Posted by Justin Cohen, Craig Carpenter, and Vlad Markovic - IS Security Manager
When we think about cybersecurity, we often focus on our own people and systems. However, our vendors play a critical part in cybersecurity given how often we share data and integrate our IT systems with theirs. The 2018 Ponemon statistics estimated that over 50% of organizations have experienced a data breach due to a vendor’s security shortcomings. Here are some recent examples of breaches caused by third parties:
- Hanna Andersson (over 10,000 California customers affected due to alleged malware in Salesforce Commerce Cloud’s e-commerce platform) (2019)
- Quest Diagnostics (11.9M records via American Medical Collection Agency) (2019)
- US Customs and Border Protection (lost 100,000 records via a subcontractor network) (2019)
- FBI (lost 3 terabytes of confidential information, including FBI investigation records, millions of department files, personal data, system credentials, and even internal communication records) (2019)
So what should we do first?
Ensure you have a risk assessment and mitigation plan in place for managing vendors. Some may categorize vendors by risk and develop specific policies, procedures, and technical measures to reduce cyber risks for categories of vendors.
Then what?
Ensure proper vetting to understand the risk posed by new and existing vendors. Such vetting can be done in-house through cybersecurity and data privacy questionnaires, or via legal counsel and/or other third parties that assess the cyber risks posed by vendors. While initial vetting is critical, routine vendor audits are recommended to ensure that each vendor continues to comply with your company’s policies, processes, procedures, and technical measures deployed to safeguard your data.
What about their contracts?
Like anything else, if it’s important, put it in writing. Ensure that each vendor contract specifically addresses and allocates the costs and risks associated with that engagement. Common contractual provisions include representations and warranties to abide by your company’s cyber and data privacy policies and procedures. Depending on the circumstances, a warranty regarding compliance with industry standards (e.g. SOC 2 or PCI DSS), together with data security audit rights and certifications, may be appropriate. You should also consider including prompt notice provisions for when a breach involving your company’s data is suspected. You may also want to allocate the costs of a data breach investigation and remediation in the agreement to avoid unknowns if an incident occurs, including which party is responsible for the fees and costs associated with incident investigation and remediation. If the engagement poses a significant data privacy risk (e.g., your company’s most sensitive data is involved), consider requiring that the vendor maintain a certain level of cyber insurance that covers your costs should a breach investigation take place. Finally, specifying the procedures for handling a suspected data privacy or cyber breach in your vendor contracts can save valuable time when an incident occurs.