Byte of Prevention Blog

by Jay Reeves |

ABA Cybersecurity Checklist May Help Shore Up Your Defenses

cyber securityBetween 40 and 80 percent of law firm data breaches are the result of an attack on an outside service provider.

This means that no matter how secure your inside defenses, you are only as safe as your email account, or your online banking service, or the searchable database you use every day.

To counter this threat, there are vendor risk assessment tools like this one and this one. Which raises the question: who is assessing the risk of the risk assessors?

Now comes the ABA, offering its free Cybersecurity Checklist for selecting and working with outside vendors.

“Your security is only as strong as your weakest link, and increasingly, that weak link is an outside vendor that may or may not have adequate cyber protection against hackers and other malicious infiltrators,” says the ABA. “The checklist is a way to manage cybersecurity risk when working with third-party vendors – from vendor selection, to contracting and vendor management.”

Everybody is Online

Every law firm, in ways large and small, conducts business electronically through third-party vendors. As this becomes the new normal, firms are increasingly vulnerable to cyber-attacks on these outside sources.

A vivid example was the attack on Equifax in 2016, which exposed data on millions of customers who had visited the site. Another was the 2013 attack on Target, where the criminals gained access through one of the retailer’s vendors, an HVAC company.

The ABA checklist – drafted by its Cybersecurity Legal Task Force – provides guidance on:

  • Conducting a risk management assessment of potential vendors. The goal is to identify threats, vulnerabilities and the likelihood of harm.
  • Reviewing vendor security practices. Does the vendor have an incident management plan that complies with relevant laws? Is it regularly tested and updated?
  • Examining the contracting process. This includes setting expectations, mitigating risk and allocating liability. How will the contracting parties interact, share and manage information? What is the vendor’s commitment to an appropriate security program? How will the vendor’s compliance to that program be assessed, and if necessary, remediated?

The checklist also contains valuable pointers for analyzing vendors for compliance with HIPAA and consumer finance laws.

But be forewarned: the 27-page checklist is not an easy read. It is chock full of phrases like “effective management of vendor interdependencies” and “undisclosed functionality.”

Still, too much information is better than too little. And perhaps best part of the checklist is its suggestions for creating a “culture of cybersecurity” in your firm.

Cybersecurity is not a one-size-fits-all proposition. But this checklist is a good start – and it’s free.

How do you safeguard against attacks on outside vendors? What advice would you offer?


About the Author

Jay Reeves

Jay Reeves practiced law in North Carolina and South Carolina. He was Legal Editor at Lawyers Weekly and Risk Manager at Lawyers Mutual. He is the author of The Most Powerful Attorney in the World, a collection of short stories from a law life well-lived, which as the seasons pass becomes less about law and liability and more about loss, love, longing, laughter and life's lasting luminescence.

Read More by Jay >

Related Posts