In an environment where the term “data breach” has entered mainstream media and companies are being sued for failing to exercise proper oversight of cybersecurity risks, all businesses, no matter the size, should strive to safeguard their sensitive data. Aside from the legal risk, it just makes good business sense. One important facet of a cybersecurity risk management program is mitigating the risk created by your vendors, both those that store sensitive data and those with access to your computer systems.
Vendors are consistently cited as primary causes of data breaches, and third-party involvement is the highest per capita contributor to the cost of a data breach. Both the Target and Home Depot data breaches were vendor breaches, and a third-party service provider served as the initial access point to these organizations’ customer data. These high-profile breaches, along with the heightened scrutiny of cyber risk management by regulators, emphasize the importance of including vendor management in your cyber risk management program. The problem is no longer one that can be left to the capable hands of the IT group. It has become an enterprise risk management and corporate governance issue, prompting legal counsel, compliance officers and executive management to join the risk mitigation efforts with respect to third-party service providers.
An effective risk management strategy involves oversight of the vendor throughout the life cycle of the relationship, from due diligence through termination. Though the particular regulatory requirements facing your company should always be of chief consideration, there are certain industry best practices that can help advance the ball. This article offers a framework that can apply equally to the selection of new vendors or your assessment of existing vendors.
Phase 1: Due Diligence
Due diligence in selecting or reviewing vendors should be commensurate with both your organization’s risk appetite and the nature of your relationship to the vendor. Consider a tiered approach to vendor management and categorize each vendor by its data security risk to your business, considering the level and frequency of access to your systems and the volume and type of data you transmit to them. You can then tailor your oversight of the vendor based on the vendor’s risk profile. Examples of due diligence action items include: assessing the financial soundness of the vendor; evaluating the vendor’s information security and incident response programs; and asking for the results of the vendor’s most recent independent security assessment.
Phase 2: Contract Negotiation
Risk-shifting in vendor agreements is common, especially in the technology field. However, given the increased pressure from regulators for businesses to perform intentional oversight of vendors, the traditional template vendor contract will likely change shape, giving businesses more opportunity to negotiate provisions that mitigate their cybersecurity risk. Vendor relationships are often the product of multiyear contracts, which must typically come up for renewal before new language and requirements can be negotiated, but consider asking for contractual amendments or addenda in the meantime. Contractual provisions that mitigate cyber risk include: requiring the vendor to name your organization as an additional insured on its cyber risk policy; an indemnification provision that covers internal investigation costs following a data breach; and an exclusion from any limitation of liability if the vendor suffers a data breach.
Phase 3: Monitoring
As with the other phases of vendor management, the nature of any ongoing monitoring should align with the risk profile of the vendor. More extensive monitoring may be necessary for those vendors who pose the greatest risk to your organization. If resources allow, it would be beneficial to have dedicated personnel at your organization responsible for monitoring and evaluating the vendor’s data security practices. You could also engage an independent consultant to perform this task. Ongoing monitoring of the vendor could include: ensuring that the vendor conducts regular security training for its employees; restricting and monitoring the vendor’s access to your systems; and ensuring that any issues that arise during regular security audits are properly addressed.
The threat vendors pose to businesses is tangible. Fortunately, so are the steps a business can take to mitigate that threat. The key to vendor management, and indeed to any cybersecurity preparedness program, is deterrence. There is no guarantee that “doing everything right” will absolutely prevent a data breach, but implementing a comprehensive vendor management program is a formidable way to minimize cybersecurity risk to your organization.