Vendor Risk Management in Complex Matters (acc sa presentation)
1. Norton Rose Fulbright US LLP
Vendor Risk Management in Complex Matters
Dan Jackson
Senior Associate, Norton Rose Fulbright US LLP
Ashley Senary Dahlberg
Senior Associate, Norton Rose Fulbright US LLP
Marissa Helm
Senior Counsel, Parallon
2. 1 – Vendor Selection
2 – To “Bundle” or Not to “Bundle”?
3 – Ongoing Vendor Risk Assessment
5. Cybersecurity and Data Privacy
• Consumer privacy laws (GDPR, CCPA, Regulation S-P)
• Nearly half of firms suffer data loss through dealings with vendors
• Opus Study: 59% vs. 16%
• NRF Litigation Trends Annual Survey
6. Selection Criteria
• Key considerations in the selection of vendors include:
– Enterprise expectations regarding vendor risk
– Regulatory requirements
– Cybersecurity
– Vendor’s policies and internal risk assessments
– Ability to monitor risks that cannot be eliminated
– Cost and contract terms
8. Outside Counsel Management
• Outside counsel guidelines
• Information security protocols
– Cybersecurity certifications
– CSI
• Alternative fee arrangements
• “Bundling” of legal services
“More than 100 law firms have reported data breaches” since 2014 (law.com).
10. Unbundling of Legal Services
Unbundling
• Outside counsel retained for specific legal advice
• Other vendors (and often ALSPs) retained separately by client
Bundling
• Experts, consultants, web hosting, etc. all under “one umbrella”
• Typically managed and billed as a package, through outside counsel
14. Unbundling: The Panel’s Verdict
• Client-dependent
• Matter-dependent
• Trend may be slowing, as large law firms begin to launch their own on-demand services to compete with ALSPs
16. Ongoing Risk
• Data and information sharing
• Oversight of fourth-party vendors (e.g., experts retained by outside counsel)
• Strong communication between in-house and outside lawyers
18. Law around the world
nortonrosefulbright.com
Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities
and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to
clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity
on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at
Norton Rose Fulbright.
Editor's Notes
Note advent of specific regulatory guidance regarding cyber-related vendor risk from financial services regulators since 2012-2013.
Steep penalties for noncompliance. Cite examples.
Spans multiple industries – financial services, healthcare, etc.
https://www.helpnetsecurity.com/2019/04/24/nearly-half-of-firms-suffer-data-breaches-at-hands-of-vendors/
https://www.businesswire.com/news/home/20181115005665/en/Opus-Ponemon-Institute-Announce-Results-2018-Third-Party
In the first half of 2019, data breaches exposed more than 4 billion data records, and companies that experienced data breaches lost an average of $4 million.
Institutions should reject vendors who cannot meet these criteria.
PANEL QUESTION: Do you require outside counsel to formally certify cybersecurity capabilities?
ABA Formal Opinion 477R (2017): Firms must “take special precautions to protect against inadvertent or unauthorized disclosure(s).”
“Pressure on budgets, together with a business-minded, procurement-influenced approach, will naturally influence in-house buyers to consider innovative providers in a way they might not have 15 years ago. ALSPs in particular are set up to deliver against the factors that vendors are looking for: business-focused, data-driven, transparent, tech-enabled, budget-minded - run like a business, not a law firm. Emotional intelligence is also a factor companies can pay for when considering an outside resource, and there’s a much greater awareness that huge legal projects are often actually about change management as much as they are about legal process - finding people who can deliver that change sensitivity is extremely valuable. Finally, flexible lawyering has also forced its way into a profession that hasn’t always been keen to adopt new practices; this was ALSP-led, but its success can be measured by the fact that a whole host of top-20 law firms now offer their own on-demand services.”
https://blog.juro.com/2018/12/03/legal-operations-vendor-management/
Only 28% of respondents to the Thomson Reuters survey cited utilization of a preferred vendors/panel program as an effective cost savings tool.
https://www.legaltracker.com/en/insights/white-papers-and-reports/ldo-index-benchmarking-and-trends?gatedContent=%252Fcontent%252Fewp-marketing-websites%252Flegal-tracker%252Fgl%252Fen%252Finsights%252Fwhite-papers-and-reports%252Fldo-index-benchmarking-and-trends.
As in-house counsel face increased pressure to reduce or justify legal costs, they in turn demand more proactive project management and quality service from their outside lawyers. Benefits include:
• alignment of client and outside counsel goals;
• informed risk sharing and well-considered alternative fee arrangements;
• more accurate budgeting;
• better timelines and task management;
• more flexible adjustment to contingencies;
• more effective communication between in-house and outside legal teams.
Some larger firms offer bundled project management services (often with technology solutions and e-discovery services) through affiliate companies that tout the ability to provide flexible, innovative services in conjunction with the firm’s lawyers to ensure better overall service with respect to managing eDiscovery, document review, and effective use of technology in connection with the representation of clients.
These affiliate firms also assist with flexible, value-based billing arrangements and staffing with the promise that this will result in greater predictability as to the legal spend associated with a representation.