Reputational fallout from cyber risk burdens law firms

Law firms need to ensure the resilience of their supply chains in the face of increasing cyber incidents, writes Lorenzo Grillo of Alvarez & Marsal

When a company in the supply chain suffers a cyber breach, as seen with the recent CTS breach, its customers may face significant service disruption. Falling back on paper-based processes to keep services running brings its own problems and delays. Firms that cannot adapt quickly, or that have no business continuity plan, risk reputational damage. High-profile incidents should prompt affected and unaffected firms alike to review and update their processes, with particular attention to business continuity planning, incident response and the provisioning of backup services.

The legal sector is an attractive target for threat actors because of the sensitive information it holds, so it must prioritise supply chain resilience. The best-prepared organisations not only have a well-developed cyber incident response plan but also exercise it regularly, so that employees are confident in executing it. Learning from incidents means developing and discussing incident response capability across the firm's supply chain, on the understanding that a firm is only as strong as its weakest link. Building good working relationships with suppliers, auditing stakeholders' incident response plans and conducting supply chain provider reviews are crucial steps in ensuring resilience.

Incident response plans should be treated as ongoing components of employee education and business enablement, and extended to key providers so that resilience covers the whole firm. Recognising the importance of interpersonal dynamics within incident response teams is also vital. With third-party cyber vulnerabilities posing significant risks, firms need a clear methodology for understanding, evaluating and managing those risks. Effective third-party risk management is now a core part of cybersecurity.

In the aftermath of an incident, firms should revisit their vulnerabilities and threats. Key questions include whether cyber risk management is comprehensive, whether the cyber posture of key suppliers is checked regularly, and whether the firm is overconfident in its suppliers' ability to manage cyber risk. Services can be outsourced, but accountability for cybersecurity cannot: when threat actors strike, it is the firm's own reputation that suffers.

Lorenzo Grillo, a managing director in Alvarez & Marsal’s disputes and investigations practice, emphasizes the importance of these considerations.
