically, Josh, what I'm sensing from that is there's still a bit of a culture change that we probably have to take with this community to make sure that they know the meaningful use of the content so that they feel comfortable with it.

Josh: Yeah. And the question is who has the authorization to share that. Maybe that's the question.

Brenda: Right? It may be. Well, thanks for participating in that. Let's go into the rest of the screenshots and some more explanations of how it works.

Josh: So here you're looking at actually a vendor page. Normally you'd see on the left bar everything about the vendor, which we've sort of taken out here, and there are a number of tabs in the center of the console for everything from overview, pricing, integrations, and of course the tab here that's most relevant is security and compliance. This is where we display that SIG Lite status. In this case, it was processing. And you could request the results of this vendor's assessment right here from the dashboard. We would ping Prevalent, and Prevalent would, if you're already part of the Prevalent network, deliver this information to you in your inbox, I would hope, or in Prevalent's system. We're only sort of worried about what we do to make that transaction a little easier. As well, you can see peer products, and this is our planned, and actually currently available, peer product comparison directly in the security and compliance page, where you can see, based on what you need and the infrastructure that you have, for CIOs, CISOs, CTOs who want to see SOC 2 compliance, ISO, right?
The GDPR stuff that Prevalent offers. This is intended to be data that's shared at a preliminary level with Prevalent so that we can offer some look, in terms of a check mark, compliant or not compliant, that they've done these things, and then if you want further information you can request that from the people who really know what they're doing, and that's Prevalent, that's you all.

Brenda: And then depending on how deep they want to dive into knowing if there is a SOC 2 or not, or an ISO standard compliance mapping, depending on the application package that they have with our product, is basically where they can dig deep into taking the content that's been received for the SIG Lite and the SIG Core and how it relates to a view of compliance, whether it's NIST or ISO or privacy or GDPR. That way you can share the content with other departments. So, all right, going into "your apps" and some of the differences here.

Josh: Sure. This is a very basic law firm portal. We enable firms to collect their application stack in a very nice, friendly, easy way. What you're seeing here is the ability to review vendors by hovering over any of this iPhone-like control panel experience: the ability to review vendors and request the SIG assessment from a vendor that may or may not have it, which is shown at the bottom of this popup that comes up when you hover over an application, for comparison as well as to see what level of SIG assessment they have. It would be grayed out in the case that they did not have that badge. And of course, if both were grayed out, you may wish to request that, provided that they're in the Prevalent legal vendor network. So, just a quick visualization of what it looks like to be in your home.
Finally, a nice place for you to gather your complete tech stack and share that across. In this next slide, we're going to move to the bottom of this current page, which is showing the firm's apps, if you want to do that. Yep. And you can do the same thing. This is how, for the first time, firms can actually look at all of the tech stacks across their firm, or department if they have different offices, and see the tech stack by location, by practice group, by person, and actually see what applications here may require an assessment, or have been added by someone in another office location that they're using. Say the IP practice group has changed and a partner there is looking at another vendor and has brought that on. It's pegged right here into the admin panel, where they can see that tech stack, and whoever's in charge of the information can say, "Hey, this has not been assessed," or "I want to see what applications have come into our tech stack that need an assessment." Just a quick way to do it. I think there are probably a number of things we could do here, Brenda, in sort of expanding this; perhaps they could do some requests straight from here. There are a lot of different things that we might consider.

Brenda: We will be considering as much as possible to help everyone. And I really have fallen in love with the cyber superhero down there. I think that's what I want to be for Halloween.

Josh: That's actually Baymax. But yeah, it was a fun thing that I happened to watch with my daughter the other day. So I said, "Hey, this is cool. I'm gonna pop that in."

Brenda: All right.
So let's start digging into some of the top five hidden risks that, with the partnership of Theorem and Prevalent, we have ways to address most rapidly. As we've been looking at things happening with the pandemic, we've noticed (and Josh mentioned this earlier) that people are working from home, and we've now got regulatory updates, cyber criminal activity, communication applications and platforms, and then lack of continuous evaluation. So we want you to keep a close eye on these as we are doing a hybrid approach in some cases, and in some cases a one-way approach of working from home, or working from home and in the office. People are starting to use their personal devices. There's security risk with that: information exposure based on where you're processing that information, if it is on your personal devices, or even going through a channel that might be risky. And then lack of information protection training for employees. All of a sudden it was, "Everybody go home and work if you can, and if you do, do what you need to do," but, oh, by the way, there was no training on making sure that you're in a room where others can't see it if you have personal or sensitive information. It's even your family members that you have to be protective of. It's not just you and yourself at the office. On the regulatory updates: there are robocalls happening all of the time, and that's actually making it easy for people to get onto mobile devices. So if there's some type of a leak or a vulnerability in your mobile apps or your mobile device, and you're using your iPad or some type of platform that's not a laptop, that could be a very scary situation. And then CCPA: there's the 2020 ballot initiative coming up that's going to better define what is sensitive information versus personal information. So you want to keep a close eye on that as well.
Now, from a cyber criminal activity perspective, the phishing vulnerabilities we just talked about are becoming something that has increased significantly, and that then turns into a loss situation, with cyber insurance coverage on the rise. So they're trying to minimize the impact of the breach by having cyber insurance coverage, but it's also applying your due diligence to that as well: making sure that your program is maturing, that you have companies that have been assessed or are in the process of being assessed, and not just picking them at will by allowing them to just have maybe a score report from open-source threat intelligence. You really need to know what your governance is, what your line of attack is, whether it's the first line, the second line, and the third line. We also have the universities and the pharmaceutical industries. Law firms are going to see a huge uptick because of these vaccine efforts that we're doing; the hacking is increasing towards those companies. So those will be the ones that call up the law firms the most to say, "What else do I need to do from a privacy and a regulatory perspective?" Now, on the communication applications: today we're using Zoom, so I'm not going to say anything negative about any sharing platform, but there are some that are more secure than others. We are increasing our public-facing videos. We're also doing things like TikTok and Facebook Live, and some companies haven't taken those away from the ecosystem on their platforms and on their iOS models. And then the remote services. From a health perspective, we've got telehealth and HIPAA compliance: what are we sharing over the wire, and how can people get access to those conversations, versus just going into a doctor's office and getting health support in that manner?
The virtual meeting software, like I said, there’s Google Hangouts, there’s WebEx, there’s Zoom, there are all kinds of different ones, and some companies won’t even allow us to use Zoom. So, for example, there are a couple of customers, or a handful or more, in our organization that will not let us use Zoom. They have to use Teams or something else. And so you have to be adaptable and know which ones have security in place and which ones do not in some areas, or are working on it. Lack of continuous evaluation. This is big for me. I have preached to as many choirs as I could.
Brenda: I’ve tried to get people to follow my bandwagon, but a lot of companies will do one-and-done assessments. And we have a philosophy of continuous evaluation, meaning that you’re going to go and assess a firm, or assess a vendor or an application, and it’s always changing, especially when the threat landscape is changing so much, or they may have defects or risks or vulnerabilities that they’ve mitigated. So you want to make sure that you take those mitigations into consideration, because looking at your entire portfolio of who you use as businesses and partners can ebb and flow based on the different risk remediations and positive things that are happening, not always negative. We always used to look at it as, did they have an incident? Well, really, that’s very important, and we’re never going to go away from trying to find out if they had an incident and how they’re mitigating it. But we also want to say, hey, we knew that you had a compensating control that was addressing this risk. Has that compensating control been replaced by a remediation, or what are we doing with it moving forward, so that your risk posture can show how great you are?
And then just communicating that. A lot of companies will do their assessments and then put it on the shelf, and then a year from now or ten months from now they’ll go and ask, you know, did you correct those things? Well, why not find out they corrected them when it happened? Because then your security risk posture and tolerance changes with their advancements in risk reduction. If we go into the strategies of what you want to do in these cases, we’ve talked a lot today about onboarding, and onboarding from a sense of understanding the profile and the engagement. Theorem is doing a great job at saying, here’s what type of company I have. Here is my information that you need to know for a point of contact. Here is the assessment validity that I can show, or if I’m in progress of having an assessment, because I am security-conscious and aware. There are unresponders, and those should be identified as high-risk organizations to work with.
Brenda: If they’re not doing a security assessment, or they’re not able to show evidence and certifications or information that shares how they’re addressing risk, they’re actually one of the highest risk. You can’t really say it’s just because they’re small, medium, or large-sized companies. It’s really, are they talking to you and engaged in telling you what risks they have and how they’re addressing them, or even being helped? I always take the handhold approach, that I’m here to help you to secure and mature your risk security posture, versus I just want to tell you what you’re doing wrong. I’d really like to say, here’s what we know; I’m not sure if you knew it. I remember back in the day when we were looking at products, we would do assessments on ourselves, and we would literally find out things that we didn’t know, because it was at the time when open-source intelligence was coming at us, and I was like, this is going to take us a month to get rid of.
We’ve got 2,000 employees and a 60,000 employee base that’s using their business email address on LinkedIn. So we’ve got to go and correct that. Or we had IPs that were out there, or some information that, you know, like on a credit check when you buy a house, you have the opportunity to go clean up your credit report. You should have the chance to clean up your risk report. So we’re doing the same with them as well. Now, from an assessment and compliance insight perspective, when you go through Theorem and you see that they have a SIG Lite or a SIG Core, you then have the opportunity to look at the information from a reporting perspective, or how it relates to compliance. It will say here’s how far they are on their assessment, or it will say they’ve completed their assessment, and do you want to look at it from the holistic view, or do you want to look at it from the GDPR view, or do you want to look at the content from a pass/fail on a PCI view? And it has the ability to do that. The continuous monitoring insights are critical, because you can use that at the beginning of your program to just say, here’s what we know from the outside in. We’ve taken all this intelligence.
Brenda: It was a non-intrusive scan, and these are the ideas, or the information, not the ideas but the facts, of what’s out there in the open. And then you can go and look and see what their security posture is even prior to completing a questionnaire. And then what we do now is we harmonize and normalize what we see on the outside and on the inside from the vendor responses. Normalizing those risks is just what I’m talking about. So, having the ability to say these companies are connected, like Lincoln Logs or Legos, or however you want to talk about that spiderweb diagram.
So that if a breach occurs, then that breach is going to show a domino effect of who’s going to be impacted, whether it’s another third or fourth party, whether it’s a department or an initiative, or whether it’s an application that requires that data to be available or the service to be provided. So when you think about supply chain management, product management, app management, this is something that’s really critical for you to see the landscape, so you’re not blinded by a small perimeter around your castle, but have a broad global perimeter around your castle. The playbook automation is making sure that we are automating workflow as much as possible so that you don’t have to see it step by step by step, for every handoff that has to happen in an assessment. Whether it’s in risk remediation, you need to notify your business units, you need to notify the vendor and remind them if something is due, or coming due, or late. So we try to do a lot of automation with active rules, and it also can help to change statuses as things modify. And so that’s going to be something that you’ll want to look into. And then, of course, the reporting. We’ve got some enhanced reporting through Amazon QuickSight. And it’s like, you might want to call it the monster of reporting, but it’s actually the crystal ball of reporting, because you have the ability to filter so many ways to see what’s happening. So, as you’re looking at the strategies for work from home, make sure that your questionnaires are addressing those items.
Brenda: So all of the five things that I listed in the previous slide need to be a part of your questionnaire and content gathering, whether it’s coming from continuous monitoring insight or whether it’s coming from the questionnaires in the SIG Lite or the SIG Core. So, if we go in
Josh: Brenda, I have a question for you on that, on the monitoring piece. Now, you’re giving a lot of information on vendor-to-vendor security posture, right?
So is that at every point that there’s a new integration from one vendor, one application to another, is your system picking that up?
Brenda: The monitoring system is able to pick up what companies are working together. Yes. So if it was Prevalent, it would show all of the companies, Theorem being one of them. So you’re able to do those connections from a visibility perspective. There are a lot of enhancements that are coming into play, whether it’s going to be doing the connect-the-dots from the business side; some of it’s manual, some of it’s automated, but we’re progressing as quickly and as rapidly as possible, just because we want to make sure that what we’re sharing is actionable versus just viewable. And so just keep an eye on our releases. They’re about one every six weeks, four weeks to six weeks. And with every single one of them, I’m in awe of what our product team is doing to tell us how that works. And it would actually complement what you’re doing, because you’re also showing here are the companies that are associated with this particular law firm or this particular vendor or application. So it’s almost the same thing. You show it in icons. We right now show it in word bubbles.
Josh: Sure. Absolutely. And I just want to make sure that we trigger any sort of communication that we can, you know, to you all to see that any new integration that happens to be uploaded, that we’re flagging this to say, “Hey, you’ve got a license at Prevalent. This person has not been assessed. They’re now part of your ecosystem, your sort of internal matrix, if you will, and, you know, just want to make sure we’ve got the right agents there, but the good kind of agents,”
Brenda: right? Exactly. I’m all about, tell me what I need to see in order to know what I need to do.
Brenda: Love it. Love it. So, sorry about that, but I appreciate the question. No, jump in.
This is an engaged type of thing. I like it when it’s back and forth more than when it’s just listen to Brenda ramble on. So, one great thing that we’re excited about is that this year we made it into the Leader quadrant for Gartner, and nine months ago we were in the Visionary quadrant. It looks pretty bare in the Visionary area, but we were very happy to be where we are today, and our strengths were outside of all of the other ones. Whether the bubbles are above us or below us, or to the left or right, we are the strongest in product service, product strategy, and vertical industry strategy, meaning the legal industry and others. So we really like to focus on what’s important for the industries and making sure that we’re giving them what they need for risk. We’re also the strongest among the dedicated VRM companies in the Leader quadrant for strategy. That’s one of my favorite things to do. I like to meet with companies and help them to build their program and to leverage Prevalent. And then demonstrating we’re delivering a vision where we’re recognized for the last MQ. So we were Visionary, and now we’re Leaders. So we’re very happy about that. So if you need this in your efforts to decide what company to go with, do note that of all of the companies that are listed in the Leader quadrant, there are only three of us in there that are really doing third-party risk governance from a holistic platform perspective, or attempting to. So those are the things that you’re going to need to look at. We’re not all GRCs. We want to play nice with the GRCs, but just like Josh was saying about Theorem, they wanted to pick a company that was standard and doing the best in the business for standardization of assessments and monitoring. And so we’re the same way. We want to do what we do best and work with others that do what they’re doing best as well.
Josh: And I believe you’re used by over 50% of the Am Law 100.
Brenda: Yeah. Yeah. We definitely are.
Josh: Good to know.
Brenda: A great steering committee as well. And the steering committee, what’s interesting, we talked about this, Josh, the other day, that there are consortiums and there are steering committees and there are organizations, and we really believe that we want to be a steering committee that helps the community, that doesn’t shove or force, here’s what you should do and you can’t do it any other way, but more of, here’s what we recommend that you do, and we’re willing to share what we’ve accomplished with you, and please come aboard if you can, and if you feel that it’s something different, then we’re able to flex in order to support those differences.
Josh: I love it. That’s so consistent with our values: leadership over, you know, over control, and letting the market drive the standard.
Brenda: Yeah. Well, they know what’s best. I mean, we could go all day long and say a process, or we could tell them the guidelines, but when they’re in the nitty-gritty and feeling it. When I built my program, I was having vendors tell me, “Well, here is the prescription of what you need to do.” And I felt like telling them, “You don’t even know my symptoms yet in order to tell me what prescribed way to work on this.”
Brenda: Sure. Sure. Everything’s different, case by case. Lawyers know this more than anyone. So intelligence from every corner is what Prevalent is about, and we’re making sure that we are working with Theorem to get the information to the community so that they can look at it when they want to find out intelligence. Do they know if they’re assessed? Do they know if they’re not assessed? Do they know how they’ve been assessed? And what are the things that we found, so that they can drive actionable results? So we won’t belabor going into all of these different areas that Prevalent provides. There are so many questionnaires.
However, our legal vendor network has landed on the Shared Assessments SIG Lite and SIG Core, supplemented with the GDPR questionnaire. We will be talking to them about the 2021 components that we need to adjust so that we’re getting the information we need for the different landscape opportunities that we’re finding, this ing being one of them that’s upticking as well. So there might have to be some more effectiveness controls applied to the questionnaires, which will help us to say not only do you have a response of yes or no, I have that control in place, or the monitoring shows whether it is a vulnerability or not in the wild, but we also want to say, if you do have a control in place, how well is that control in place? It’s not just as easy as saying I have a policy and I stuck it on my shelf and I look at it every year. We want to know that it’s used, practiced, governed, and so on and so forth. So, before we get to our last polling question and time for Q&A, Josh was nice enough to put something together for you all. So, did you want to announce what this is?
Josh: Yeah, sure. So, firms that watch, or watch a recording, you know, can join our wait list at theleal.com; it’s up in the right. They can also click on the firms and request access. We have quite an astounding pipeline of firms, from some of the largest firms to some of the smallest sole practitioners, who can use our service, and it’s one of the things that we wanted to do in terms of bringing the entire market, you know, to this standard in terms of information security that’s provided by our great partner Prevalent. So vendors can sign up as well. We’ve got a promo for them.
This is 50% off our Pro plan, which will include the basic Prevalent SIG Lite assessment with your purchase of your portal with your dashboard, including analytics on your page and everything you might expect from, you know, wanting to set up your profile page. It will also include a Prevalent assessment. So you just use the code at the bottom, and it’s valid for the first 50 vendors that sign up.
Brenda: So, be first.
Josh: Be first.
Brenda: Be first. Be first. 50. Well, great. Thank you. So, Amanda, I believe it’s time for us to have the last polling question and then to open up the Q&A.
Amanda: Yep, you got it. Real quick, out of curiosity, for that discount rate, that’s not just for who’s joining this webinar, say, like, we encourage people to take screenshots of that and share that discount code with whomever?
Josh: You got it. Yeah, that’s fine.
Amanda: All right. Well, let’s pop up that last poll question. And what we’re asking whoever is listening is if they’re looking to augment or establish a third-party risk program in the next several months. Be honest with this, because we do follow up with your answer. So we would love to just hear from you guys what your involvement is, how we could be beneficial to help you start your program. If you’re not sure, just let us know in the comments or in the chat if you do want to just talk to somebody and get some insight on how we can potentially help you, and anything like that from a third-party risk perspective. So we’ll leave that poll question open for a little while until we cut to the end, but it looks like we have a handful of questions, and I’ll get started here. This one’s for Brenda. They would like to know how to get involved in the legal vendor network with us here at Prevalent. So, take it away, Brenda.
Brenda: Yeah, there are a couple of different ways. One, by answering this polling question, you will have an outreach, of course.
And then the other one is, if you go to [email protected] and request more information about the legal vendor network, we would be happy to talk to you about all of the different program plans. There are so many different module packages that you could use that will fit your company. You don’t have to go with the most robust third-party program. Say, for example, you might only have 25 assessments that you need to get done. So, not only with what Theorem is doing with us, we’re able to take your entire list of third parties or fourth parties or businesses that you work with, and we can put them through an assessment initiative, and then take that information back to Theorem so that the information will be shared from a badge perspective of SIG Lite or SIG Core on the Theorem site. So you would be able to see which ones of your companies had it or not, and then you could determine, well, wait a minute, I would probably have to get five licenses, or maybe 10, or however many companies you have that don’t already show the SIG Lite, and then if you want to dig deeper, of course, you need a license for those. But it’s a very unique proposition where you can flex it for whatever is fitting you.
Amanda: That’s awesome. Yeah, I mean, we just like to make it easier to streamline the process. So that just is a great example of it. The next question is, how easy is it for them to collect their technology stacks to get started? That’s more for Josh. More of a specific question for you, if you can kind of dissect that a little bit.
Josh: Sure. There are two ways. We actually offer one, which is a desktop crawler, which can look at your utilization of applications to pull them into the system.
So if you want to do it in sort of a passive way. But the onboarding experience is such that it’s extremely easy to share this across all your practice group heads, wherever they may be across the world, and gather their technology stack in one portal and be able to see that, and it’s a living, breathing document. You know, there’s no longer going to be the need for a tech survey across your firm, or even across the industry. A lot of that’s just going to be right at your fingertips in a very cost-effective, easy-to-implement sort of way.
Amanda: That sounds so much better than what people are probably stuck with doing right now, right? Next one is, am I only able to complete a SIG Lite or SIG Core, or both? I guess I’ll give that over to Brenda.
Brenda: Yeah, so many companies will have both, but depending on the service you provide, you may only need the SIG Lite, unless you are an eDiscovery, an HR, or a transcription type of company; those require a Core questionnaire to be completed for content gathering, because of the threat landscape additives that need to be known. So, at present, you can have both, or you can have one or the other, and they’re nicely displayed on Theorem for you, to tell you if they’re there in tandem or either.
Amanda: Perfect. It’s like Oprah: you get a SIG, you get a SIG, whatever you want. Great.
Brenda: Awesome.
Amanda: And our last question, I’m gonna give this one over to Josh. It pertains more to you. So, how many vendors do they already have in their catalog or marketplace?
Josh: Okay. So, we have, I’ll just give you some estimates here, we have over 300 of the legal-specific vendors, and just over 500, and it’s constantly growing, and we’re moving as we go, but just over 500 of the core business suite.
Brenda: And then 800 applications, and that’s just since the time we talked in the beginning of co
Josh: Right. Yeah, so I would say, if I were to look at it now, we don’t, you know, we don’t put too much stock in the numbers; it’s all about the content, and it’s all about the collaboration experience, but it’s growing pretty exponentially.
Amanda: Yeah, that says a lot, because how long do you, I don’t even know how many months. You see the memes where it’s like, it was March and now it’s October. What is going to happen? So in that time frame, we’ve got a lot done and a lot cooking. All right. Well, everyone, that is all we have for today. Thank you all so much for joining. Josh, thank you so much. Brenda, as always, a pleasure to see you. Josh, nice meeting you. If anyone has any other questions, feel free to use the email in that slide below, or feel free to just, you know, hop on the chat or whatever it is. You have all of our names, so you could probably internet search us, and we’re here for you. All right. Thanks, everyone, so much.
Brenda: Thank you, Amanda. Thank you, Josh.
Josh: Thank you. Really appreciate it.
Amanda: No problem. Bye, guys. Bye.
Josh: Bye.

©2025 Mitratech, Inc. All rights reserved.