Managing Third-Party Vendor Cybersecurity Risks (Part II of III)
Businesses rely on a large number of third-party vendors to support their operations, and many of these vendors require access to a company's data and to its internal information and technology systems. This fact of digital life creates a real risk of unauthorized intrusion.
A large share of cyber-attacks are the direct or indirect result of third-party access. Third-party vendors often have less sophisticated or less robust protections against unauthorized access than the companies they serve. In the Target breach, the attackers gained initial access through the retailer's heating and air conditioning subcontractor. JP Morgan suffered a data breach as a result of an initial attack against an online platform run by an outside website vendor. Best Buy, Sears, Kmart and Delta suffered data breaches because they used the same chat and customer service vendor, which was compromised by malware.
Response to Cyber Incident
When a cyber incident occurs, businesses have to be ready to respond. A company that has not prepared a breach response protocol in advance is likely to veer into costly and ineffective responses that compound the damage.
If the cyber-attack occurs because of a third-party vendor, companies have to consider the following:
- Public relations announcement and strategy
- Internal announcements and mitigation
- Preservation and investigation of digital evidence
- State and federal regulatory and legal requirements
- Notification of regulators and communication steps to protect information before and after the incident
- Credit monitoring and identity protection
- Insurance claims
- Class action filings and defense
- Briefing of third parties
Third-Party Risks
Many companies outsource a variety of functions to third parties, including information technology, payroll, accounting and other financial services. While convenient, such outsourcing raises cyber risks.
Given this fact of corporate life, companies have to manage these risks by ensuring that third-party access to sensitive data is restricted to only what is needed to provide the specific service. Third-party due diligence for cyber risk has to focus on some weighty issues, including the vendor's own:
- Identification and protection of sensitive customer data or other confidential information
- Cyber-security risks and mitigation strategies
- Certification or evaluation of the vendor’s cyber-risk management program (e.g. government certification or industry certification)
- Access to the vendor's third-party risk and security assessments
- Confirmation of use of encryption technology and other steps to minimize unauthorized access to data
- Two-factor authentication and password management
- Cybersecurity training programs
- Cyber incident response plans
- Physical data security
- Past data security incidents
- Cyber insurance
Companies have to risk-rank their vendors based on the nature and quantity of company information to which each vendor has access (e.g. payment card information, protected health information, personally identifiable information).
Responding to a Vendor Data Breach
If a vendor suffers a data breach, companies have to make sure they have appropriate safeguards in place covering initial notification, contractual requirements for coordinating responses, information sharing, and the response itself. If the vendor has access to and responsibility for sensitive personal and/or financial information, coordination and contractual protections are paramount.
Whatever a company's contractual provisions (which should be scaled to the sensitivity of the information involved), at a minimum there should be basic notification and coordination requirements. Where the vendor handles sensitive personal information, a company should have audit rights, on-site inspection rights and even the right to conduct an independent risk and security audit at the vendor's expense.
At the outset, a company needs to know whether its data has been compromised, whether there has been any disruption to its services, the nature and extent of the incident, the status of any remediation, any preliminary findings of the assessment or investigation, and any information relevant to the company's operations and reputational concerns. Where relevant, a vendor may seek to inspect the company's operations to assist in its own investigation and assessment.