Our General Counsel team screens all law firms, which includes a specialized (very short) data security questionnaire. The process requires completion and re-attestation at least every 3 years. The questionnaire is reviewed by our InfoSec team, just like the SOC reviews etc., for gap identification and remediation.
TPRM has oversight (scheduling, review coordination, etc.) of the law firm data security review process, but otherwise the law firms are exempt.
We have a few similar exempt carveouts for Line 1 managed qualification processes (panel real-estate appraisers, etc.)
Sent: 11-15-2022 12:52 PM
From: Jeremy Pelkey
Subject: Attorney Due Diligence
As part of a recent discussion, post exam, it was recommended that we classify our Attorneys as significant. Our Attorney inventory has been classified as Non-Essential and I am curious what others are doing with attorneys in regards to requesting Due Diligence documentation and the overall classifications for TPRM, outside of the items recommended for DD/RA.