Vendor Security Requirements
Cooley requires all of its vendors that have access to Cooley data or systems to go through a data security assessment managed by our information security team. Depending on the type of data involved and the services that a vendor is contracted to supply, vendors that do not pass the security assessment to Cooley’s satisfaction may not be onboarded to provide services. These vendor security requirements provide a general overview of the security obligations with which Cooley vendors must comply. The requirements are subject to change and are not a substitute for a vendor passing the security assessment.
1. Compliance with privacy laws
Cooley and its vendors must comply with all applicable data privacy and protection laws. Cooley has offices in the US, UK, European Union, China, Hong Kong and Singapore. Vendors should anticipate complying with the California Consumer Privacy Act, the UK Data Protection Act 2018, the General Data Protection Regulation, China's Personal Information Protection Law, the Personal Data (Privacy) Ordinance of Hong Kong and Singapore's Personal Data Protection Act.
Vendors will only process or transfer personal data for the purpose of providing services to Cooley or its clients. If the vendor is a data processor or service provider, as defined in applicable data privacy and protection laws, then Cooley may require the vendor to enter into a data processing agreement. Vendors will at all times comply with a client’s written instructions regarding the processing of personal data.
2. Data security program
Where applicable to the type of data held and the vendor’s network and system architecture, the vendor should establish:
- Logical system architecture: The vendor should maintain Cooley data in hardened data centers covered by a current SOC 1 Type 2 attestation report (SOC reports are auditor attestations rather than certifications), with replication and backup to secondary data centers. For perimeter security, the vendor should have a documented and fully implemented data security program that protects data, servers and endpoints on its network using established security controls, including next-generation firewalls, web-filtering gateways, email gateways, honeypots and targeted attack protection that blocks access to suspicious and malicious sites, protocols, emails and attachments. Targeted attack protection for email should detect and contain zero-day attacks through URL rewriting, attachment sandboxing and recall of already-delivered messages.
- Data controls: Where applicable to the data held, the vendor should ensure that Cooley data is classified, protected according to its classification, encrypted at rest and in transit, and logically separated from other tenants' data. Access should be granted to authorized users only; access to the data should be logged and monitored, file integrity monitoring should detect unauthorized changes to it, and data loss prevention controls should govern the movement of data inside and outside of the vendor's systems and networks.
- Access controls: Access and processing capabilities should be limited to authorized users on authorized devices. Every authorized user should be assigned a unique user ID and a complex password, required for login, with an expiry period approved through the Cooley security assessment. Remote access should require two-factor authentication using one-time codes that regenerate at fixed intervals (for example, time-based one-time password tokens).
- Endpoint security: The vendor should ensure all workstations and mobile devices are encrypted and require a password, PIN or biometric to unlock. Only software authorized for business purposes should be installable on vendor workstations, with software deployment and inventory controlled through a secure configuration management tool. All mobile devices should be enrolled in the vendor's mobile device management system.
- Incident response: The vendor should establish a security incident response plan that ensures all security events are evaluated and escalated when appropriate. The vendor should utilize a security information and event management system to maintain and analyze all security logs. Logs should be reviewed regularly by dedicated security personnel for suspicious activity and unusual behavior.
- Cyber insurance: The vendor should carry cyber insurance appropriate to the type of data it processes, and as applicable to the architecture and security of its systems.
- Business continuity and disaster recovery plan: The vendor should maintain a documented business continuity and disaster recovery plan that is regularly tested. The vendor should protect Cooley data by employing high-availability systems, backup services, data replication and redundant, co-located data centers.
3. Human resources requirements
Background checks
Subject to applicable law, the vendor will not permit any of its personnel to perform services for Cooley if such person has been convicted of, pled guilty or no contest to, or participated in a pretrial diversion program for felony or multiple misdemeanor offenses involving crimes of dishonesty or breach of trust, including but not limited to fraud, theft, money laundering, embezzlement, the sale, distribution or trafficking of drugs or controlled substances, or criminal conspiracy. Any personnel who do not meet these requirements will not be assigned to, or will not continue in, an assignment providing services to Cooley, and the vendor will promptly replace such personnel at no additional charge to Cooley. Replaced personnel will have no access to any information or data relating to Cooley. The vendor will conduct background checks to enforce these provisions or will permit Cooley to conduct them.
Employee confidentiality
The vendor will ensure that its employees sign confidentiality agreements with the vendor.
Employee training
The vendor will conduct security awareness training for all employees and contractors, with annual refresher training, covering topics including but not limited to:
- Secure logon procedures.
- Best password practices.
- Identifying malicious and phishing emails.
- Reporting a security incident.
- Data-handling procedures.
4. Policies and procedures
The vendor shall establish documented policies and procedures governing the acceptable use of its systems and networks, as well as documented security policies.
Acceptable use policies should cover:
- System access.
- Passwords.
- Mobile device/bring your own device (BYOD).
- Remote access.
- Electronic communication.
- Internet usage.
- Data and information.
- Media handling.
Security policies should cover:
- Asset and risk management.
- Human resource security.
- Awareness and education.
- Physical and environmental security.
- Operational security.
- Privileged account management.
- Vendor and supplier management and onboarding.
- Security incident response.
5. Risk management program
The vendor will maintain a risk management program aligned to ISO/IEC 27005 or NIST SP 800-37. At a minimum this should include:
- Annual risk reviews.
- Documentation on risk decisions.
- Senior leadership approval of risk mitigations and acceptance.
6. Encryption
The vendor must encrypt Cooley data while in transit on any network or stored on any device. Use of encryption products must comply with local restrictions and regulations on the use of encryption in the relevant jurisdiction.
7. Logical access control
The vendor will ensure authentication and authorization controls are appropriately robust for the risk of the data, application and platform. The vendor will review access rights regularly so that each user holds only the minimum access required for current business needs (least privilege), and will remove access that is no longer required. Access and security events should be logged, and tooling that enables rapid analysis of user activity should be deployed.
8. Password policy
The vendor will maintain and enforce a complex password policy for systems maintaining and/or accessing Cooley data that includes:
- Forced or initial password change.
- Minimum password length.
- Password complexity.
- Password history.
- A prohibition against shared passwords.
- Procedures for locking or deactivating accounts after defined thresholds (for example, consecutive failed login attempts or a period of inactivity) and for removing users who no longer need access.
- A multifactor authentication requirement for remote access.
9. Cloud file sharing
The vendor will not store or transfer Cooley data through the use of commercial cloud file-sharing services.
10. Security controls
The vendor will maintain minimum security controls applicable to:
- Endpoint security software (e.g., anti-malware) on all workstations and servers.
- Anti-spam filters.
- Perimeter firewalls.
- Logical access controls.
- Logging of access to all client data.
- Intrusion prevention and/or detection systems.
- Security information and event management (SIEM).
11. Vulnerability scanning and patching
The vendor will:
- Conduct monthly internal and external vulnerability scans.
- Conduct annual external penetration tests.
- Correct critical findings from vulnerability scans and penetration tests within 30 days.
- Apply critical patches within 30 days.
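As an added example (not part of Cooley's requirements and not Cooley's own tooling), the following Python script checks a vendor's remediation and scan records against the cadences above: monthly scans, an annual penetration test, and critical findings and critical patches closed within 30 days. The record format, the 31-day tolerance for "monthly", and all sample dates are assumptions of the example; a still-open critical item is counted against the 30-day window from the day it was found, so a lapsed SLA is reported before the item is ever closed.

```python
"""Check vendor vulnerability-management records against section 11 cadences.

Added example with constructed data; the record fields and tolerances are
assumptions of this example, not a format Cooley prescribes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_SLA = timedelta(days=30)      # critical findings and critical patches: 30 days
SCAN_INTERVAL = timedelta(days=31)     # "monthly": tolerate at most a 31-day gap (assumption)
PENTEST_INTERVAL = timedelta(days=365) # "annual" external penetration test


@dataclass
class Finding:
    """One scan/pentest finding or pending patch; `fixed` is None while still open."""
    id: str
    severity: str
    found: date
    fixed: Optional[date] = None

    def days_open(self, today: date) -> int:
        # Open items are measured against today, so an unresolved critical
        # item breaches the SLA on day 31 even though it has no fix date yet.
        end = self.fixed if self.fixed is not None else today
        return (end - self.found).days


def overdue_critical(findings, today):
    """IDs of critical items closed more than 30 days after discovery or still
    open past that window. Non-critical severities are outside this check."""
    return [f.id for f in findings
            if f.severity.lower() == "critical" and f.days_open(today) > CRITICAL_SLA.days]


def scan_cadence_gaps(scan_dates, today):
    """(start, end) date pairs where consecutive scans were more than a month
    apart. The interval from the last scan to today counts too, so a cadence
    that simply stopped is caught rather than ignored."""
    dates = sorted(scan_dates) + [today]
    return [(a, b) for a, b in zip(dates, dates[1:]) if b - a > SCAN_INTERVAL]


def pentest_overdue(last_pentest, today):
    return today - last_pentest > PENTEST_INTERVAL


def section_11_report(findings, scan_dates, last_pentest, today):
    """Summarise all three checks; dates are rendered as ISO strings."""
    overdue = overdue_critical(findings, today)
    gaps = [(a.isoformat(), b.isoformat()) for a, b in scan_cadence_gaps(scan_dates, today)]
    pt_overdue = pentest_overdue(last_pentest, today)
    return {
        "overdue_critical": overdue,
        "scan_gaps": gaps,
        "pentest_overdue": pt_overdue,
        "compliant": not overdue and not gaps and not pt_overdue,
    }


# Constructed sample records (not real vendor data).
TODAY = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("F-101", "critical", date(2024, 5, 1), date(2024, 5, 20)),   # 19 days: within SLA
    Finding("F-102", "critical", date(2024, 4, 15), date(2024, 5, 20)),  # 35 days: late
    Finding("F-103", "critical", date(2024, 5, 25)),                     # open 36 days: late
    Finding("F-104", "high", date(2024, 3, 1)),                          # not critical: ignored
    Finding("PATCH-7", "critical", date(2024, 6, 10)),                   # open 20 days: still in SLA
]
SAMPLE_SCANS = [date(2024, 1, 15), date(2024, 2, 14), date(2024, 3, 14),
                date(2024, 5, 2), date(2024, 6, 1)]                      # April scan missing
LAST_PENTEST = date(2023, 5, 1)                                          # more than a year ago

if __name__ == "__main__":
    for key, value in section_11_report(SAMPLE_FINDINGS, SAMPLE_SCANS, LAST_PENTEST, TODAY).items():
        print(f"{key}: {value}")
```

Run on real records, the `overdue_critical` list is the evidence to raise at the assessment; an empty list with a non-empty `scan_gaps` still means the vendor is out of cadence even if nothing is currently late.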
12. Data breach notification
The vendor should establish a data breach notification process for use when it learns, or has reason to believe, that any person or entity has breached or attempted to breach its security measures or gained unauthorized access to Cooley data. The vendor will notify Cooley's information security team without undue delay and within the time frame contracted between Cooley and the vendor or documented in the Cooley security assessment. The vendor will investigate, remediate and mitigate the effects of any data security breach in cooperation with Cooley's information security team, to the point that Cooley is reasonably satisfied the breach will not recur. If an information security breach or other unauthorized access, acquisition or disclosure of personal information occurs as a result of the vendor's act or omission, the vendor should, in cooperation with Cooley and at the vendor's own cost and expense, take reasonable measures to notify affected individuals and provide other remedial measures warranted by the situation, such as credit monitoring services, fraud insurance and processes to respond to inquiries from affected individuals.
13. Audits
Upon Cooley's request with reasonable notice, the vendor will permit technical and operational audits of the vendor and its affiliates related to the subject matter of the services provided or any engagement. Auditors may conduct on-site security reviews and vulnerability testing of the vendor's systems containing Cooley data, and otherwise audit the vendor's operations for compliance with these information security requirements. If vulnerabilities are identified, the vendor will promptly document and implement a mutually agreed-upon remediation plan and, upon Cooley's request, report the status of its implementation.
If the vendor has a certified independent public accounting firm or other independent third party conduct any of the following attestations, reviews or tests, the vendor will provide all findings to Cooley upon receipt from the third party:
- SOC 2 report (issued under SSAE 18, which superseded SSAE 16).
- ISO/IEC 27001 certification (the standard in the ISO 27000 series against which organizations are certified).
- Independent network and application penetration test.