The Top 10 Third-Party Risks in the Legal Industry (and What to Do About Them)

Mitratech Staff

To provide a more economical approach to third-party risk management (TPRM) in the legal industry, Prevalent partnered with top law firms in the United States to launch the Legal Vendor Network (LVN) in 2017. The LVN is designed to enable vendors of all types – eDiscovery, human resources, translation services and many others – to complete standardized security control assessments once and share them with all law firm members of the LVN community. This approach reduces the cost and time required for law firms to assess critical service providers.

Since its launch, the LVN has gathered data pertaining to vendor security practices using the Shared Assessments Standard Information Gathering (SIG) questionnaires. This blog summarizes the top ten risks discovered from an analysis of 344 randomly sampled completed questionnaires and prescribes recommendations on how law firms can mitigate these risks.

Top 10 Legal Vendor Risks

In analyzing the results from the random sample, we learned that third parties pose the most risk to law firms in the following areas (the percentage is the share of sampled vendors flagged in that area):

  1. Application Security – Data handling in applications – 67%
  2. Access Control – Remote access – 65%
  3. Business Resilience – Third party service is a critical dependency – 64%
  4. Physical and Environmental Security – Visitors are permitted – 62%
  5. Asset and Information Management – Scoped data is electronically stored – 61%
  6. Application Security – Application development – 61%
  7. Asset and Information Management – Data is stored in a database – 58%
  8. Server Security – Data is stored on a server – 57%
  9. Application Security – Data handling using websites – 54%
  10. Application Security – Application vulnerability management – 52%

The rest of this blog focuses on the three broad categories these top ten risks fall into: application security, asset and information management, and physical and logical access to data.

Application Security Risks and Remediations

Because applications are often reachable across networks and connected to cloud services, they are exposed to security threats that can result in breaches. Since law firms have a responsibility to protect their clients’ data, it is no wonder that application security comes under such scrutiny. Let’s look at what the four application security-related risks in the top ten list above tell us.

Our analysis of the Legal Vendor Network shows that:

  • A lack of strong security controls for applications that transmit, process or store data increases the risk of data exposure and network infiltration.
  • A lack of security controls in application development can leave exposure points within the application.
  • Known but un-remediated vulnerabilities that are not communicated to security monitoring and incident response groups leave the potential for exposure. This is primarily due to a lack of process within the software development lifecycle (SDLC).
  • A lack of security controls for websites can leave data and network infiltration points exposed.

To address application security risks, law firms should:

  • Evaluate the security controls in place for their vendors’ applications, development processes and websites, and identify specific controls that require remediation or maturity.
  • Identify whether vendor vulnerabilities are monitored and tracked by a separate group, such as a Risk Management group. If vulnerabilities are not being monitored, require the implementation of a process that enforces the communication, tracking, monitoring and remediation of these vulnerabilities.
  • Evaluate documentation such as access management policies, network diagrams, network penetration test reports, incident response policies, the secure software development lifecycle (SSDLC), code scans (static or dynamic) and application penetration test reports. Code scans and application penetration test reports should come from an automated toolset and/or an external firm, and should be recent enough to reflect the version of the application actually in use.

For critical and/or restricted/confidential data handling, law firms should consider performing additional due diligence, such as completing a vendor Building Security In Maturity Model (vBSIMM) review. For external-facing applications, use Prevalent’s Vendor Risk Monitoring to identify issues such as IP threats, exposed credentials and typosquatting.

Asset and Information Management Risks and Remediations

Storing and managing data securely is the centerpiece of multiple privacy and data protection regulatory requirements, including GDPR, CCPA and others. As with application security, it is essential that law firms ensure their vendors have the protections in place to adequately secure their clients’ data; otherwise they face penalties. Two of the top ten risks relate to information management: a lack of strong protocols to protect stored data could result in data compromise and regulatory penalties.

To address asset and information management risks, law firms should:

  • Evaluate the security controls in place for the storage of the data. Begin by requiring evidence such as an encryption policy, an access management policy and a network diagram, and confirm that the encryption policy covers data at rest as well as in transit.
  • Identify the specific regulatory requirements and controls that must be in place and ensure the third party has the appropriate controls implemented. Consider additional due diligence for high-risk third parties by requiring a network penetration test report completed by an external firm.

The Prevalent Legal Vendor Network provides the capability to address these recommendations.

Access Control, Business Resilience, Physical and Environmental Security, and Server Security Risks and Remediations

This final category of risks analyzed from the Legal Vendor Network carries important data access implications if not addressed.

  • Physical and Environmental Security: A lack of strong protocols to prevent unauthorized physical facility access could result in an array of security exposure points, such as data loss, network compromise and unauthorized access.
  • Server Security: A lack of strong protocols to protect server access and prevent data exposure could result in data compromise.
  • Business Resilience: Dependencies on critical third-party service providers can create an array of potential risks, such as an inability to deliver a product or service, and data exposure.
  • Remote Access: Remote access that lacks appropriate controls and monitoring exposes the potential for outsider access.

To address these risks law firms should:

  • Evaluate the security controls in place surrounding access, both physical and logical. Begin by requiring evidence such as the physical security policy, the access management policy and details of their use of VPN and multi-factor authentication controls. Ensure the policy includes details such as visitor logs, badges, employee escort, video surveillance and locking mechanisms for restricted areas. For high-risk third parties, consider requiring additional due diligence in the form of an independent audit report, such as a SOC 2 Type II, and confirm that the report’s scope covers the facilities and services your firm actually relies on.
  • Evaluate the security controls in place surrounding the server and access to the server. Require evidence such as an encryption policy, an access management policy and a network diagram. Consider additional due diligence for high-risk third parties by requiring a network penetration test report completed by an external firm.
  • Require evidence of their business continuity/resilience plan. For third parties that are high risk and/or on which your firm has a critical dependency, consider additional due diligence such as a scenario-based test or red team exercise that specifically targets the critical service the third party provides, to test impact readiness. Make sure all third parties have contractual requirements surrounding service availability.

Next Steps

Law firms have stringent client cybersecurity and compliance requirements over access to data. The results of this analysis show that the primary areas of concern for law firms are how their vendors handle data, whether in applications, in assets, or residing on servers or in physical spaces. The Prevalent Legal Vendor Network, built on the Prevalent Third-Party Risk Management Platform, was designed from the ground up to assess, manage and monitor these risks. Our unified platform combines the power of the SIG assessments with Prevalent Vendor Risk Assessment Services to collect and analyze vendor data on the law firms’ behalf. With this model, legal teams gain visibility into their vendors’ security and compliance practices and can take informed action.

If you’re a law firm wanting more control over your vendors, request a demo today.


Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, an AI-enabled third-party risk management provider. The content has since been updated to include information aligned with our product offerings, regulatory changes and compliance.