Three important ways legal organizations can rein in third- and fourth-party cybersecurity risk.


Clearly, there’s a good reason that Chief Legal Officers (CLOs) rank cybersecurity and data privacy among the top three issues most important to their business. Extending those security concerns to third and fourth parties is more important than ever as outsourcing volume continues to grow. Forty-one percent of CLOs surveyed in the ACC Chief Legal Officers survey anticipate sending more work to law firms this year, and 24 percent expect to increase the amount of work outsourced to other legal service providers.

The good news is that there are highly effective ways to mitigate this risk for companies willing to make doing so a priority.  

#1. Develop a set of cybersecurity and data privacy best practices for your CLO to share with all outside counsel.  

The 2021 ABA Cybersecurity Tech Report found that clients are focusing more on the cybersecurity programs and policies of the law firms representing them and are more frequently using security requirements documents, questionnaires, and guidelines to enforce standards. However, security preparedness may still fall short, considering that barely one-quarter of law firms reported they had undergone a full security assessment by an independent third party. 

In addition to assessing security preparedness, other best practices for law firms include implementing technology- and data-related security policies, training employees on security awareness, and developing an incident response plan. Law firms should also deploy a broad spectrum of security tools, including multi-factor authentication, encryption, firewalls, and intrusion detection and prevention systems.  

#2. Set requirements. 

A good start would be for legal organizations to begin using a modified version of the contract that requires outside counsel to engage only those vendors that meet enterprise security standards. Entrusting vetting to the outside counsel provides law firms greater flexibility but also forces your company to relinquish some control over security protocols. 

#3. Conduct a thorough risk analysis of all vendors (both third and fourth party).  

Partnering with a vulnerable legal services provider can quickly compromise a law firm’s carefully executed cybersecurity strategy, putting sensitive client data at risk. If not using a pre-approved provider, outside counsel should conduct their own risk analysis. 

Key questions to ask as part of this process include: 

  • Do all transmitted files have end-to-end encryption to protect data from being read or modified by unauthorized parties? 
  • Do you follow an established cybersecurity framework such as National Institute of Standards and Technology (NIST), Center for Internet Security (CIS), or International Organization for Standardization (ISO)? 
  • Do you maintain redundant datacenters to support uninterrupted data availability? 
  • Do you have a 24/7 Network & Security Operations Center to prevent and detect malicious activity? 
  • Has an independent auditor verified SOC 2 Type 2 compliance with best-in-class procedures, safeguards, and technologies to protect data? What about HIPAA compliance to ensure the integrity of all protected health information?
  • Do you conduct third-party penetration testing? 
  • Do you have an incident response plan? And a disaster recovery plan? 

Goodbye hidden risk, hello peace of mind 

With cyberthreats growing more pervasive, ignoring weak links can imperil even the most robust defenses. Act now to close the gaps in your cybersecurity strategy. Your reputation, customer loyalty and bottom line could depend on it.

Editorial Policy

Content published on the U.S. Legal Support blog is reviewed by professionals in the legal and litigation support services field to help ensure accurate information.