Outside Counsel Guidelines / client security-audit failure
A major client sent a security addendum the firm can't meet. The engagement is now at risk.
A corporate client's security addendum, questionnaire, or SOC 2 demand that the firm can't meet puts the engagement at risk. This page lays out the remediation path that converts a 'we'll have to find other counsel' letter into a passing response.
The first hour
What to do, in order.
- 01
Read the addendum end-to-end before answering anything. Mark each item as one of: met, met (evidence needed), not met, or not applicable.
- 02
Identify the client's escalation path and request a 30-day window to respond with evidence rather than a yes/no.
- 03
Pull the firm's WISP, MFA posture, backup posture, training records, and incident-response plan — the evidence pack the addendum will ask for.
- 04
Treat the addendum as a recurring obligation, not a one-off — the next client will ask the same things.
Key decisions
The questions you'll be asked.
- Do we need SOC 2?
  - Usually no for small firms — most addenda accept a CIS Controls v8.1-aligned WISP, evidence pack, and signed security questionnaire. SOC 2 is appropriate when multiple large clients require it.
Regulatory & ethical hooks
What the rules say.
- Client Outside Counsel Guidelines (contractual)
- CIS Controls v8.1 — baseline reference
- NIST Cybersecurity Framework 2.0
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.