ABA Cybersecurity Checklist May Help Shore Up Your Defenses

Between 40 and 80 percent of law firm data breaches are the result of an attack on an outside service provider.

This means that no matter how secure your inside defenses, you are only as safe as your email account, or your online banking service, or the searchable database you use every day.

To counter this threat, there are vendor risk assessment tools like this one and this one. Which raises the question: who is assessing the risk of the risk assessors?

Now comes the ABA, offering its free Cybersecurity Checklist for selecting and working with outside vendors.

“Your security is only as strong as your weakest link, and increasingly, that weak link is an outside vendor that may or may not have adequate cyber protection against hackers and other malicious infiltrators,” says the ABA. “The checklist is a way to manage cybersecurity risk when working with third-party vendors – from vendor selection, to contracting and vendor management.”

Everybody is Online

Every law firm, in ways large and small, conducts business electronically through third-party vendors. As this becomes the new normal, firms are increasingly vulnerable to cyber-attacks on these outside sources.

A vivid example was the attack on Equifax in 2016, which exposed data on millions of customers who had visited the site. Another was the 2013 attack on Target, where the criminals gained access through one of the retailer’s vendors, an HVAC company.

The ABA checklist – drafted by its Cybersecurity Legal Task Force – provides guidance on:

• Conducting a risk management assessment of potential vendors. The goal is to identify threats, vulnerabilities and the likelihood of harm.
• Reviewing vendor security practices. Does the vendor have an incident management plan that complies with relevant laws? Is it regularly tested and updated?
• Examining the contracting process. This includes setting expectations, mitigating risk and allocating liability. How will the contracting parties interact, share and manage information? What is the vendor’s commitment to an appropriate security program? How will the vendor’s compliance to that program be assessed, and if necessary, remediated?

The checklist also contains valuable pointers for analyzing vendors for compliance with HIPAA and consumer finance laws.

But be forewarned: the 27-page checklist is not an easy read. It is chock full of phrases like “effective management of vendor interdependencies” and “undisclosed functionality.”

Still, too much information is better than too little. And perhaps best part of the checklist is its suggestions for creating a “culture of cybersecurity” in your firm.

Cybersecurity is not a one-size-fits-all proposition. But this checklist is a good start – and it’s free.

How do you safeguard against attacks on outside vendors? What advice would you offer?

Sources:

• Prevalent https://www.prevalent.net/blog/law-firms-establish-legal-vendor-network-to-manage-3rd-party-vendor-risk/
• Privva https://www.privva.com/legal-risk-management
• ABA News Release http://www.americanbar.org/news/abanews/aba-news-archives/2017/03/new_aba_checkliste.html
• ABA Cybersecurity Checklist http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v%201%2010-17-2016%20cmb%20edits%20clean.pdf