Unlike the TV show "Mission: Impossible, (where each episode included the phrase "should you decide to accept it..." That's TV. Here, you don't have a choice in accepting this assignment.Sorry!

You are the risk manager for a multi-billion dollar industrial firm with global operations. You have been on vacation for two weeks and took a cruise in the South Pacific. For the first time in a long time, you feel relaxed and rejuvenated. The cruise was wonderful!

Unfortunately, that feeling quickly fades after returning to your desk. You discover that, while you were gone, the corporate General Counsel - whom you've only met once (you report to a Deputy General Counsel) set up a meeting with you in her office - and the meeting starts in five minutes! You have no idea why the CG needs to see you in person.

By the time you get to the executive wing of the building, you can feel the adrenaline in your body, and wish you were back at the Midnight Buffet on the cruise ship. The GC hands you a spreadsheet. She explains that it is a list of all of the outside counsel that have been used in the prior fiscal year, sorted by fees billed by each firm and ordered from largest to smallest total payments. The GC says that while you were gone, she attended a conference run by the Association of Corporate Counsel and sat in a series of presentations on the importance of cybersecurity to law firms.

She says that your assignment isto survey every law firm on the spreadsheet, and report back with a report as to which law firms (if any) have implemented a commercially reasonable cybersecurity program.

In your main post, tell us how you will go about carrying out the mission. How will you assess the various firms? Will large firms be looked at differently than small ones? What tools (if any) would you devise or use?

PLEASE NOTE that I do NOT want you to provide me with the questions on a questionnaire you have identified for use. It is enough to give us a link and explain why you think it is relevant and not overly burdensome to the law firm. What you do need to do is to think about whether you would accept any kind of self-assessment or not (and why) and whether you would accept any third-party assessments or not (and why) or whether you need to make your own assessment to provide a reasonable level of assurance. Once again, do NOT provide a detailed questionnaire as your response. It will not be acceptable.

Provide me with your thinking on methodology, how to match your requirements to the size of the law firm and the volume of your dealings with them. Please remember that you need to be practical! Saying, for example, that we should hire a cybersecurity firm to go out and make a cybersecurity assessment of the firms isn't practical. What would you look for? What could they provide you that would help you to carry out your assignment?