Due Diligence and Ongoing Monitoring

Hard to tell from question if the "attorney" is a solo practitioner, part of a larger law firm (both of which would be third party vendors) or a new hire. The below addresses the first two possibilities.

In addition to any existing third party procedures, worth researching the firm (and the attorney(s) that would be doing the work) on your state's bar association (or equivalent licensing agency's) website. You're looking for (a) they're licensed to practice law and (b) no disciplinary history (or none that troubles your firm). Suggest you require an engagement letter (any reputable law firm has and uses one). Ask about their malpractice insurance.

You'll find that law firms don't like the "how's your system for preventing ransomware, other hacking etc." set of questions. The large majority of firms will, at most, provide an attestation that they have a system to prevent such things. They likely won't have or share SIG report and will raise attorney client privilege as their fundamental duty to protect information.

You should not be surprised when the attorney(s) push back harder on your requests than most outsourced service providers. 

Finally, different from many other third party relationships, this attorney likely is better known by your business people than most third party relationships. Prepare for stiffer pushback from your internal people too. This attorney likely does what they want and need and is not something/someone that just happened along. (Again: a generality. But that's my experience.)

Good luck.

Hard to tell from question if the "attorney" is a solo practitioner, part of a larger law firm (both of which would be third party vendors) or a new hire. The below addresses the first two possibilities.

In addition to any existing third party procedures, worth researching the firm (and the attorney(s) that would be doing the work) on your state's bar association (or equivalent licensing agency's) website. You're looking for (a) they're licensed to practice law and (b) no disciplinary history (or none that troubles your firm). Suggest you require an engagement letter (any reputable law firm has and uses one). Ask about their malpractice insurance.

You'll find that law firms don't like the "how's your system for preventing ransomware, other hacking etc." set of questions. The large majority of firms will, at most, provide an attestation that they have a system to prevent such things. They likely won't have or share SIG report and will raise attorney client privilege as their fundamental duty to protect information.

You should not be surprised when the attorney(s) push back harder on your requests than most outsourced service providers. 

Finally, different from many other third party relationships, this attorney likely is better known by your business people than most third party relationships. Prepare for stiffer pushback from your internal people too. This attorney likely does what they want and need and is not something/someone that just happened along. (Again: a generality. But that's my experience.)

Good luck.

Very timely that I'm seeing this because I've been trying to enhance our due diligence on cybersecurity for this type of vendor.  We did develop an addenda that we have any attorney/law firm sign that states that they have controls in place to maintain confidentiality/safeguarding of information, includes a privacy disclosure, incident response notification requirements and a clause about background checks.  We don't have too many people who push back on it.  

Hard to tell from question if the "attorney" is a solo practitioner, part of a larger law firm (both of which would be third party vendors) or a new hire. The below addresses the first two possibilities.

In addition to any existing third party procedures, worth researching the firm (and the attorney(s) that would be doing the work) on your state's bar association (or equivalent licensing agency's) website. You're looking for (a) they're licensed to practice law and (b) no disciplinary history (or none that troubles your firm). Suggest you require an engagement letter (any reputable law firm has and uses one). Ask about their malpractice insurance.

You'll find that law firms don't like the "how's your system for preventing ransomware, other hacking etc." set of questions. The large majority of firms will, at most, provide an attestation that they have a system to prevent such things. They likely won't have or share SIG report and will raise attorney client privilege as their fundamental duty to protect information.

You should not be surprised when the attorney(s) push back harder on your requests than most outsourced service providers. 

Finally, different from many other third party relationships, this attorney likely is better known by your business people than most third party relationships. Prepare for stiffer pushback from your internal people too. This attorney likely does what they want and need and is not something/someone that just happened along. (Again: a generality. But that's my experience.)

Good luck.

I can share with your the suite of due diligence documentation that we send out for our corporate litigation firms if you would like to cobble from it to meet your needs. We risk tier our firms by file counts and spend- The fewer files the less risk of widespread impact if they experience a breach.  The greater the files the higher the risk.  If you want to reach out to me directly I can send you what we send out to those firms to review. 

Hi Jennifer, Are you happy if i email you on this?  I am currently building a new TPRM program for Broker company which involves a lot of M&A, so trying to navigate how we apply our due diligence in the legal counsel space. 

Original Message:
Sent: 08-06-2024 09:18 AM
From: Jennifer Wilkinson
Subject: Attorneys for Loans

I can share with your the suite of due diligence documentation that we send out for our corporate litigation firms if you would like to cobble from it to meet your needs. We risk tier our firms by file counts and spend- The fewer files the less risk of widespread impact if they experience a breach.  The greater the files the higher the risk.  If you want to reach out to me directly I can send you what we send out to those firms to review. 

------------------------------
Jenn Wilkinson
Vice President
Third Party Risk Management
Cenlar FSB
jwilkinson@cenlar.com