Printed from

Examine cyber exposures of vendor law firms: Report

Posted On: Jul. 9, 2019 2:17 PM CST

Law firm cyber risks

Companies are not paying enough attention to the cyber vulnerabilities that stem from their legal vendors, warns a report.

More than 50% of legal department budgets are spent on outside law firms, yet their outside counsel management programs “often lack the risk management components that are typically part of the procurement function, with any cyber risk assessment of outside counsel and other legal vendors often conspicuously missing from the list of (outside counsel management) activities,” says the report, Legal Vendor Cyber Risk Management, An In-Depth Guide, issued Tuesday by New York-based Kroll LLC, a unit of Duff & Phelps LLC.

“This absence is notable not only because risk management is often a critical step of a traditional procurement process, but also because of the nature of data transferred to outside counsel,” says the report.

“In many organizations, this is a treasure trove of highly sensitive and privileged data, representing a relevant and curated list of a company’s litigation, mergers and acquisitions, intellectual property, lobbying activities, and more,” says the report.

With budgets shrinking, “law firms have not prioritized or allocated adequate resources to securing their client data,” says the report, which cites an American Bar Association report as stating 23% of respondents in 2018 reported their firms had experienced a data breach.

In addition to loss or theft of data, business interruption poses “an equally significant risk to organizations,” says the report, which offers advice on developing a legal vendor cyber risk management program.

More companies are insisting their vendors have cyber insurance, as the risks associated with these third-party firms rise, say experts.