Attorney Cybersecurity and Supply Chain Risk.

• Author: Teppler, Steven W.

Attorneys from solo practices to large firms generate, modify, collect, exchange, and store both practice information (client lists, escrow account information, etc.) as well as client confidential information using the online services of cloud-based vendors and accordingly are at high risk for cyber-attacks such as data breaches, ransomware attacks, business email compromise, and wire transfer fraud.

Attorneys are also routinely both consumers of vendor-provided technology (practice management, financial, communications, and security) as well as providers of technology to clients through online service platforms (e.g., information sharing) that are typically provided to vendors "in the cloud."

For attorneys, "software supply chain" risks are those that involve the exchange of information associated with the provision of legal services. Moreover, because attorneys are both technology consumers and providers, they are in the center of what is known as the "software supply chain."

The Software Supply Chain

Most software today is not developed by a single developer sitting at his or her desk. In reality, the developer is likely incorporating snippets of code from other sources into the application being developed. These snippets may be viewed as "components" of software applications.

Think of it this way: Compare software development to baking a cake. A baker might grind his own flour for the cake, but he will also use additional ingredients made by others (yeast, flavorings, sugar, etc.). These other ingredient makers might also be using ingredients (colorings, preservatives) made by still others (let's call them "sub-ingredients") that are combined to create the baker's additional cake ingredients. The cake will not bake properly unless the ingredients provided by others directly to the baker work properly, but this also means that the cake will not bake properly unless the sub-ingredients comprising the primary ingredients are also functioning properly. It is important, therefore, to the baker, that he vets the sources of his or her ingredients and sub-ingredients to ensure that the cake will bake as expected.

Now, let's substitute software-specific terms as appropriate: A software developer might develop her own code, but she will also incorporate snippets of code from other developers (let's call them "components") into her application's code. These other developers may in turn incorporate snippets of code from yet a third set of...