Business law firms handle highly sensitive data from their clients, such as trade secrets, mergers and acquisitions deals, non-public stock information, and patent trademark applications. As they engage with third party vendors for key activities such as accounting, cloud storage or e-discovery, these vendors with access to the network might increase the risk of client data exposure.
Third party risk management (TPRM) becomes, then, a crucial component of a robust security approach for the legal services industry.
This case study shows how a scalable, custom vendor risk assessment program helped an Am Law 200 firm achieve a 50% TPRM workload reduction to better understand and monitor risk across their supply chain, using ThirdPartyTrust:
Oftentimes a firm ends up in the headlines not because it was attacked, but because a third party vendor was breached and exposed data from the firm and its clients. Attorneys need to prove that they’ll go the extra mile to protect client data, and that includes conducting thorough vendor risk assessments.
Below is a recap of our conversation with the firm’s Applications & Security Specialist, who is in charge of assessing, controlling and monitoring risk across the vendor ecosystem of the law firm.
Q: Why does a law firm need to perform vendor risk assessments?
Our clients would always perform assessments on us to decide if they could trust us with their data. At some point, they started asking about what type of assessments we do on our own vendors, and it became clear that we needed to formalize a vendor risk assessment process.
At first we would do a somewhat basic vetting of vendors that were accessing our computer network, based on the SANS Top 20 critical security control questionnaire (CIS Controls). But we didn’t deep dive into what their security processes were: Do they have a penetration test? Do they have cyber insurance?
Data is our crown jewels and our business is about building trust. If any of that data gets lost or compromised in any way, it would affect our reputation, but also other firms and their clients. A data breach can expose who’s working with who and have devastating effects.
Q: How did you decide that ThirdPartyTrust was the right tool?
I noticed that instead of using spreadsheets, the trend was to use dedicated tools to centralize and automate the vendor risk assessment process.
After some demos, it was clear that ThirdPartyTrust would make it very easy for us to conduct risk assessments and have an overview of our vendor assessment lifecycle. It’s simple to use and it centralizes all of our vendor data in one spot instead of sitting in different silos.
Another interesting side of it is that you can even share your own data as a vendor if you are being evaluated. Instead of having to fill out 20 different spreadsheets, we could share our security profile and data from the platform to any of our clients. (Learn how to build your own security profile with Beacon by ThirdPartyTrust.)
Q: How did this new risk assessment workflow help you achieve a TPRM workload reduction?
We created our own simple questionnaire with help from the ThirdPartyTrust team, to give us a basic understanding of what our engagement is with a particular third party vendor and monitor risk across the supply chain.
The tool has made the vendor risk assessment process a lot easier and streamlined, and we achieved a 50% workload reduction. With our current process, we invite vendors to the ThirdPartyTrust platform to complete our requirements, and we have a 95% acceptance rate.
Before, some vendors would send their own spreadsheet with common answers to security questions, but they were never specific to our engagement. Now, we have built custom requirements according to our labels. Our vendor categorization goes from tier 1 to tier 4; since the first one has the highest access to critical client data, it has the most requirements.
The visual layout of the tool is very friendly and I use color labels to get a glance of vendors by different criteria, such as:
- Vendors with access to PHI and PII
- Departments that the vendor works for internally at the firm
- Vendor’s main point of contact
- Vendor’s impact rating
Q: Why would you recommend ThirdPartyTrust to other law firms?
We’d recommend ThirdPartyTrust because it’s simple to use, it makes it visually easy to see where things are in the process of assessing a vendor, and it centralizes all of our vendor data in one risk dashboard.
In addition to the overall TPRM workload reduction, the findings are a very useful feature. When I have questions or requests for additional information from a vendor I can ask within the platform and keep everything in one place for future reference, instead of opening a new email thread that might get lost.
ThirdPartyTrust has helped us simplify our vendor assessment process and it allows us to compare our different vendors with their impact and risk to our law firm. In a business that’s based on building trust, we need to show that we’ll take care of client data. Having a robust TPRM program in place actually helps us attract new customers.
Ready to take your TPRM to the next level?
Requesting vendors to complete risk assessments should not be a killer.
Get your free strategy guide and learn how to boost efficiency, transparency, and control over your risk management process and business bottom line.
