Vendor Management: Is Outsourcing Putting Your Firm at Risk?

As the number and complexity of security audits continue to expand, law firms must pay more attention than ever to the risks posed by their vendors. In an increasingly outsourced world, law firms have to ensure their vendor partners closely guard the private and confidential information entrusted to them.

Outsourcing doesn’t absolve you of the obligation to keep your clients’ data secure or to comply with regulations. From your clients’ perspective, the ultimate responsibility for security and compliance lies with your firm, not the vendors to whom you outsource work.

That’s why it is so important to have a reliable system in place to ensure your vendors are secure and adhere to all industry, regulatory and client compliance requirements.


Outsourcing to vendors that haven’t been properly vetted could put your firm at significant risk. Even if you haven’t yet been audited by current or prospective clients, it is in your best interest to be proactive and conduct a review of your vendors. Do they meet all the security and compliance requirements that you and your clients expect? If they don’t, you may need to find new vendors who demonstrate the first-class compliance and security practices you demand.

A key component of any outsourcing strategy is regular and thorough risk reviews of your vendors. An outside firm that specializes in security and vendor management is a great option for firms that don’t have a full-time Information Security Officer (ISO).


Effective vendor management is a must to protect your firm and its reputation in the marketplace. Law firms are expected and even required to protect the privacy and confidentiality of their clients’ information, so the unauthorized leakage of data cannot be tolerated.

Countless stories tell of security breaches originating with third-party suppliers. Such a security breach could have disastrous consequences not only for your clients, but also for your firm. The disclosure of a data breach could do serious damage to your reputation, harming the relationships you have with your current clients and making it difficult for you to attract new ones.


The creation and maintenance of an effective vendor management program can increase your firm’s attractiveness to prospective clients. Your clients may be subject to industry regulations that specify how they store, share and manage data. As their law firm and custodian of their information, you — and your vendors — are also subject to those regulations.

Assurance that your vendors have been properly screened to ensure they comply with these regulations can give you an advantage over other firms with whom you compete. Even clients in unregulated industries want their confidential information to be in good hands, and firms that advertise the thoroughness of their vendor screening and management are more desirable.


When you decide to seek assistance from an outside vendor management partner, there are several things to consider.

First, does the vendor management company regularly review your vendors or just provide a one-off service? Do their reviews take into account the various industry regulations that your clients face? Are they experienced with vendor management, or is this a new venture? If the answer to any of these questions is no, keep looking for a partner. The ideal partner will be an expert in law firm vendor management and familiar with the various regulations your clients face.

Just as law firms depend on vendors to provide necessary products and services, clients depend on law firms to ensure those vendors are secure. Vendors with access to private and confidential information must comply with industry and governmental regulations.

An effective vendor review and management program is the only way to protect clients’ data and your firm’s reputation.