Question

1 Approved Answer

1. How should I reply constructively? In order to assess the law firms my company has worked with over the last year, I would begin by engaging a cross-discipline committee comprised of legal, procurement, IT, and risk management. This team will be tasked with developing the benchmarks for each law firm we have engaged. As with any other cyber security policy, it is important to consider the size of the law firm itself, the volume of business we've done with them, and the type of work we're doing with them. For example, are they our defense attorney who handles our bodily injury and property damage lawsuits, or are they our patent or employment attorney? We need to verify the type of information that they will be handling on our behalf to determine what is commercially reasonable in conjunction with the size of our dealings and the size of the firm. Firms that handle HIPAA or PII should be held to a different standard than firms that handle only real estate matters and don't process any sensitive information.

Regardless of the size of the firm, the size of work with our company, or the type of work with our company, there are some basic requirements that the ABA suggests. It recommends that all law firms implement appropriate cybersecurity practices, including risk assessments and response plans, to comply with their legal and ethical obligations to protect clients' information (Braithwaite, 2023). I would request that our committee put together a basic requirement list for all the law firms regardless of size. These would include four broad components focused on Confidentiality, Integrity, Availability, and Controls. Specifics within these components would be password requirements, access management, incident management, asset management, etc. (Hill, 2023). Most of these requirements would be inexpensive and easy to implement for any firm but can have a big impact in protecting the security of our information.

Even though there are some basic requirements we would want to see from all of the law firms, I would also ask our committee to review each firm based on its size, the size of our business with them, and the type of information handled, and then assign a hazard level to each firm on the list. For large firms that conduct a lot of business with us and handle sensitive data, we would need to assign a higher hazard level than we would for a smaller firm that has less business with our company and that doesn't handle sensitive information.

I would then recommend that we create a questionnaire based on each hazard level and send this out to all the law firms. For this step in the process, it will probably be beneficial to employ a 3rd party vendor to assist with the management of the responses and grading of each firm's response. There are many firms that offer these services, including Bitsight (2023), Security Scorecard (2023), and Venminder (2023). These firms have the capability to offer customized platforms to view vendor compliance and ratings that are developed based on the completed questionnaires and which can be customized based on industry and preferred cybersecurity methods (NIST, CIS, etc.) (Venminder, Bitsight, Security Scorecard, 2023). Bitsight provides an excellent, free 40-question sample that can be used to develop a vendor assessment (Bitsight, 2023). A 40-question survey about the firm's cybersecurity practices would be considered reasonable compared to others, which can be hundreds of questions (Bitsight, 2023).

The committee will then need to review the results of the surveys and reach out for clarification or discussion of improvement if necessary. If it's determined that a firm's practices are not commercially reasonable based upon responses to the questionnaire, then the work should not continue with the firm.

2. How should I reply constructively? Initially, I would subdivide the firms by their areas of practice and expertise. My intent is to give deference and more scrutiny to those firms that have cybersecurity as their "wheelhouse" specialty. The size of these firms will be of importance because it will signify the volume of business they deal in and the magnitude of the data derived therefrom.[1] Larger firms that cater to clients with sensitive data (hospitals, government agencies, etc.) and have clean breach histories will get the highest grades within my report. From here I would narrow down the area of cybersecurity that I would like to zero in on. Sensitive data protection, secure communication, and encryption (file sharing) would be the metrics of importance during my assessment.

As covered in the lecture, I would utilize and reference an established cybersecurity framework such as the NIST Cybersecurity Framework or the CIS Controls to further assist in my assessment process.[2] Self-assessments from the firms will be useful in understanding what framework they use and the structure of their organization. I would not go beyond those metrics when weighing a self-assessment, as they can be biased and easily manipulated. Third-party assessments would hold greater weight because they will demonstrate how the firm stands up to the established industry standards. This metric will allow me to independently evaluate the firms on equal footing.[3] I will want to know how they rack and stack within the cybersecurity realm. Time permitting, it would be best to conduct my own assessment in addition to the two aforementioned sources. Due diligence in this matter would require me to "trust but verify" in person. I would like to interview key personnel within the law firm, including IT and security staff, to gain insights into their cybersecurity practices, incident response capabilities, and their approach to securing client data.

My methodology would be to evaluate the cybersecurity policies, incident response plans, data encryption practices, access controls, contractor (vendor) management, and firm culture.[4] The thinking behind this is that the law firms who score the highest in these areas should be ranked favorably and then further evaluated in order to render the GC with a thorough report that will allow them to make an informed decision. The billings list would be bumped against my assessment to determine if the juice was worth the squeeze in the prior year. Overall, I am looking for austerity in governance and pragmatism in the firm's operations. It would be helpful if each of the top firms ranked could provide detailed reports of their cybersecurity programs, replete with a history of breaches, thwarted attacks, cybersecurity insurance carriers, and names of the information officer that I can speak directly with to ask further questions. Larger firms with low incidents and lower costs would be ideal, but a smaller firm with a more robust and efficient framework with a lower price tag could also fit the bill.

Step by Step Solution

There are 3 Steps involved in it

Step: 1

1 Your approach to assessing law firms based on a cross-discipline committee is comprehensive and tho...
