Law360
10 Ways To Mitigate Vendor Cybersecurity Risk
August 12, 2016
By Daniel B. Garrie & Rhea Siers
Corporations today face the reality that, even if they invest substantially in their own organization’s cybersecurity practices and procedures, vendors pose a serious threat. Companies must evaluate and attempt to address the threat that vendors pose, or risk becoming the next “Panama Papers” case study. Lawyers in particular must pay careful attention to these threats or risk breaching their fiduciary duties.
The truth is that vendors don’t necessarily have the same interest in securing a client’s data as the company itself. One company can have hundreds of vendors, all of which have different risk profiles. Even if a company is able to find vendors with acceptable risk profiles, their subvendors might, unbeknownst to the company, have lax and insufficient information security standards. Moreover, most companies that perform a risk profile assessment or audit at all generally do so at the inception of a vendor relationship, which does not account for changes that may later occur in a vendor’s risk profile. Without an objective, repeatable process for cybersecurity triage, companies remain exposed to any new risks their vendors may face.
To read the full article, go to Law360.