A lack of formal cybersecurity requirements for outside counsel doesn't necessarily equate to higher cyberrisks.

In the aftermath of the ransomware attack on DLA Piper, many legal departments may be reviewing their outside counsel's security protections, not just in terms of the technology their firms have, but also the processes and policies they put in place. Such cybersecurity best practices, however, are often not codified in legal departments' outside counsel guidelines, according to a Gartner and Wolters Kluwer report.

Titled "Unlock Insights Into Outside Counsel Billing and Staffing Guidelines," the report analyzed the results of a survey of 51 legal departments at various mid- to large-sized global corporations. The report found that of the 75 percent of respondents that had outside counsel guidelines in place, only 31 percent had guidelines that included formal data security requirements.

But some believe that this is not necessarily a bad omen. Such an oversight is unlikely to expose legal departments to higher cyberrisk, given the nature of their law firms' obligations, and the general lack of enforcement of such guidelines in the first place. William A. Sowinski, director of decision support services at Wolters Kluwer's ELM Solutions, noted that because "law firms are required to keep information confidential," many of their clients already assume they have robust cybersecurity protections in place from the start.