To help protect attorneys and those they serve, the ABA’s cybersecurity task force released the Vendor Contracting Project: Cybersecurity Checklist, Second Edition—an update to the 2016 version—to assist lawyers negotiating vendor contracts on behalf of clients.
“The updated checklist provides guidance in plain language for those solo and small-firm lawyers advising clients who need to incorporate cybersecurity protections in their contracts with third-party vendors,” said Claudia Rast, co-chair of the task force, in a statement. “It gives lawyers insight into the potential threats and vulnerabilities when negotiating with third-party suppliers, both on behalf of their clients and themselves.”
According to the ABA, third-party vendor attacks are difficult to sniff out and mitigate. In 2016, notes the group, Target was attacked via stolen credentials used to access its gateway server. In order to pull off the attack, the cybercriminals targeted the retailer’s HVAC vendor, and the case was eventually settled for $18.5 million, according to the ABA.
From Twitter:
The New York Times @nytimes May 29
"Once, criminals had to trick people into handing over passwords. Now, virtually anyone can obtain ransomware and load it into a compromised computer system with the help of YouTube tutorials and groups like DarkSide. The New York Times got an inside look. https://t.co/su74E5ORkW?amp=1"
Ransomware attacks are designed to lock users out of computer systems until they pony up the “ransom” needed to unlock the system. This could mean major headaches for legal services providers. “The cybersecurity threat landscape is constantly evolving, and it’s crucial for lawyers to stay current on the latest methods used by hackers,” according to the ABA. “The checklist covers vendor selection, including how to conduct a risk management assessment of potential vendors to identify risks and vulnerabilities. It also covers contract preparation with customizable sample contracts and vendor management best practices.”
Recent cybersecurity attacks have prompted President Joe Biden to issue an executive order aimed at bolstering the national response to such attacks, which could have major impacts on both infrastructure and security. “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors,” according to the President’s order. “The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.”
Biden added that the government alone cannot withstand the threats from cybercriminals facing the country. To win that war, he argues, a joint effort between the public and private sectors must be forged.
“… cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace,” reads the order.