
    6047580v.5 2189/00001

    SIFMA COMPLIANCE AND LEGAL SOCIETY

    2020 ANNUAL SEMINAR

    COMPLEX MATTER MANAGEMENT: Selecting and Managing Outside Counsel, Experts and Vendors

    Moderator: Rose Battaglia, Deutsche Bank AG

    Panelists:

    Dan Jackson, Norton Rose Fulbright US LLP

    Jeff Isaacs, Goldman, Sachs & Co.

    Joseph Polizzotto, QuisLex, Inc.

    Lani Quarmby, Bank of America Corporation

    Jim Walker, Richards Kibbe & Orbe LLP

    Table of Contents

    I. REGULATORY FOCUS ON VENDOR RISK MANAGEMENT
       a. Management of Confidential Supervisory Information
       b. Vendor Risk Management
       c. Outside Counsel Management
       d. Cybersecurity
       e. GDPR and Data Privacy
       f. Artificial Intelligence and Risk Management
       g. Consideration of Diversity in Vendor Selection

    II. TO BUNDLE, OR NOT TO BUNDLE?: DIFFERENT APPROACHES TO OBTAINING THE FULL RANGE OF VENDOR SERVICES
       a. “Unbundling” in Complex Matters
       b. Bundled vs. Unbundled Services: Pros and Cons

    III. REGIONAL FLIGHT: THE RISK MANAGEMENT IMPLICATIONS IN THE SHIFT FROM USING OUTSIDE COUNSEL LOCATED IN NEW YORK AND LONDON TO USING REGIONAL LAW FIRMS
       a. Factors driving law firm selection
       b. Factors driving increased use of regional firms


    I. Regulatory Focus on Vendor Risk Management

    A. Management of Confidential Supervisory Information

    1. Regulators have focused on the protection of confidential supervisory information (“CSI”) by supervised financial institutions.

    (a) CSI refers to information prepared by, on behalf of, or for the use of federal and state financial regulatory agencies in connection with bank oversight. CSI includes information relating to an examination, inspection or other visitation of an institution by its regulator and the institution’s supervisory rating (such as BOPEC (Bank subsidiaries, Other subsidiaries, Parent, Earnings, Capital), CAMELS (Capital adequacy, Asset quality, Management, Earnings, Liquidity and Sensitivity to market risk) or ROCA (Risk management, Operational controls, Compliance and Asset quality)).1

    (b) CSI is the property of the regulator, and is protected from disclosure by the bank examination privilege to encourage candor between bank regulators and supervised financial institutions. Regulators holding the bank examination privilege include:

    (i) Office of the Comptroller of the Currency (“OCC”) (12 C.F.R. § 4.36 et seq.)

    (ii) Federal Reserve Board of Governors (“Federal Reserve”) (12 C.F.R. § 261.20 et seq.)

    (iii) Federal Deposit Insurance Corporation (“FDIC”) (12 C.F.R. § 309.1 et seq.)

    (iv) The Consumer Financial Protection Bureau (“CFPB”) (12 C.F.R. § 1070.40 et seq.)

    (v) State banking agencies

    Not all regulators of financial institutions hold a bank examination privilege; those that do not include the DOJ, DOL, SEC, CFTC, FINRA and state attorneys general.

    2. Regulators are inconsistent as to which agents of a financial firm are permitted access to CSI material without prior approval. This confusion regarding what is and is not permitted under the governing rules can lead to improper disclosure.

    1 See 12 CFR § 261.2(b).


    (a) For example, OCC, FDIC and CFPB rules permit disclosure to outside counsel without prior approval. The same is not true under the Federal Reserve’s rules.

    (i) 12 C.F.R. § 4.37 (OCC permits disclosure to outside counsel or independent auditors without requiring prior written approval, provided the consultant is under a written contract to provide services to the covered institution, and the contract states the consultant’s “awareness of, and agreement to comply with, the prohibition on the dissemination of nonpublic OCC CSI”).

    (ii) 12 C.F.R. § 261.20(g) (Federal Reserve permits disclosure to public accountants and attorneys, but only after obtaining prior written approval from the Fed’s General Counsel; review of CSI must occur at the financial institution, and accountants and attorneys may not make or retain copies of the CSI material for their files).

    (iii) 12 C.F.R. § 309.6 (FDIC permits disclosure of CSI only to those directors, employees or agents “who have a need for such records in the performance of their official duties”).

    (iv) 12 C.F.R. § 1070.42(b) (CFPB permits disclosure of CSI to a “certified public accountant, legal counsel, contractor, consultant or service provider” without prior approval from the CFPB).

    (b) Moreover, the inconsistency among bank regulators in providing access to outside counsel, and the limitations that apply even where access is permitted, create significant challenges to counsel’s ability to assist clients with regulatory compliance.

    3. Bank regulators take failure to abide by these restrictions very seriously.

    (a) In In the Matter of Youlei Tang, aka Alex Tang (Docket Nos. 19-010 B-I), the Fed issued a cease and desist order against a former employee of a non-bank subsidiary of a bank holding company for violation of CSI rules.

    (i) The former employee, while employed at the company, removed CSI from the office without authorization and in violation of company policy. The employee sent CSI to his personal email address and kept copies of documents at his residence as a matter of convenience so he could work from home. Notably, 12 CFR § 261.20(g) expressly prohibits making a personal copy of CSI or removing it from the institution’s premises.


    (b) In 2013, consulting firm Deloitte Financial Advisory Services LLP (“Deloitte FAS”) entered into a settlement agreement with the New York State Department of Financial Services (“DFS”).2 The agreement described violations of New York banking law by Deloitte FAS, specifically the knowing disclosure of Deloitte FAS clients’ CSI to a third party.

    (i) Deloitte FAS’s predecessor entity was engaged by Standard Chartered Bank (“SCB”) to consult on anti-money laundering and suspicious activity reporting issues. During the course of the engagement, a Deloitte FAS employee sent SCB two e-mails containing transaction review reports that Deloitte FAS had previously performed for other client banks. The reports contained client CSI.

    (ii) As a condition of the settlement with DFS, Deloitte FAS agreed to pay a $10 million penalty and strengthen its internal policies and procedures for safeguarding client CSI.

    4. Financial institutions supervised by bank regulators must provide ongoing training to their employees and those agents permitted to view CSI to prevent inadvertent disclosure or mishandling of CSI.

    B. Vendor Risk Management

    1. Regulators are increasingly focused on ensuring that regulated entities reduce the risk of vendors disclosing customer information.

    2. In the SEC’s 2020 Examination Priorities report, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) noted that increased use of third-party service providers and other vendors improves expertise and effectiveness but carries additional challenges and risks.3

    3. OCIE has committed to continuing to focus on third-party risk management in 2020.

    (a) In connection with OCIE’s prioritization of information security in its examination programs, OCIE indicated it will focus its examination on six areas, including vendor management.

    (b) Specifically, “[i]n the area of third-party and vendor risk management, OCIE will focus on oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage.”4

    2 In the Matter of Deloitte Financial Advisory Services LLP, 2013 WL 3147251 (N.Y. Bnk. Dept.).

    3 U.S. Securities and Exchange Commission 2020 Examination Priorities, Office of Compliance Inspections and Examinations, at 5.

    4. Examinations likely will focus on:

    (a) Vendor selection process;

    (b) Negotiation of appropriate contract terms;

    (c) Monitoring protocols;

    (d) Overall vendor oversight.

    5. Monitoring of vendors should be risk-based, prioritizing vendors who are

    (a) critical risks (critical to the institution’s operation, i.e. whose failure to deliver contracted services would have a material effect on the company);

    (b) high risk (vendors with access to customer data that present a high risk of information loss, or on which the company is highly dependent operationally);

    (c) medium risk (vendors with limited customer information access or whose loss of services would be disruptive to the organization, but not crippling); and

    (d) low risk (vendors who do not have access to customer data and whose loss of services would not disrupt the company).

    6. Vendor risk reviews should

    (a) Identify potential vendor risks;

    (b) Evaluate the vendor’s ability to eliminate risks;

    (c) Monitor risks that cannot be eliminated;

    (d) Assess the impact of vendor risks on the institution.

    7. Institutions should reject vendors who do not have written policies for safeguarding confidential data, do not perform internal risk assessments and security checks, lack a disaster recovery plan and/or cannot describe an adequate process for safeguarding confidential information.

    8. In addition, in-house lawyers should encourage vendors to consider implementation of the following measures:

    4 2020 Examination Priorities at 13.


    (a) Updated encryption methodology;

    (b) Expanded cloud-based security;

    (c) Heightened third-party monitoring.

    (d) Alternative authentication tools (e.g., reducing the harm from password theft by using hardware tokens, one-time password generators, biometric authentication or other methods; knowledge-based authentication relies on answers that are often discoverable or obtainable through the same social engineering that defeats a support line, so it should not be relied on as the sole factor).

    C. Outside Counsel Management

    1. Outside counsel guidelines typically set standards for client communications, billing, information governance and security. Often these guidelines are circulated to firms that represent financial institutions with the understanding that if the firm cannot assure 100% compliance, it risks losing a client.

    2. Moreover, guidelines are often circulated without any discussion of how they reflect the company’s own risk management needs. Clients may consider using distribution of the guidelines as an opportunity to check in with outside counsel, particularly regarding the risks that are in-house counsel’s priority concerns.

    3. Effective use of outside counsel guidelines can assist companies with counsel oversight and risk management. Benefits may include:

    (a) Improving productivity;

    (b) More efficient document storage and retrieval;

    (c) Streamlining allocation of work resources;

    (d) Improving security and information flow control;

    (e) Enhancing collaboration and mobility across the legal team.

    (i) Enforcement of billing guidelines was reported as the most effective cost control measure by 89% of legal departments.5

    4. Institutional clients should consider actively requiring regular budgets that are:

    5 Thomson Reuters, “2019 Legal Tracker LDO Index Benchmarking and Trends Report” (4th Ed.) (“Thomson Reuters”), reprinted at https://www.legaltracker.com/en/insights/white-papers-and-reports/ldo-index-benchmarking-and-trends?gatedContent=%252Fcontent%252Fewp-marketing-websites%252Flegal-tracker%252Fgl%252Fen%252Finsights%252Fwhite-papers-and-reports%252Fldo-index-benchmarking-and-trends. Other practices deemed effective were regular review of budgets to actual spending on high-cost matters (50%), volume discount (36%), and fixed or flat fees for matters (32%).


    (a) Sufficiently detailed (not merely overestimates intended to protect counsel fees);

    (b) Identify important milestones; and

    (c) Qualify estimates (e.g., indicate where figures are highly susceptible to identifiable contingencies).

    5. Outside Counsel Guidelines can serve as an important management tool to help avoid misunderstandings and set expectations.

    (a) Agree on rates or alternative fee arrangements;

    (b) Understand who will work on the matter;

    (c) Understand billed costs vs. overhead;

    (d) Determine frequency of billing;

    (e) Establish policies on legal research (e.g., management of online research expenses);

    (f) Have expert and vendor policies;

    (g) Establish document protocols;

    (h) Establish security protocols; and

    (i) Provide periodic feedback on outside counsel case and cost management.

    6. Alternative fee arrangements and outside counsel management.

    (a) A Thomson Reuters survey reported that 60% of companies only have between 1% and 20% of their outside counsel spend through alternative fee arrangements; only 11% of companies have more than 40% of their outside counsel spend through alternative fee arrangements.6

    (b) However, Altman Weil reports that 64% of firms are collaborating with clients on creative alternative fee options.7

    (i) 42% have trained their lawyers to talk with clients about pricing.

    (ii) 30% added a pricing director or assigned pricing support responsibilities to a firm staff member.8

    6 Thomson Reuters at 12.

    7 See “2019 Law Firms in Transition: An Altman Weil Flash Survey” (“Altman Weil”), May 2019, reprinted at www.altmanweil.com/LFiT2019.

    (c) Risk is an important factor in assessing alternative fee arrangements.

    (i) A significant factor in the cost/benefit analysis of a proposed alternative fee arrangement (any arrangement that moves away from hourly billing) should be the risk associated with the conduct that the arrangement incentivizes.

    Management of timekeeper rate increases

    – 44% of respondents to the Thomson Reuters survey saw reduction of timekeeper rate increases and/or standard discounts on proposed timekeeper rates as an effective method of cost management.9

    (a) Provided that rate reductions or discounts do not undermine the firm’s cost structure, lawyers will provide the same level of service regardless of the agreed-upon rate.

    – Notably, Altman Weil reports that 61% of firms increased their billing rates more aggressively in the last few years.

    (a) Firms should be prepared to justify rate increases if they wish to maintain client relationships, for example by pointing to increased value based on specific factors (e.g., talent cost, service provided or unique experience) or to demonstrable improvements in service delivery that the client can directly experience and measure.10

    Volume discounts

    – This method of cost control only seems effective where the client and outside law firm are confident that there will be sufficient volume to make the arrangement beneficial on both sides (e.g., achieving discounted rates for the client and repeat client business for the outside firm).

    8 Altman Weil at viii.

    9 Thomson Reuters at 12.

    10 Altman Weil at iv.

    – 36% of respondents to the Thomson Reuters survey saw this as an effective means of cost control.11

    Fixed or flat fee billing.

    – Fixed or flat fee billing works best in matters that are predictable as to the overall work involved and duration. These matters tend to be more straightforward, with fewer contingencies that could cause litigation costs to increase precipitously.

    – To the extent that the work required under the fixed or flat fee starts to greatly exceed the hourly billing cost, in-house counsel should be concerned about the extent to which outside counsel may be motivated to minimize loss rather than maximize quality.

    (a) Notably, fixed or flat fee billing was deemed effective in controlling costs by only 32% of respondents to the Thomson Reuters survey.12

    Capped fee arrangements

    – Similar to fixed or flat fee billing, caps are more effective to the extent that there is greater predictability regarding the work required for the matter.

    – Either the client or outside counsel may be disserved if the cap is reached before the matter is substantially completed.

    (a) If the agreement provides that work ceases upon reaching the cap (pending renegotiation of fees for further work), the client faces the consequences of work interruption at a critical stage. Ethically, however, the lawyer may be prohibited from limiting the scope of work such that the client is left unrepresented through completion of a critical point in the matter under Model Rule 1.2.

    11 Thomson Reuters at 12.

    12 Thomson Reuters at 12.

    (b) The client similarly should be concerned about the quality of the work done by a law firm that is forced to continue a representation beyond a cap, arguably without further compensation.

    7. Other considerations for managing outside counsel

    (a) How can in-house legal staff best assess the right firm for the job? What information is needed?

    (b) How can companies weed out poorer-performing law firms without access to real-time data on their matter outcomes?

    (c) How can companies better utilize higher-performing firms?

    (d) How can companies best leverage relationships with outside law firms to negotiate a better rate?

    D. Cybersecurity

    1. There may be no area where appropriate vendor management is more critical than cybersecurity given the potential harm to investors arising from data breaches.

    (a) Lawyers have an ethical duty of technological competence that obligates them to protect client confidential information from cybersecurity risk.13

    (b) Cybersecurity is a $120 billion industry.14

    (i) One study calculates that the average total cost of a data breach in the United States has grown from $3.54 million in 2006 to $8.19 million in 2019 – a 130% increase.15

    13 New York Cty. Formal Op. 749 (Feb. 21, 2017) (describing a lawyer’s duty of technological competence in protecting confidential information from cybersecurity risk when representing clients in a litigation or government investigation); see also ABA Formal Op. 483 (Oct. 17, 2018) (discussing a lawyer’s obligation to develop sufficient competence in technology to meet their obligations under the rules of professional conduct after a data breach).

    14 Interfor, “6 Cybersecurity Trends to Follow in 2020,” reprinted at https://www.interforinternational.com/6-cybersecurity-trends-to-follow-in-2020/

    (ii) Law firms are particularly susceptible.

    Law firms typically host corporate confidential information, information regarding proposed or consummated corporate transactions, privileged communications, intellectual property, personal information, and other sensitive client data – all of which is of great interest to hackers.

    In the first half of 2019, data breaches exposed more than 4 billion data records, and companies that experienced data breaches lost an average of $4 million.

    2. Cybercrime is increasingly sophisticated. As a result, financial institutions are under pressure to enhance their efforts to protect against breaches, whether directly or through vendors who access their customer information.

    (a) In September 2018, the SEC resolved an enforcement action against Voya Financial Advisors, imposing a $1 million fine for Voya’s alleged failure to protect confidential customer information and prevent identity theft in connection with a 2016 cybersecurity breach.16

    (i) The Voya matter involved independent contractor representatives who had access to Voya’s brokerage customer and advisory client information through a proprietary web portal.

    (ii) Over a six-day period, one or more persons impersonated these independent contractor representatives and contacted Voya’s technical support line to request password resets, and thereby gained access to the personally identifiable information of 5,600 customers. The fraudsters also were able to create new customer profiles.

    (iii) Voya was alleged to have violated the Safeguards Rule (which requires every broker-dealer and registered investment adviser to adopt written policies and procedures to address safeguards of customer information) and the Identity Theft Red Flags Rule (requiring certain financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, prevent and mitigate identity theft in connection with covered accounts).

    15 https://www.ibm.com/security/data-breach

    16 In re Voya Financial Advisors, Inc., Admin. Proc. File No. 3-18840 (Sept. 26, 2018).

    (b) Reports emerged in August 2019 of a cyber-fraud in which the perpetrators used artificial intelligence voice-impersonation software to impersonate the voice of a company’s CEO in order to call a subsidiary and arrange for a $243,000 wire transfer.

    (i) This suggests that telephone verification may no longer be a reliable back-up to verify a suspicious email or other message; more sophisticated procedures may be required to prevent theft, such as calling back a pre-registered number rather than trusting an inbound call, and requiring a second approver for payment instructions above a set amount.17

    (c) On September 12, 2019, the CFTC imposed $1.5 million in fines and restitution against a futures commission merchant for failing to prevent and disclose a successful phishing attack that resulted in the fraudulent withdrawal of $1 million in customer funds.18

    (i) The CFTC charged violations of Regulations 166.3 and 1.55(i), which require mechanisms for the detection and deterrence of cybersecurity breaches and impose an obligation to disclose breaches.
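The Voya pattern described in 2(a) above is detectable from ordinary authentication and helpdesk logs. The following is an added example (not part of the seminar outline, the SEC order or any vendor's product) that runs a few simple rules over constructed log lines: a login from an unfamiliar address shortly after a helpdesk-assisted reset, customer profile creation shortly after a reset, one address logging into several just-reset accounts, and a run of phone-channel resets across accounts. The log format, event names, account identifiers, addresses and thresholds are all assumptions.

```python
"""Detection logic for the helpdesk-reset account takeover pattern.

Added example (not from the SEC order or any vendor's tooling): an attacker
calls support, has a representative's password reset, then logs in from an
unfamiliar address and creates customer profiles. The log format, field
names and thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: ts|event|account|source|detail
# For helpdesk_reset events the source field records the channel (phone).
SAMPLE_LOG = """\
2016-04-12T10:00:00|login|rep-0077|198.51.100.9|portal
2016-04-13T09:02:00|login|rep-1042|198.51.100.7|portal
2016-04-13T09:15:00|helpdesk_reset|rep-1042|phone|ticket=HD-5531
2016-04-13T09:31:00|login|rep-1042|203.0.113.44|portal
2016-04-13T09:40:00|profile_created|rep-1042|203.0.113.44|cust=C-88120
2016-04-13T09:41:00|profile_created|rep-1042|203.0.113.44|cust=C-88121
2016-04-14T11:05:00|helpdesk_reset|rep-2210|phone|ticket=HD-5540
2016-04-14T11:20:00|login|rep-2210|203.0.113.44|portal
2016-04-15T08:00:00|helpdesk_reset|rep-3310|phone|ticket=HD-5562
2016-04-15T08:10:00|login|rep-3310|203.0.113.45|portal
2016-04-16T14:00:00|helpdesk_reset|rep-0077|phone|ticket=HD-5580
2016-04-17T09:00:00|login|rep-0077|198.51.100.9|portal
"""


def parse_log(text):
    """Parse pipe-separated events and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, event, account, source, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "source": source, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(hours=24),
           campaign_window=timedelta(days=7), campaign_min=3):
    """Return alert dicts. Thresholds are assumptions, not Voya's controls.

    post_reset_new_ip          login within `window` of a helpdesk reset from
                               an address the account had never used before
    post_reset_profile_create  customer profile created within `window` of a reset
    shared_post_reset_source   one address used for post-reset logins to
                               several accounts (one operator, many victims)
    reset_campaign             `campaign_min`+ phone resets in `campaign_window`
    """
    alerts = []
    known_ips = defaultdict(set)         # account -> addresses seen so far
    last_reset = {}                      # account -> (reset time, addresses known then)
    phone_resets = []
    new_ip_accounts = defaultdict(set)   # address -> accounts it reached post-reset
    for e in events:
        acct = e["account"]
        if e["event"] == "helpdesk_reset":
            last_reset[acct] = (e["ts"], set(known_ips[acct]))
            if e["source"] == "phone":
                phone_resets.append(e["ts"])
            continue
        reset = last_reset.get(acct)
        in_window = reset is not None and e["ts"] - reset[0] <= window
        if e["event"] == "login":
            if in_window and e["source"] not in reset[1]:
                alerts.append({"rule": "post_reset_new_ip", "account": acct,
                               "src": e["source"], "ts": e["ts"]})
                new_ip_accounts[e["source"]].add(acct)
            known_ips[acct].add(e["source"])
        elif e["event"] == "profile_created" and in_window:
            alerts.append({"rule": "post_reset_profile_create", "account": acct,
                           "src": e["source"], "ts": e["ts"]})
    for src, accts in new_ip_accounts.items():
        if len(accts) > 1:
            alerts.append({"rule": "shared_post_reset_source", "src": src,
                           "accounts": sorted(accts)})
    # Sliding window over phone-channel resets (list is already time-ordered).
    for i, t0 in enumerate(phone_resets):
        run = [t for t in phone_resets[i:] if t - t0 <= campaign_window]
        if len(run) >= campaign_min:
            alerts.append({"rule": "reset_campaign", "count": len(run),
                           "start": t0, "end": run[-1]})
            break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The address baseline is built from the log itself, so an account with no prior logins (rep-2210 above) is flagged on its first post-reset login, while rep-0077, who resets and then logs in from a previously seen address, is not; in production the baseline comes from authentication history and the thresholds are tuned against the normal rate of helpdesk resets. The shared-source and campaign rules are what separate one forgotten password from the multi-day, multi-representative pattern in the Voya order.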

    3. The National Futures Association (“NFA”) has taken steps to ensure members actively protect information accessed electronically.

    (a) In 2019, the NFA amended its 2016 Interpretive Notice, NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs, to require all members to adopt and enforce a written information systems security program (“ISSP”) “designed to provide safeguards, appropriate to the Member’s size, complexity of operations, type of customers and counterparties, the sensitivity of the data accessible within its systems, and its electronic interconnectivity with other entities, to protect against security threats or hazards to their technology systems.”

    (b) The ISSP “should address in its security risk assessment risks posed by critical third-party service providers that have access to a Member’s systems, operate outsourced systems for the Member or provide cloud-based services such as data storage or application software to the Member.”

    17 https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

    18 In re Phillip Capital Inc., CFTC No. 19-22 (Sept. 12, 2019).

    (c) In general, members are expected to perform due diligence on critical service providers’ security practices and avoid using third parties whose security standards are not comparable to the member’s own.

    (d) Arrangements with third-party service providers should include measures designed to protect customer and firm confidential data, and should have appropriate access controls to their information systems and data, including procedures to restrict or remove a third-party provider’s access.

    4. State regulators similarly are focused on cybersecurity and vendor management.

    (a) With respect to cybersecurity, for example, the New York Department of Financial Services cybersecurity regulation (23 NYCRR Part 500) required regulated entities to have a vendor diligence program in place by March 1, 2019, which would include:

    (i) Procedures to identify and assess vendor risks;

    (ii) Policies outlining the “minimum cybersecurity practices” and cooperation obligations required of vendors;

    (iii) Due diligence procedures to evaluate vendor cybersecurity practices; and

    (iv) Procedures to complete periodic tests of the risks and cybersecurity practices of vendors.

    DFS recognizes there is no “one-size-fits-all” solution. Instead, each company must take a risk-based approach to determining the obligations it imposes on vendors so that the vendors support the company’s efforts to secure its data.

    5. Cybersecurity audits of law firms have become common. Issues that should be covered in these audits include:

    (a) Does the firm have an information governance plan that permits the firm to quickly identify who has access to sensitive client information, and for what purpose?

    (b) Can the firm quickly locate and secure sensitive client data?

    (c) Does the firm have a data breach plan?


    (d) Does the firm adequately secure information for employees accessing data with mobile or BYOD devices?

    (e) Does the firm ensure that employees are not using unsecured means to handle client work?

    (f) Does the firm employ adequate technology to protect client information?

    E. GDPR and Data Privacy

    1. GDPR is yet another significant area of oversight. GDPR compliance requires that companies only use vendors that can ensure implementation of appropriate measures to protect the personal data processed by the vendors on behalf of the regulated entities.

    (a) Companies must enter into written agreements with their vendors with respect to any processing of personal data on their behalf (GDPR Article 28), including specific requirements relating to data security, use of sub-processors, data breach notification obligations and cooperation in connection with data subject requests.

    F. Artificial Intelligence and Risk Management

    1. While artificial intelligence software is increasingly used in various aspects of transactional and litigation matters, there is continued reluctance to adopt artificial intelligence tools as a regular part of practice.

    (a) Concern that AI tools take shortcuts that lead to “artificial” and unreliable results.

    (b) Concern that AI-driven decisionmaking will undermine a lawyer’s professional judgment.

    2. As these tools are more seamlessly used in practice, lawyers handling complex litigation matters will necessarily need to adopt these tools in order to work efficiently and remain competitive.

    (a) In addition, the Altman Weil survey revealed that 48% of respondents are using technology to replace human resources in order to increase the efficiency of legal service delivery.19

    3. AI technology is being used with increasing regularity in litigation matters:

    (a) E-discovery: Technology assisted review (“TAR”) provides a means of sorting documents into categories to achieve a more efficient document review than manual document-by-document review. Programs such as Brainspace review documents at rates up to one million per hour, identify key phrases, and cluster related documents for review.

    19 Altman Weil at vii.

    (b) Outcome prediction: Programs such as Lex Machina apply natural language processing to mine court dockets in order to predict decision outcomes, favorable jurisdictions in which to bring a lawsuit, and successful motions and arguments before particular judges.

    4. There are numerous other AI applications for litigation and transactional matters.

    (a) AI-driven software permits lawyers to ask a legal research question in natural language, reviews more than a million pages of caselaw per second and constructs an answer.

    (b) Other software analyzes briefs, checks cites and identifies similar cases.

    (c) Still other software aggregates data from contracts to draft “best practice” contract clauses.

    5. How does TAR work, and what are the implications for risk management?

    (a) TAR begins with identifying the pertinent document custodians and downloading their documents to a review database to create the “master” collection that will be the source for all future searches.

    (i) Rather than relying on a team of temporary attorneys and/or paralegals to conduct a manual review of the documents that are responsive to search terms, TAR relies on one attorney (who has the best grasp of the underlying facts and legal issues), working closely with an eDiscovery technical expert (who can guide the lawyer in how best to train the system to achieve optimal results), to oversee the review process through interactive testing, using search terms or established criteria to create a seed set.

    (ii) The entire collection of electronically stored information (“ESI”) is compared to the seed set, and a responsiveness score is assessed for each document based on the review algorithm. Documents that score above a responsiveness threshold are marked responsive. The lawyer checks the adequacy of the scoring by reviewing a sample of the documents tagged as responsive or unresponsive, and will re-code documents as needed.


    (iii) Machine learning takes over at this point, using the expanded set of attorney-reviewed documents as the basis for the computer to automatically learn filtering rules, which will be applied to generate a new set of responsiveness scores. The process will be repeated until the adequacy is acceptable to the lawyer. The resulting set of documents can be produced, subject to a privilege review.

    (iv) TAR can substantially reduce the number of attorneys and paralegals involved in the review process while potentially increasing the quality and breadth of the review.
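    The seed-set, scoring, sampling and retraining loop of steps (i) through (iii), as an added toy example in Python (not code from this outline, from Brainspace or from any other e-discovery product): a constructed eleven-document collection, a word-overlap scorer standing in for the vendor's review algorithm, and an attorney check of the documents nearest the responsiveness threshold. The corpus, the search term used for the seed set, the threshold and the stopping rule are all assumptions.

```python
"""Toy technology-assisted review (TAR) loop: seed set, scoring, attorney sampling, retraining.
Added illustration, not code from the SIFMA outline or any e-discovery product. Everything is
constructed: the eleven-document collection, the ground truth the attorney finds on reading a
document, the seed-set search term, and the word-overlap scorer that stands in for the vendor's
review algorithm."""
from __future__ import annotations
import re
from dataclasses import dataclass

STOPWORDS = {"the", "a", "an", "and", "of", "for", "to", "on", "in", "at", "is", "be",
             "with", "before", "after", "this", "please", "again", "your", "near", "next"}
# Constructed collection: (id, text, truth). `truth` is what the attorney decides on reading
# the document; the scorer only sees it through documents the attorney has already coded.
COLLECTION = [
    ("R1", "Draft merger agreement with the acquisition target attached for review", True),
    ("U1", "Team lunch on Friday at the cafe near the parking garage", False),
    ("R2", "Board approved the acquisition price and valuation of the target company", True),
    ("U2", "Printer on the third floor is jammed again please call facilities", False),
    ("R3", "Please revise the merger timeline and closing conditions before the board meeting", True),
    ("U3", "Reminder to submit your parking pass renewal before the deadline", False),
    ("R4", "Valuation model for the target company shows synergies after the deal closes", True),
    ("U4", "Happy birthday cake in the kitchen this afternoon", False),
    ("R5", "Regulatory filing for the acquisition needs antitrust review before closing", True),
    ("U5", "Board meeting room reserved for the facilities committee", False),
    ("U6", "Expense report software training next week in the meeting room", False),
]

@dataclass
class Doc:
    doc_id: str
    tokens: frozenset
    truth: bool                 # constructed ground truth
    coded: bool | None = None   # attorney's decision; None = not yet reviewed
    score: float = 0.0

def tokenize(text: str) -> frozenset:
    return frozenset(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOPWORDS)

def load_collection() -> list[Doc]:
    return [Doc(i, tokenize(t), truth) for i, t, truth in COLLECTION]

def build_seed_set(docs: list[Doc], search_term: str, extra: int = 2) -> None:
    """Step (i): search-term hits plus the first `extra` non-hits, all read and coded by the attorney."""
    hits = [d for d in docs if search_term in d.tokens]
    for d in hits + [d for d in docs if search_term not in d.tokens][:extra]:
        d.coded = d.truth

def rescore(docs: list[Doc]) -> None:
    """Steps (ii)/(iii): derive the filtering rule from every coded document and score them all.
    Words seen only in responsive-coded documents push a score up, words seen only in
    unresponsive-coded documents push it down, words seen in both are ignored."""
    resp_vocab = set().union(*(d.tokens for d in docs if d.coded is True))
    unresp_vocab = set().union(*(d.tokens for d in docs if d.coded is False))
    only_resp, only_unresp = resp_vocab - unresp_vocab, unresp_vocab - resp_vocab
    for d in docs:
        r, u = len(d.tokens & only_resp), len(d.tokens & only_unresp)
        d.score = (r - u) / len(d.tokens) if d.tokens else 0.0

def validation_sample(docs: list[Doc], threshold: float, k: int) -> tuple[list[Doc], list[Doc]]:
    """Attorney's quality check: the k machine-tagged-responsive documents with the lowest scores
    and the k machine-tagged-unresponsive documents with the highest scores, i.e. the uncoded
    documents nearest the threshold, where the scorer is most likely to be wrong."""
    uncoded = [d for d in docs if d.coded is None]
    resp = sorted((d for d in uncoded if d.score > threshold), key=lambda d: (d.score, d.doc_id))
    unresp = sorted((d for d in uncoded if d.score <= threshold), key=lambda d: (-d.score, d.doc_id))
    return resp[:k], unresp[:k]

def run_tar(docs: list[Doc], search_term: str = "merger", threshold: float = 0.0,
            sample_size: int = 2, precision_target: float = 0.9, max_rounds: int = 10) -> dict:
    """Repeat until the attorney's sample shows no missed responsive documents (elusion 0) and
    the tagged-responsive sample meets the precision target, or nothing is left uncoded."""
    build_seed_set(docs, search_term)
    history, rounds = [], 0
    while rounds < max_rounds:
        rounds += 1
        rescore(docs)
        resp_sample, unresp_sample = validation_sample(docs, threshold, sample_size)
        if not resp_sample and not unresp_sample:
            break                                   # every document has been coded
        for d in resp_sample + unresp_sample:
            d.coded = d.truth                       # attorney reads and re-codes as needed
        precision = sum(d.coded for d in resp_sample) / len(resp_sample) if resp_sample else 1.0
        elusion = sum(d.coded for d in unresp_sample) / len(unresp_sample) if unresp_sample else 0.0
        history.append((rounds, precision, elusion))
        if precision >= precision_target and elusion == 0.0:
            break
    rescore(docs)                                   # final rule uses every coded document
    produced = sorted(d.doc_id for d in docs
                      if (d.score > threshold if d.coded is None else d.coded))
    return {"rounds": rounds, "history": history, "produced": produced}

def evaluate(docs: list[Doc], produced: list[str]) -> tuple[float, float]:
    """Recall and precision of the production set against the constructed ground truth."""
    truly, found = {d.doc_id for d in docs if d.truth}, set(produced)
    hit = len(found & truly)
    return hit / len(truly), (hit / len(found) if found else 0.0)
```

    On this corpus the rule learned from the seed set alone tags two facilities e-mails responsive on the strength of “board” and “meeting”; the attorney's round-one sample catches both, and the retrained rule in round two produces exactly the five responsive documents.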

    (b) Significantly, courts have made clear that using TAR to complete e-discovery may increase the reliability of a litigant’s search process, and certainly does not increase the risk of any shortcomings.

    (i) Courts have assessed whether TAR satisfies the “reasonable inquiry” standard under Fed. R. Civ. P. Rule 26(g).

    (ii) With a sufficiently large volume of documents, “reasonable inquiry” is satisfied if the responding party is enabled to produce a higher volume of responsive material more quickly than otherwise would be possible, especially if the cost of the production is substantially lower because of the need for fewer attorney reviewers.

    The larger the review, the more likely that humans, faced with the monotonous task of reviewing thousands of documents electronically, will make errors. By comparison, the computer never tires of reviewing thousands of documents, and is consistent in its approach.

    The scientific approach to TAR, which involves iterative quality-checking of search results to establish the responsive document set, compares favorably to a document-by-document manual review, where quick and possibly inconsistent judgments are made by multiple reviewers.

    (c) Courts have consistently lauded the advantages of TAR (or predictive coding) over manual review.

    (i) Winfield v. City of New York, 15-CV-05236 (LTS)(KHP), 2017 WL 5664852, at *4 (S.D.N.Y. Nov. 27, 2017) (court ordered TAR, which “hasten[ed] the identification, review, and production” of responsive documents and allows parties to “prioritize and/or categorize documents for purposes of document review and has been shown to produce more accurate results than manual review.”).

    (ii) Rabin v. PriceWaterHouseCoopers LLP, Case No. 16-cv-02276-JST, 2017 WL 4876780, at *2 (N.D. Cal. Aug. 8, 2017) (court accepted Defendants’ argument that “TAR process is capable of achieving an exceptionally high level of accuracy” and that its use would expedite discovery).

    (iii) In re Actos (Pioglitazone) Products Liability Litig., MDL No. 6:11-md-2299, 2017 WL 3033134, at *10 (W.D. La. July 17, 2017) (court noted that “[d]espite the initial ‘front loaded’ investment of time, although not perfect or fully realized, [predictive coding] provided an innovative efficiency to the discovery process when compared to the existing, prevailing methods of review.”).

    (iv) Duffy v. Lawrence Mem’l Hosp., No. 14-Civ-2256-SAC-TJJ (D. Kansas, Mar. 31, 2017), ECF No. 157 (“Overall, the myth that exhaustive manual review is the most effective . . . approach to document review is strongly refuted. [TAR] can (and does) yield more accurate results than exhaustive manual review, with much lower effort.”).

    (v) Hyles v. New York City, 10 Civ. 3119 (AT)(AJP), 2016 WL 4077114, at *2-3 (S.D.N.Y. Aug. 1, 2016) (concluded that generally TAR is “cheaper, more efficient and superior to keyword searching”).

    See Maura R. Grossman & Gordon Cormack, Technology-Assisted Review in E-Discovery Can Be More Effective and More Efficient Than Exhaustive Manual Review, XVII Richmond J. L. & Tech. 1, 37 (2011) (observed that manual reviews identified 25% to 80% of responsive documents, and TAR identified 67% to 86% of responsive documents).

    See also Rule 11-e of the Rules of Practice for the NYS Commercial Division (22 NYCRR §202.70(g)): in October 2018, the New York Courts adopted a new Commercial Division Rule providing that “parties are encouraged to use the most efficient means to review documents,” noting that TAR may be the most efficient means in appropriate cases.

    (vi) At the same time, neither TAR nor manual review should be expected to achieve perfection.

    “The production of documents in litigation . . . is a herculean undertaking, requiring an army of personnel and the production of an extraordinary volume of documents. Clients pay counsel vast sums of money in the course of this undertaking, both to produce documents and to review documents received from others. Despite the commitment of these resources, no one would or should expect perfection from this process.” Federal Housing Finance Agency v. HSBC North America Holdings, 2014 WL 584300 (S.D.N.Y. Feb. 14, 2014).

    (vii) Ultimately, lawyers should assess whether AI tools will assist in the management of a complex matter, with due consideration of the following factors:

    Whether the technology is recognized in the industry to facilitate the specific task;

    Whether the technology is priced competitively as compared to older software or a manual approach;

    Whether the technology is supported by the institution’s or outside vendor’s technology, or will require an investment in technology that is cost-effective;

    Whether there is a foreseeable benefit to the delivery of legal services based on the cost, scope, accuracy, efficiency or other important factors pertinent to the particular matter; and

    Whether the technology can create greater efficiencies in the management of workstreams.20

    G. Consideration of Diversity in Vendor Selection

    1. Research has consistently demonstrated that diverse teams outperform non-diverse teams in every aspect of performance, including quality and value.

    20 James Q. Walker, “What’s Artificial About Intelligence? The Ethical and Practical Considerations When Lawyers Use AI Technology,” Bloomberg Law: Digital Discovery & e-Evidence (April 4, 2018).

    2. Nevertheless, a Thomson Reuters 2019 survey revealed that only 45% of legal departments reported that it was a priority to use diversity data as a factor in firm selection.

    (a) Only 30% of legal departments require diversity information from law firms, although 9% of organizations were newly launching diversity reporting.

    (b) Interestingly, 64% of large legal departments reported diversity as a priority.21

    II. To Bundle, or Not to Bundle? Different Approaches to Obtaining the Full Range of Vendor Services

    A. “Unbundling” in Complex Matters.

    1. “Unbundling” in the context of complex matter management refers to selection of outside counsel separate from a range of other required services (e.g., e-discovery, document storage, forensic accountants and other experts). This is compared to law firms that offer “bundled” services, where a range of required services are offered as a package.

    2. This is different from “unbundled legal services,” which refers to lawyers limiting their representation so that they are hired only to perform a specific task or handle a single issue.

    B. Bundled v. Unbundled Services: Pros and Cons

    1. As with everything, there are costs and benefits to bundled and unbundled approaches.

    2. For example, an unbundled approach to complex matter management would be warranted where the client already has a list of preferred vendors or panel program covering the range of services required for the representation.

    (a) Pros

    (i) The institutional client’s panel of vendors has already been vetted by the client, so there is an assumption that the quality of service and cost for each approved vendor are up to the client’s standards.

    21 2019 Legal Tracker LDO Index: Benchmarking and Trends Report (4th ed.), reprinted at https://www.legaltracker.com/en/insights/white-papers-and-reports/ldo-index-benchmarking-and-trends?gatedContent=%252Fcontent%252Fewp-marketing-websites%252Flegal-tracker%252Fgl%252Fen%252Finsights%252Fwhite-papers-and-reports%252Fldo-index-benchmarking-and-trends.



    (ii) Having a range of vendors on an approved list allows for greater quality control across the matrix of vendors, which could be different from a law firm that offers one-stop bundled services.

    An alternative legal service provider (ALSP) that has a steady stream of work from a corporate client may better grasp the client’s perspective on various issues than a law firm that has less experience with the client. For example, the ALSP may have a better sense of the client’s position on privilege designations, and thus ensure that the review of a proposed document production for privileged communications is consistent with the client’s past practice.

    (b) Cons

    (i) The preferred law firm for a particular representation may not have a prior relationship with the other service providers on the vendor list, and may have a set of other vendors with whom the firm regularly works and which provide quality, seamless service. There may be a cost in climbing the learning curve of creating new relationships among vendors.

    (ii) Imposing an approved list of vendors on the preferred law firm means the institution may miss out on the benefits of the bundled service plan presented by the law firm, which may range from cost savings to additional pre-packaged services.

    (iii) Only 28% of respondents to the Thomson Reuters survey cited utilization of a preferred vendors/panel program as an effective cost savings tool.22

    C. Project management: focuses on proactively scoping, planning, budgeting, evaluating, executing and communicating in connection with a client representation.

    1. Outside counsel who either employ, affiliate with, or serve as project managers determine how to plan, manage and resolve legal matters successfully, on time and on budget.

    (a) Some larger firms offer bundled project management services (often with technology solutions and e-discovery services) through affiliate companies that tout the ability to provide flexible, innovative services in conjunction with the firm’s lawyers to ensure better overall service with respect to managing eDiscovery, document review, and effective use of technology in connection with the representation of clients.

    22 Thomson Reuters at 12.

    (b) These affiliate firms also assist with flexible, value-based billing arrangements and staffing with the promise that this will result in greater predictability as to the legal spend associated with a representation.

    2. As in-house counsel face increased pressure to reduce or justify legal costs, they in turn demand more proactive project management and quality service from their outside lawyers. Benefits include:

    (a) alignment of client and outside counsel goals;

    (b) informed risk sharing and well-considered alternative fee arrangements;

    (c) more accurate budgeting;

    (d) better timelines and task management;

    (e) more flexible adjustment to contingencies;

    (f) more effective communication between in-house and outside legal teams.

    III. Regional Flight: The Risk Management Implications in the Shift from Using Outside Counsel Based in New York and London to Using Regional Law Firms

    A. To begin the discussion of “regional flight,” it is useful to focus first on the client’s key objectives in retaining legal service.23

    1. Relevant expertise

    2. Quality service

    3. Effective communication

    4. Efficient process

    5. High-value outcomes – desired outcomes achieved through cost-effective service.

    23 See “2019 Law Firms in Transition: An Altman Weil Flash Survey” (“Altman Weil”), May 2019, reprinted at www.altmanweil.com/LFiT2019.


    (a) Institutional clients typically will pay for specialized expertise – the skills, experience, informed judgment, industry knowledge and proven track record – and therefore have traditionally been less sensitive to the higher-priced law firms located in metropolitan centers such as New York and London.

    (i) However, these same institutions are constantly under pressure to manage legal spending, which has been a factor in the increase in the use of regional law firms.

    (b) Efficiency will be rewarded – those firms that provide great service and are creative in finding ways to provide top service in a more cost-effective way, and with greater predictability, will be rewarded over their competitors. This creativity may be achieved through:

    (i) Staffing;

    – 42% of lawyers reported using staff lawyers;

    – 48% reported using contract lawyers;

    – 57% reported using part-time lawyers;

    – 40% reported shifting work from lawyers to para-professionals;

    – all of these firms reported significant improvement in firm performance as a result of these staffing approaches.24

    (ii) Use of technology;

    – 70% of legal departments responding to the Thomson Reuters survey identified using technology to simplify workflow and manual processes as a high priority.

    – 48% of the 2019 Altman Weil survey respondents reported using technology tools to replace human resources and increase efficiency. 15% reported creation of a low-cost service center for back-office functions, with significant performance improvements.25

    24 Altman Weil at vii.

    25 Altman Weil at iv.


    (iii) In-sourcing: Asked whether their firms are losing business to other legal service providers, 60.4% reported that they were losing work to in-house law departments of under 250 lawyers, and 70% reported losing work to in-house law departments of 250 or more lawyers.

    The same survey reported little loss of work attributed to client use of technology, use of alternative legal service providers, or outsourcing work to the big four accounting firms (ranging from 6.5-23.6%).

    6. What factors are driving increased use of regional law firms?

    (a) Greater familiarity with regional regulatory staff.

    (b) Lower billing rates.

    (c) Reduced travel expense.

    (d) Improving the regional diversity among trusted advisors.

    7. What challenges are presented by using regional law firms?

    (a) Loss of concentrated knowledge in a smaller number of tier 1 law firms.

    (b) Necessity to teach regional lawyers the client’s business and priorities.

    (c) Increased management burden on in-house counsel who are now overseeing the work of a larger number of law firms.

    (d) Loss of uniformity of approach in response to similar regulatory challenges.

    I. Regulatory Focus on Vendor Risk ManagementA. Management of Confidential Supervisory Information1. Regulators have focused on the protection of confidential supervisory information (“CSI”) by supervised financial institutions.(a) CSI refers to information prepared by, on behalf of, or for the use of federal and state financial regulatory agencies in connection with bank oversight. CSI includes information relating to an examination, inspection or other visitation of an ins...(b) CSI is the property of the regulator, and is protected from disclosure by the bank examination privilege to encourage candor between bank regulators and supervised financial institutions. Regulators holding the bank examination privilege include:(i) Office of the Comptroller of the Currency (“OCC”) (12 C.F.R. § 4.36 et seq.)(ii) Federal Reserve Board of Governors (“Federal Reserve”) (12 C.F.R. § 261.20 et seq.)(iii) Federal Deposit Insurance Corporation (“FDIC”) (12 C.F.R. § 309.1 et seq.)(iv) The Consumer Financial Protection Bureau (“CFPB”) (12 C.F.R. § 1070.40 et seq.)(v) State banking agencies Not all regulators of financial institutions hold a bank examination privilege, including but not limited to, DOJ, DOL, SEC, CFTC, FINRA, and state attorneys generals.

    2. Regulators are inconsistent as to which agents of a financial firm are permitted access to CSI material without prior approval. This confusion regarding what is and is not permitted under the governing rules can lead to improper disclosure.(a) For example, OCC, FDIC and CFPB rules permit disclosure to outside counsel without prior approval. The same is not true under the Federal Reserve’s rules.(i) 12 C.F.R. § 4.37 (OCC permits disclosure to outside counsel or independent auditors without requiring prior written approval, provided the consultant is under a written contract to provide services to the covered institution, and the contract stat...(i) 12 C.F.R. § 261.20 (g) (Federal Reserve permits disclosure to public accountants and attorneys, but only after obtaining prior written approval from the Fed’s General Counsel, review of CSI must occur at the financial institution and accountants a...(ii) 12 C.F.R. § 309.6 (FDIC permits disclosure of CSI only to those directors, employees or agents “who have a need for such records in the performance of their official duties).(iii) 12 CFR § 1070.42(b) (CFPB permits disclosure of CSI to a “certified public accountant, legal counsel, contractor, consultant or service provider” without prior approval from the CFPB).

    (b) Moreover, the inconsistency among bank regulators in providing access to outside counsel, and the limitations that apply even where access is permitted, creates incredible challenges to counsel’s ability to assist their clients with regulatory com...

    3. Bank regulators take failure to abide by these restrictions very seriously.(a) In In the Matter of Youlei Tang, aka Alex Tang (Docket Nos. 19-010 B-I), the Fed issued a cease and desist order against a former employee of a non-bank subsidiary of a bank holding company for violation of CSI rules.(i) The former employee, while employed at the company, removed CSI from the office without authorization and in violation of company policy. The employee sent CSI to his personal email address and kept copies of documents at his residence as a matte...

    (b) In 2013, consulting firm Deloitte Financial Advisory Services LLP (“Deloitte FAS”) entered into a settlement agreement the New York State Department of Financial Services (“DFS”).1F The agreement described violations of New York banking law by De...(i) Deloitte FAS’s predecessor entity was engaged by Standard Chartered Bank (“SCB”) to consult on anti-money laundering and suspicious activity reporting issues. During the course of the engagement, a Deloitte FAS employee sent SCB two e-mails contai...(ii) As a condition of the settlement with DFS, Deloitte FAS agreed to pay a $10 million penalty and strengthen its internal policies and procedures for safeguarding client CSI.

    4. Financial institutions supervised by bank regulators must provide ongoing training to their employees and those agents permitted to view CSI to prevent inadvertent disclosure or mishandling of CSI.

    B. Vendor Risk Management1. Regulators are increasingly focused on ensuring that regulated entities reduce the risk of vendors disclosing customer information.2. In the SEC’s 2020 Examination Priorities report, the SEC’s Office of Compliance, Inspections and Enforcement (“OCIE”) noted that increased use of third-party service providers and other vendors improves expertise and effectiveness but carries addit...3. OCIE has committed to continuing to focus on third-party risk management in 2020.(a) In connection with OCIE”s prioritization of information security in its examination programs, OCIE indicated it will focus its examination on six areas, including vendor management.(b) Specifically, “[i]n the area of third-party and vendor risk management, OCIE will focus on oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage.3F

    4. Examinations likely will focus on:(a) Vendor selection process;(b) Negotiation of appropriate contract terms;(c) Monitoring protocols;(d) Overall vendor oversight.

    5. Monitoring of vendors should be risk-based, prioritizing vendors who are(a) critical risks (critical to the institution’s operation, i.e. whose failure to deliver contracted services would have a material effect on the company);(b) high risk (vendors with access to customer data and have a high risk of information loss, or where the company is highly dependent on the vendor’s operationally);(c) medium risk (vendors with limited customer information access or whose loss of services would be disruptive to the organization, but not crippling); and(d) low risk (vendors who do not have access to customer data and whose loss of services would not disrupt the company).

    6. Vendor risk reviews should(a) Identify potential vendor risks;(b) Evaluate the vendor’s ability to eliminate risks;(c) Monitor risks that cannot be eliminated;(d) Assess the impact of vendor risks on the institution.

    7. Institutions should reject vendors who do not have written policies for safeguarding confidential data, do not perform internal risk assessments and security checks, lack a disaster recovery plan and/or cannot describe an adequate process for safeg...8. In addition, in-house lawyers should encourage vendors to consider implementation of the following measures:(a) Updated encryption methodology;(b) Expanded cloud-based security;(c) Heightened third-party monitoring.(d) Alternative authentication tools (e.g., avoiding harm from password theft by using tokens, password generators, knowledge-based authentication, biometric authentication or other methods.

    C. Outside Counsel Management1. Outside counsel guidelines typically set standards for client communications, billing, information governance and security. Often these guidelines are circulated to firms that represent financial institutions with the understanding that if the fir...2. Moreover, guidelines are circulated without any discussion of how the guidelines reveal the company’s needs with respect to its own risk management. Clients may consider using distribution of the guidelines as an opportunity to check-in with outsi...3. Effective use of outside counsel guidelines can assist companies with counsel oversight and risk management. Benefits may include:(a) Improving productivity;(b) More efficient document storage and retrieval;(c) Streamlining allocation of work resources;(d) Improving security and information flow control;(e) Enhancing collaboration and mobility across the legal team.(i) Enforcement of billing guidelines was reported as the most effective cost control measure by 89% of legal departments.4F

    4. Institutional clients should consider actively requiring regular budgets that are:(a) Sufficiently detailed (not merely overestimates intended to protect counsel fees);(b) Assess important milestones; and(c) Qualify estimates (e.g., indicate where figures are highly susceptible to identifiable contingencies).

    5. Outside Counsel Guidelines can serve as an important management tool to help avoid misunderstandings and set expectations.(a) Agree on rates or alternative fee arrangements;(b) Understand who will work on the matter;(c) Understand billed costs vs. overhead;(d) Determine frequency of billing;(e) Establish policies on legal research (e.g., management of online research expenses);(f) Have expert and vendor policies;(g) Establish document protocols;(h) Establish security protocols; and(i) Provide periodic feedback on outside counsel case and cost management.

    6. Alternative fee arrangements and outside counsel management.(a) A Thomson Reuters survey reported that 60% of companies only have between 1% and 20% of their outside counsel spend through alternative fee arrangements; only 11% of companies have more than 40% of their outside counsel spend through alternative f...(b) However, Altman Weil reports that 64% of firms are collaborating with clients on creative alternative fee options.6F(i) 42% have trained their lawyers to talk with clients about pricing.(ii) 30% added a pricing director or assigned pricing support responsibilities to a firm staff member.7F

    (c) Risk is an important factor in assessing alternative fee arrangements.(i) A significant factor in the cost/benefit analysis of a proposed alternative fee arrangement (any arrangement that moves away from hourly fee billing) should be the risk that may be associated with a proposed alternative billing arrangement based o... Management of timekeeper rate increases– 44% of respondents to the Thomson Reuters survey saw reduction of timekeeper rate increases and/or standard discounts on proposed timekeeper rates as an effective method of effective cost management.8F(a) Provided that rate reductions or discounts do not undermine the firm’s cost structure, lawyers will provide the same level of service regardless of the agreed-upon rate.

    – Notably, Altman Weil reports that 61% of firms increased their billing rates more aggressively in the last few years.(a) Firms should be prepared to justify rate increases if they wish to maintain client relationships, perhaps touting increased value based on specific factors (e.g., talent cost, service provided or unique experience); demonstrable improvements in se...

    Volume discounts– This method of cost control only seems effective where the client and outside law firm are confident that there will be sufficient volume to make the arrangement beneficial on both sides (e.g., achieving discounted rates for the client and repeat cl...– 36% of respondents to the Thomson Reuters survey saw this as an effective means of cost control.10F

    Fixed or flat fee billing.– Fixed or flat fee billing works best in matters that are predictable as to the overall work involved and duration. These matters tend to be more straightforward, with fewer contingencies that could cause litigation costs to increase precipitously.– To the extent that the work required under the fixed or flat fee starts to greatly exceed the hourly billing cost, in-house counsel should be concerned about the extent to which outside counsel may be motivated to minimize loss rather than maximize ...(a) Notably, fixed or flat fee billing was deemed effective in controlling costs by only 32% of respondents to the Thomson Reuters survey.11F

    Capped fee arrangements– Similar to fixed or flat fee billing, caps are more effective to the extent that there is greater predictability regarding the work required for matter.– Either the client or outside counsel may be disserved if the cap is reached before the matter is substantially completed.(a) If the agreement provides that work ceases upon reaching the cap (pending renegotiation of fees for further work), the client faces the consequences of work interruption at a critical stage. Ethically, however, the lawyer may be prohibited from li...(b) The client similarly should be concerned about the quality of the work done by a law firm that is forced to continue a representation beyond a cap, arguably without further compensation.

    7. Other considerations for managing outside counsel(a) How can in-house legal staff best assess the right firm for the job? What information is needed?(b) How can companies weed out poorer-performing law firms without access to real-time data on their matter outcomes?(c) How can companies better utilize higher-performing firms?(d) How can companies best leverage relationships with outside law firms to negotiate a better rate?

    D. Cybersecurity1. There may be no area where appropriate vendor management is more critical than cybersecurity given the potential harm to investors arising from data breaches.(a) Lawyers have an ethical duty of technological competence that obligates them to protect client confidential information from cybersecurity risk.12F(b) Cybersecurity is a $120 billion industry.13F(i) One study calculates that the average total cost of a data breach in the United States has grown from $3.54 million in 2006 to $8.19 million in 2019 – a 130% increase.14F(ii) Law firms are particularly susceptible. Law firms typically host corporate confidential information, information regarding proposed or consummated corporate transactions, privileged communications, intellectual property, personal information, and other sensitive client data – all of which... In the first half of 2019, data breaches exposed more than 4 billion data records, and companies that experienced data breaches lost an average of $ 4 million.

    2. Cybercrime is increasingly more sophisticated. As a result, financial institutions are under pressure to enhance their efforts to protect against breaches either directly or through vendors who access their customer information.(a) On September 2018, the SEC resolved an enforcement action against Voya Financial Advisors, imposing a $1 million fine for Voya’s alleged failure to protect confidential consumer information and prevent identity theft in connection with a 2016 cybe...(i) The Voya matter involved independent contractor representatives who had access to Voya’s brokerage customer and advisory client information through a proprietary web portal.(ii) Over a six-day period, one or more persons impersonated these independent contractor representatives and contacted Voya’s technical support line to request password resets, and thereby gained access to 5600 customers’ personally identifiable info...(iii) Voya was alleged to have violated the Safeguards Rule (which requires every broker-dealer and registered investment adviser to adopt written policies and procedures to address safeguards of customer information) and the Identity Theft Red Flags ...

        (b) Reports emerged in August 2019 of a cyber-fraud in which the perpetrators used artificial intelligence voice-impersonation software to impersonate the voice of a company’s CEO in order to call a subsidiary and arrange for a $243,000 wire transfer.
            (i) This suggests that telephone verification may no longer be a reliable back-up to verify a suspicious email or other messaging; more sophisticated procedures may be required to prevent theft.16F

        (c) On September 12, 2019, the CFTC imposed $1.5 million in fines and restitution against a futures commission merchant for failing to prevent and disclose a successful phishing attack that resulted in the fraudulent withdrawal of $1 million in customer ...
            (i) The CFTC charged violation of Regulations 166.3 and 1.55(i), which require mechanisms for the detection and deterrence of cybersecurity breaches and impose an obligation to disclose breaches.

    3. The National Futures Association (“NFA”) has taken steps to ensure members actively protect information accessed electronically.
        (a) In 2019, the NFA amended its 2016 Interpretive Notice, NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs, to require all members to adopt and enforce a written information systems security program (“ISSP”) “designed to...
        (b) The ISSP “should address in its security risk assessment risks posed by critical third-party service providers that have access to a Member’s systems, operate outsourced systems for the Member or provide cloud-based services such as data storage o...
        (c) In general, members are expected to perform due diligence on critical service providers’ security practices and avoid using third parties whose security standards are not comparable to the member’s standards.
        (d) Arrangements with third-party service providers should include measures designed to protect customer and firm confidential data, and should have appropriate access controls to their information systems and data, including procedures to restrict or...

    4. State regulators similarly are focused on cybersecurity and vendor management.
        (a) With respect to cybersecurity, for example, the New York Department of Financial Services cybersecurity rules (22 NYCRR 500, et seq.) required regulated entities to have a vendor diligence program in place by March 1, 2019, which would include:
            (i) Procedures to identify and assess vendor risks;
            (ii) Policies outlining the “minimum cybersecurity practices” and cooperation obligations required of vendors;
            (iii) Due diligence procedures to evaluate vendor cybersecurity practices; and
            (iv) Procedures to complete periodic tests of the risks and cybersecurity practices of vendors.
        DFS recognizes there is no “one-size fits all solution.” Instead, each company must take a risk-based approach to determine the obligations it will impose on vendors so that its efforts to secure its data are supported.

    5. Cybersecurity audits of law firms have become common. Issues that should be covered in these audits include:
        (a) Does the firm have an information governance plan that permits the firm to quickly identify who has access to sensitive client information, and for what purpose?
        (b) Can the firm quickly locate and secure sensitive client data?
        (c) Does the firm have a data breach plan?
        (d) Does the firm adequately secure information for employees accessing data with mobile or BYOD devices?
        (e) Does the firm ensure that employees are not using unsecured means to handle client work?
        (f) Does the firm employ adequate technology to protect client information?

    E. GDPR and Data Privacy

    1. GDPR is yet another significant area of oversight. GDPR compliance requires that companies only use vendors that can ensure implementation of appropriate measures to protect the personal data processed by the vendors on behalf of the regulated ent...
        (a) Companies must enter into written agreements with their vendors with respect to any processing of personal data on their behalf, including specific requirements relating to data security, use of sub-processors, data breach notification obligations...

    F. Artificial Intelligence and Risk Management

    1. While artificial intelligence software is increasingly used in various aspects of transactional and litigation matters, there is continued reticence about adopting artificial intelligence tools as a regular part of practice.
        (a) Concern that AI tools take shortcuts that lead to “artificial” and unreliable results.
        (b) Concern that AI-driven decision-making will undermine a lawyer’s professional judgment.

    2. As these tools are more seamlessly used in practice, lawyers handling complex litigation matters will necessarily need to adopt these tools in order to work efficiently and remain competitive.
        (a) In addition, the Altman Weil survey revealed that 48% of respondents are using technology to replace human resources in order to increase the efficiency of legal service delivery.18F

    3. AI technology is being used with increasing regularity in litigation matters:
        (a) E-discovery: Technology assisted review (“TAR”) provides a means of sorting documents into categories to achieve a more efficient document review than manual document-by-document review. Programs such as Brainspace review documents at rates up t...
        (b) Outcome prediction: Programs such as Lex Machina apply natural language processing to mine court dockets in order to predict decision outcomes, favorable jurisdictions in which to bring a lawsuit, and successful motions and arguments before...

    4. There are numerous other AI applications for litigation and transactional matters.
        (a) AI-driven software permits lawyers to ask a legal research question in natural language, reviews more than a million pages of caselaw per second and constructs an answer.
        (b) Other software analyzes briefs, checks cites and identifies similar cases.
        (c) Still other software aggregates data from contracts to draft “best practice” contract clauses.

    5. How does TAR work, and what are the implications for risk management?
        (a) TAR begins with identifying the pertinent document custodians and downloading their documents to a review database to create the “master” collection that will be the source for all future searches.
            (i) Rather than relying on a team of temporary attorneys and/or paralegals to conduct a manual review of documents that are responsive to search terms, TAR relies on one attorney (who has the best grasp of the underlying facts and legal issues), worki...
            (ii) The entire collection of electronically stored information (“ESI”) is compared to the seed set, and a responsiveness score is assessed for each document based on the review algorithm. Documents that score above a responsiveness threshold are mar...
            (iii) Machine learning takes over at this point, using the expanded set of attorney-reviewed documents as the basis for the computer to automatically learn filtering rules, which will be applied to generate a new set of responsiveness scores. The pro...
            (iv) TAR can substantially reduce the number of attorneys and paralegals involved in the review process while potentially increasing the quality and breadth of the review.

        (b) Significantly, courts have made clear that using TAR to complete e-discovery may increase the reliability of a litigant’s search process, and certainly does not increase the risk of any shortcomings.
            (i) Courts have assessed whether TAR satisfies the “reasonable inquiry” standard under Fed. R. Civ. P. Rule 26(g).
            (ii) With a sufficiently large volume of documents, “reasonable inquiry” is satisfied if the responding party is enabled to produce a higher volume of responsive material more quickly than otherwise would be possible, especially if the cost of the pro... The larger the review, the more likely that humans faced with the monotonous task of reviewing thousands of documents electronically will make errors. By comparison, the computer never tires of reviewing thousands of documents, and is consistent ... The scientific approach to TAR, which involves iterative quality-checking of search results to establish the responsive document set, compares favorably to a document-by-document manual review, where quick and possibly inconsistent judgments are mad...

        (c) Courts have consistently lauded the advantages of TAR (or predictive coding) over manual review.
            (i) Winfield v. City of New York, 15-CV-05236 (LTS)(KHP), 2017 WL 5664852, at *4 (S.D.N.Y. Nov. 27, 2017) (court ordered TAR, which “hasten[ed] the identification, review, and production” of responsive documents and allows parties to “prioritize and/o...
            (ii) Rabin v. PriceWaterHouseCoopers LLP, Case No. 16-cv-02276-JST, 2017 WL 4876780, at *2 (N.D. Cal. Aug. 8, 2017) (court accepted Defendants’ argument that “TAR process is capable of achieving an exceptionally high level of accuracy” and that its us...
            (iii) In re Actos (Pioglitazone) Products Liability Litig., MDL No. 6:11-md-2299, 2017 WL 3033134, at *10 (W.D. La. July 17, 2017) (court noted that “[d]espite the initial ‘front loaded’ investment of time, although not perfect or fully realized, [pre...
            (iv) Duffy v. Lawrence Mem’l Hosp., No. 14-Civ-2256-SAC-TJJ (D. Kansas, Mar. 31, 2017), ECF No. 157 (“Overall, the myth that exhaustive manual review is the most effective . . . approach to document review is strongly refuted. [TAR] can (and does) yi...
            (v) Hyles v. New York City, 10 Civ. 3119 (AT)(AJP), 2016 WL 4077114, at *2-3 (S.D.N.Y Aug. 1, 2016) (concluded that generally TAR is “cheaper, more efficient and superior to keyword searching”). See Maura R. Grossman & Gordon Cormack, Technology-Assisted Review in E-Discovery Can Be More Effective and More Efficient Than Exhaustive Manual Review, XVII Richmond J. L. & Tech. 1, 37 (2011) (observed that manual reviews identified 25% to 80%... See also: In October 2018, the New York Courts adopted a new Commercial Division Rule providing that “parties are encouraged to use the most efficient means to review documents,” noting that TAR may be the most efficient means in appropriate cases. ...

            (vi) At the same time, neither TAR nor manual review should be expected to achieve perfection. The production of documents in litigation . . . is a herculean undertaking, requiring an army of personnel and the production of an extraordinary volume of documents. Clients pay counsel vast sums of money in the course of this undertaking, both to...

            (vii) Ultimately, lawyers should assess whether AI tools will assist in the management of a complex matter, with due consideration of the following factors:
                – Whether the technology is recognized in the industry to facilitate the specific task;
                – Whether the technology is priced competitively as compared to older software or a manual approach;
                – Whether the technology is supported by the institution’s or outside vendor’s technology, or will require an investment in technology that is cost-effective;
                – Whether there is a foreseeable benefit to the delivery of legal services based on the cost, scope, accuracy, efficiency or other important factors pertinent to the particular matter; and
                – Whether the technology can create greater efficiencies in the management of workstreams. 19F

    G. Consideration of Diversity in Vendor Selection

    1. Research has consistently demonstrated that diverse teams outperform non-diverse teams in every aspect of performance, including quality and value.

    2. Nevertheless, a Thomson Reuters 2019 survey revealed that only 45% of legal departments reported that it was a priority to use diversity data as a factor in firm selection.
        (a) Only 30% of legal departments require diversity information from law firms, although 9% of organizations were newly launching diversity reporting.
        (b) Interestingly, 64% of large legal departments reported diversity as a priority.20F

    II. To Bundle, or Not to Bundle? Different Approaches to Obtaining the Full Range of Vendor Services

    A. “Unbundling” in Complex Matters.

    1. “Unbundling” in the context of complex matter management refers to selection of outside counsel separate from a range of other required services (e.g., e-discovery, document storage, forensic accountants and other experts). This is compared to law...

    2. This is different from “unbundled legal services,” which refers to lawyers limiting their representation so that they are hired only to perform a specific task or handle a single issue.

    B. Bundled v. Unbundled Services: Pros and Cons

    1. As with everything, there are costs and benefits to bundled and unbundled approaches.

    2. For example, an unbundled approach to complex matter management would be warranted where the client already has a list of preferred vendors or a panel program covering the range of services required for the representation.
        (a) Pros
            (i) The institutional client’s panel of vendors has already been vetted by the client, so there is an assumption that the quality of service and cost for each approved vendor are up to the client’s standards.
            (ii) Having a range of vendors on an approved list allows for greater quality control across vendors, which could be different from a law firm that offers one-stop bundled services. An alternative legal service provider (ALSP) that has a steady stream of work from a corporate client may better grasp the client’s perspective on various issues than a law firm that has less experience with the client. For example, the ALSP may ha...

        (b) Cons
            (i) The preferred law firm for a particular representation may not have a prior relationship with the other service providers on the vendor list, and may have a set of other vendors with whom the firm regularly works and provides quality and seamless ...
            (ii) Imposing an approved list of vendors on the preferred law firm means the institution may miss out on the benefits of the bundled service plan presented by the law firm, which may range from cost savings to additional pre-packaged services.
            (iii) Only 28% of respondents to the Thomson Reuters survey cited utilization of a preferred vendors/panel program as an effective cost savings tool.21F

    C. Project management: focuses on proactively scoping, planning, budgeting, evaluating, executing and communicating in connection with a client representation.

    1. Outside counsel who either employ, affiliate with, or serve as project managers determine how to plan, manage and resolve legal matters successfully, on time and on budget.
        (a) Some larger firms offer bundled project management services (often with technology solutions and e-discovery services) through affiliate companies that tout the ability to provide flexible, innovative services in conjunction with the firm’s lawyer...
        (b) These affiliate firms also assist with flexible, value-based billing arrangements and staffing, with the promise that this will result in greater predictability as to the legal spend associated with a representation.

    2. As in-house counsel face increased pressure to reduce or justify legal costs, they in turn demand more proactive project management and quality service from their outside lawyers. Benefits include:
        (a) alignment of client and outside counsel goals;
        (b) informed risk sharing and well-considered alternative fee arrangements;
        (c) more accurate budgeting;
        (d) better timelines and task management;
        (e) more flexible adjustment to contingencies;
        (f) more effective communication between in-house and outside legal teams.

    III. Regional Flight: The Risk Management Implications in the Shift from Using Outside Counsel Based in New York and London to Using Regional Law Firms

    A. To begin the discussion of “regional flight,” it is useful to focus first on the client’s key objectives in retaining legal services.22F

    1. Relevant expertise
    2. Quality service
    3. Effective communication
    4. Efficient process
    5. High-value outcomes – desired outcomes achieved through cost-effective service.
        (a) Institutional clients typically will pay for specialized expertise – the skills, experience, informed judgment, industry knowledge and proven track record – and therefore have traditionally been less sensitive to the higher-priced law firms locate...
            (i) However, these same institutions are constantly under pressure to manage legal spending, which has been a factor in the increase in the use of regional law firms.

        (b) Efficiency will be rewarded – those firms that provide great service and are creative in finding ways to provide top service in a more cost-effective way, and with greater predictability, will be rewarded over their competitors. This creatively m...
            (i) Staffing;
                – 42% of lawyers reported using staff lawyers;
                – 48% reported using contract lawyers;
                – 57% reported using part-time lawyers;
                – 40% reported shifting work from lawyers to para-professionals;
                – all of these firms reported significant improvement in firm performance as a result of these staffing approaches.23F

            (ii) Use of technology;
                – 70% of legal departments responding to the Thomson Reuters survey identified using technology to simplify workflow and manual processes as a high priority.
                – 48% of the 2019 Altman Weil survey respondents reported using technology tools to replace human resources and increase efficiency. 15% reported creation of a low-cost service center for back-office functions, with significant performance improvemen...

            (iii) In-sourcing: Asked whether their firms are losing business from other legal service providers, 60.4% reported that they were losing work from law departments of under 250 lawyers, and 70% reported losing work from in-house law departments of 25... The same survey reported little loss of work attributed to client use of technology, use of alternative legal service providers, or outsourcing work to the big four accounting firms (ranging from 6.5-23.6%).

    6. What factors are driving increased use of regional law firms?
        (a) Greater familiarity with regional regulatory staff.
        (b) Lower billing rates.
        (c) Reduced travel expense.
        (d) Improving the regional diversity among trusted advisors.

    7. What challenges are presented by using regional law firms?
        (a) Loss of concentrated knowledge in a smaller number of tier 1 law firms.
        (b) Necessity to teach regional lawyers the client’s business and priorities.
        (c) Increased management burden on in-house counsel who are now overseeing the work of a larger number of law firms.
        (d) Loss of uniformity of approach in response to similar regulatory challenges.