In the digital age, safeguarding sensitive data and protecting against cyber threats are paramount concerns for law firms and businesses alike. Directors play a pivotal role in upholding compliance, security, and cybersecurity within their firms/organisations.
In this blog post, we explore the critical importance of directors’ due diligence when selecting third-party providers and the personal accountability they bear in safeguarding their firms against potential risks.
Directors’ Responsibility and Accountability:
Directors of law firms and businesses are entrusted with significant responsibilities, including ensuring compliance with legal and regulatory requirements, safeguarding sensitive data, and protecting against cybersecurity threats. This responsibility extends to the selection and oversight of third-party providers, such as IT service providers and digital marketing agencies, who handle critical business functions and sensitive client information.
As Lumina Technologies is an IT managed service provider, this blog will focus on examples of the due diligence needed when choosing an external IT provider for your law firm or business.
Most directors are not technical experts, and that’s okay.
But most also understand that they need an IT department, and outsourcing to an external provider is almost always the most cost-effective option to fulfil this need.
However, choosing an external IT provider can be one of the most challenging business decisions to make, given the risk involved with the level of client data they are entrusted to secure.
Despite the Department for Digital, Culture, Media, and Sport stating that ‘MSPs [IT Managed Service Providers] are key to the functioning of essential services that keep the UK economy running’, the IT service provider industry is still not regulated.[1]
Not all providers are created equally, so it’s crucial to ensure due diligence when choosing which service provider to work with.
The Significance of Due Diligence in Vendor Selection:
Due diligence should not be merely a procedural formality but a fundamental aspect of a director’s duties. When choosing third-party providers, like an IT provider, directors must exercise due care and diligence to mitigate risks and protect the interests of their firms and clients. Failure to conduct thorough due diligence can result in severe consequences, including financial penalties, legal liabilities, and reputational damage.
When talking about the catastrophic cyber incident that plunged multiple law firms in the UK into crisis after their IT provider was breached in November 2023, cybersecurity expert Peter Wright stated:
‘Law firms need to be carrying out the same level of due diligence with regard to their IT suppliers as they would advise their own clients to do before undertaking a serious transaction.’[2]
This incident left a multitude of conveyancing firms unable to complete house sales, which caused some of their clients real emotional distress.
A prospective house buyer tweeted on X about the incident:
‘Meant to complete yesterday. Your inability to keep your cyber security in place is causing a lot of distress’.[3]
Directors’ Liability in Data Breach Incidents:
In the event of a data breach caused by a third-party provider’s security lapse, directors can face personal liability and regulatory scrutiny. Regulatory bodies such as the Information Commissioner’s Office (ICO) hold directors accountable for ensuring adequate cybersecurity measures and vendor oversight. Directors must demonstrate proactive efforts to mitigate risks and uphold compliance standards to fulfil their legal obligations.
In the example given above, the high-profile cyber-attack on the IT provider that impacted multiple law firms, the law firms were not directly at fault for the attack. They still had to bear the brunt of distressed clients, which affected their reputation, and in some cases they may even have been threatened with legal action.
These examples serve as cautionary tales, emphasising the need for directors to prioritise due diligence and proactive risk mitigation.
Mitigating Risk Through Due Diligence:
Thorough due diligence on third-party vendors, like IT providers, is essential for mitigating the risk of data breaches and cybersecurity incidents. Directors should assess suppliers’ security practices, evaluate compliance with regulatory standards, and scrutinise contractual agreements to minimise potential vulnerabilities. By taking proactive measures to vet and monitor third-party providers, directors can safeguard their organisations and protect against legal and regulatory risks.
But HOW do you do this as a director?
Most directors reading this have probably already outsourced their IT to a third-party provider, so the best place to start is with our guide: 14 Questions To Ask Your IT Provider.
This guide includes insightful questions to ask your IT provider about their practices, and also questions to ask yourself about your business relationship with them.
Conclusion:
Directors of law firms and businesses shoulder a significant responsibility for ensuring compliance, security, and cybersecurity within their organisations, and this can be very stressful. The selection and oversight of third-party providers demand diligence to mitigate risks and protect against potential liabilities. By prioritising thorough vendor management practices and proactive risk mitigation, directors can uphold their duties and safeguard the interests of their firms and clients.
Call to Action:
In the dark over your IT? You need to start taking responsibility!
Here’s how you can start WITHOUT becoming a tech expert…
Discover your business IT health score with our FREE, no tech jargon, audit report.
Ignoring IT responsibilities is a common mistake made by many directors, and understanding your IT health score is a great starting point to reclaiming control of this critical business function.
It should take you between 5 and 10 minutes!
Click here to take it now!
[1] GOV.UK, ‘Cyber laws updated to boost UK’s resilience against online attacks’, www.gov.uk
[2] Law Gazette, ‘News focus: Cyber-attack on law firm IT provider CTS hits conveyancing firms – what lessons need to be learned?’