Part 3 – Managing Your Vendors—and Others
The recent wave of cybersecurity breaches at our country’s largest law firms makes it evident that the way the legal sector secures our digital assets must change. The White House’s National Cybersecurity Strategy (“NCS”) seeks to address this. In this series of articles, telecom veteran and legal tech CISO David Roberts offers his thoughts on what the NCS, its implementation strategy, its five pillars of cybersecurity structure, and the evolving threats it hopes to thwart, mean for law firms, their clients, and the future of law in the digital age.
Part 2 of this series explored the rise and risk of ransomware attacks.
It was, according to NPR, a hack “unlike any other.” In 2020, SolarWinds, a Texas-based company, shipped a seemingly routine software update to its network management system. What happened next was anything but routine. As it turned out, hackers had inserted malicious code into that update, and it unleashed a massive cyberattack against the United States. SolarWinds is still feeling the repercussions of that attack, known as Sunburst. In June, SolarWinds revealed that several current and former executives, including the CFO and CISO, received Wells Notices from the U.S. Securities and Exchange Commission indicating the intent to bring charges.
For many law firms and their publicly traded clients, a Wells Notice for a cyberbreach should be a serious wakeup call. In our last article, we discussed the perils of ransomware attacks and what law firms need to know about this in light of the White House’s National Cybersecurity Strategy. In this article, we discuss the cybersecurity perils involved with vendor management and the increasing liability that C-suite executives face when vendor management goes wrong.
The decision to serve a Wells Notice to SolarWinds’ CISO has sent shockwaves through the industry and raised substantial concerns about liability for those in that role. Smart law firms will start working very closely with their clients who have CIOs and CISOs to do a top-down reevaluation of reporting structures, insurance, portfolios and many other factors. Consider that many CISOs report to their CFOs; this organizational approach has always been problematic and is now an increasingly bad idea. As the SolarWinds situation demonstrates, CISOs need a seat on the board in order to do their job effectively—they don’t just need responsibility, they need authority to manage vendor relationships and to verify that vendors hold the kinds of security assurances, such as SOC 2 attestations and others, that support the approaches the National Cybersecurity Strategy is designed to promote. This type of approach is addressed in several of those pillars:
Pillar 4, Invest in a Resilient Future, includes a strategic objective to develop a national strategy to strengthen our cyber workforce.
Pillar 2, Disrupt and Dismantle Threat Actors, also addresses this in several strategic objectives, including increasing the speed and scale of intelligence sharing. The strategy also lays out strategic objectives for countering cybercrime.
Defeating ransomware by mounting disruption campaigns so effective that ransomware attacks are no longer profitable is another focus of this pillar. As discussed in the second article, ransomware is the leading entry point for cybersecurity breaches today. The breakdown usually happens at the human level, through simple social engineering techniques.
Pillar 2 also lays out ways that federal disruption activities will be integrated; for law firms, that means they should expect that federal cyber regulations will start to flow down into the private sector. Pillar 2, in Section 2.2, also focuses on this public-private operational collaboration. This will not be a “make a law and require it to be met” methodology. Rather, it will be a working collaboration at the operational level.
Pillar 5, which deals with forging international partnerships to pursue shared goals, represents another area that will have a profound impact on large law firms, particularly those that represent clients with their own international presence. The strategic objectives of this pillar address securing global supply chains for information, communications and operational technology products and services—in other words, vendor management. The focus here on Cybersecurity Supply Chain Risk Management, or C-SCRM, is critical. Although data privacy laws don’t always cover smaller businesses such as law firms, privately held corporations or companies with limited data, this is an opportunity for law firm leaders to get ahead of the coming regulatory curve by voluntarily meeting or exceeding the current requirements for larger organizations.
Law firms must not only be prepared to respond to today’s threats, they also need to consider what the future holds. In our next article, we will look at the threats we are about to face, including a post-quantum computing world.
David Roberts recently completed a stint as the CISO for a legal technology startup with an access-to-justice social mission. David is a highly credentialed cybersecurity and security framework expert with entrepreneurial and C-level experience in multiple technical organizations spanning over two decades. Most recently, he achieved system-wide FISMA Moderate certification covering all security, compliance, and regulatory components for the companies winning part of the GSA EIS contract, a 15-year, $50 billion technology services contract (IDIQ) covering 37 technical categories. He holds multiple degrees, including an MAR from Liberty University, an MATS from American University of Biblical Studies, a BBA from Clayton State University, and recent programs in Technology Leadership from Cornell University. He currently holds the following industry credentials: CISSP, CCSP, SSCP, CAP, CSM®, CCP, & AZ-900.