Attorney Cybersecurity and Supply Chain Risk
Attorneys from solo practices to large firms generate, modify, collect, exchange, and store both practice information (client lists, escrow account information, etc.) as well as client confidential information using the online services of cloud-based vendors and accordingly are at high risk for cyber-attacks such as data breaches, ransomware attacks, business email compromise, and wire transfer fraud.
Attorneys are also routinely both consumers of vendor-provided technology (practice management, financial, communications, and security) as well as providers of technology to clients through online service platforms (e.g., information sharing) that are typically provided to vendors “in the cloud.”
For attorneys, “software supply chain” risks are those that involve the exchange of information associated with the provision of legal services. Moreover, because attorneys are both technology consumers and providers, they are in the center of what is known as the “software supply chain.”
The Software Supply Chain
Most software today is not developed by a single developer sitting at his or her desk. In reality, the developer is likely incorporating snippets of code from other sources into the application being developed. These snippets may be viewed as “components” of software applications.
Think of it this way: Compare software development to baking a cake. A baker might grind his own flour for the cake, but he will also use additional ingredients made by others (yeast, flavorings, sugar, etc.). These other ingredient makers might also be using ingredients (colorings, preservatives) made by still others (let’s call them “sub-ingredients”) that are combined to create the baker’s additional cake ingredients. The cake will not bake properly unless the ingredients provided by others directly to the baker work properly, but this also means that the cake will not bake properly unless the sub-ingredients comprising the primary ingredients are also functioning properly. It is important, therefore, to the baker, that he vets the sources of his or her ingredients and sub-ingredients to ensure that the cake will bake as expected.
Now, let’s substitute software-specific terms as appropriate: A software developer might develop her own code, but she will also incorporate snippets of code from other developers (let’s call them “components”) into her application’s code. These other developers may in turn incorporate snippets of code from yet a third set of developers (let’s call them “sub-components”) into the component provided to the software developer. Any one of these components, or sub-components may be defective and present a cybersecurity risk.
Each of these “components” may be viewed as a link forming what is known as a software supply chain. The software supply chain operates in much the same fashion as a real chain.
Similar to a real chain, a software supply chain is only as strong as its weakest link. If a component, or subcomponent, of a software application has defective coding or operates in a manner that creates a cybersecurity risk, the entire software application creates a cybersecurity risk.
Software Supply Chain and the Practice of Law
Does the software supply chain have an impact on an attorney’s ethical and professional obligations?
Is there a connection between an attorney’s use of a service provided by a managed service provider and an attorney’s obligations under Florida RPC 4-1.1 and 4-1.3 (competence, maintaining competence maintaining competence and diligence), Florida RPC 4-1.6 (confidentiality of information), and Florida RPC 4-5.3 (Non-lawyer assistants)?
The answer to both questions is yes.
Defective software provided by a managed service provider might disclose client confidential information in a breach, or disclose such information and then encrypt it, with the upshot that the attorney, in turn, cannot provide services to his or her entire client base. If, as a result, a statutory deadline, litigation or deal information submission deadline cannot be met, the consequences are grave for both client and attorney.
Managed Service Provider (MSP or “Vendor”) Risk Management
One might think that managed service providers (e.g., cloud providers) offering such software suites, (including practice, document, storage, and client relationship management) to attorneys would 1) vet the software components and sub-components for potential cybersecurity risk and 2) make representations to attorneys purchasing or licensing these offerings. In many instances, however, they do not.
Although attorneys are by training neither technologists nor cybersecurity specialists we nevertheless must comply with ethical as well as professional obligations directed to the use of software — including those offered by managed service providers that may adversely affect an attorney’s ethical obligation to maintain client confidences, her supervisory responsibility over non-lawyers providing services to her and/or her clients, and even her ability to practice.
Managing the Managed Service Providers
The following is a sampling of the recommendations (which may or may not be applicable based on specific circumstances) that can enhance an attorney’s due diligence when engaging with managed service providers:
1) Vetting: Obtain and contact references from other customers.
2) Written Assurances: Obtain representations in writing that the MSP (a) has, and will continue to have “commercially reasonable security,” that include technical, administrative and physical controls intended to protect the confidentiality, integrity, and availability of both practice and client information and (b) will provide timely, detailed and continuing notification and detailed description of any cybersecurity incident affecting the MSP’s services to the attorney or to the attorney’s client.
3) Require Proof of MSP Cyberinsurance: Cybersecurity insurance may help limit monetary or financial liability. It does not, however, address or prevent problems arising from all consequences of a cyber incident-related financial compromise or an unauthorized confidential information disclosure.
4) Require a Software Bill of Materials: By Executive Order and the National Institute of Standards and Technology (NIST) all software providers to federal agencies (including MSP’s) must provide a list of software components from third party sources. This list, known as a Software Bill of Materials (SBOM) “has emerged as a key building block in software security and software supply chain risk management. A SBOM is a nested inventory, a list of ingredients that make up software components.” The utility of requiring MSP submission of an SBOM is that it provides the attorney with a list of those third-party software components and subcomponents present in a particular software codebase. It will also list the licenses that govern those components, the versions of the components used in the software codebase, and their patch status. This permits quick identification of any associated security or license risks.
Managed Service Provider/Vendor Risk Management Policy
For small to medium size law firms, it is also a good idea to have a vendor risk management policy. Below is an example of a more formalized approach to vendor risk management.
A software supply chain vendor risk management policy outlines the procedures and controls that an organization has in place to identify, assess, and manage risks associated with third-party vendors that provide software or services that are used within an attorney’s or firm’s IT systems. The policy should include the following components:
1) Vendor selection: The policy should outline the criteria that vendors must meet before they can be considered for selection, including financial stability, security practices, and compliance with relevant laws and regulations.
2) Vendor due diligence: The policy should describe the process for conducting due diligence on vendors, including reviewing their security and compliance policies, performing on-site inspections, and obtaining references from other organizations.
3) Risk assessment: The policy should outline the process for assessing the risks associated with each vendor, including identifying potential vulnerabilities, threats, and impacts to the attorney or firm.
4) Risk management: The policy should describe the procedures that the attorney or firm will use to manage risks associated with vendors, including implementing security controls, monitoring vendor activities, and conducting regular reviews of vendor security and compliance.
5) Incident management: The policy should outline the steps that the attorney or firm will take in the event of a security incident involving a vendor, including incident response, reporting, and communication.
6) Continuous monitoring: The policy should include a requirement for continuous monitoring of vendor activities to identify any changes that could impact the attorney’s or firm’s security or compliance.
7) Communication: The policy should include a requirement for regular communication with vendors to ensure that they are aware of the attorney’s or firm’s security and compliance requirements and to obtain updates on their security practices.
8) Review and update: The policy should include a requirement for regular review and update to ensure that it remains current and effective.
Overall, the software supply chain vendor risk management policy should be designed to help attorneys and firms identify and mitigate risks associated with third-party vendors, and to ensure that vendors comply with the attorney’s or firm’s security and compliance requirements.
 Executive Office of the President. (2021). Executive Order 14028 on Improving the Nation’s Cybersecurity. https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity ; See also, Software Security in Supply Chains: Software Bill of Materials (SBOM), https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1