Although organisations know they should take their own cyber security seriously, they often overlook the cyber security of their third parties
As organisations have become increasingly aware of the significant legal and business risks posed by cyber security breaches, they have begun to devote substantial resources to identifying and eliminating internal vulnerabilities and to mitigating their exposure resulting from potential cyber security incidents. Organisations have found that they must address cyber security risk management from multiple angles, including investing in robust IT security systems, conducting employee training, considering the purchase of cyber security-related insurance policies, developing a data breach response plan and so forth.
An important, but sometimes overlooked, element of that process is third-party risk management. At a speech in February, Benjamin Lawsky—the superintendent of the New York State Department of Financial Services, which regulates many global financial institutions—observed that “a company’s cyber security is only as strong as the cyber security of its third-party vendors”. This article discusses some of the issues organisations should consider in seeking to mitigate their cyber security risk in connection with third-party service providers.
Take stock of existing vendor relationships
A first step is to ensure that your organisation has a complete understanding of who has access to what data. Does your organisation store information in the cloud? Does your organisation use a vendor to host its website? These days most, if not all, organisations provide some kind of data or systems access to at least some third-party vendors, whether the vendor be a law firm, a business consultant, a data storage provider, a printing services provider, a payment processor or even the manager of an office building’s HVAC systems.
Limit access and segregate data
Although it may be necessary to share some data or systems with outside vendors, such access should be granted only on a need-to-know basis. The well-publicised and very costly credit card data breach recently experienced by Target Inc started with the theft of credentials granted to Target’s HVAC vendor, Fazio Mechanical Services. The attackers infected the vendor with general-purpose malware through an email phishing campaign. While many lessons can be gleaned from Target’s misfortune, one of the most obvious is that the compromise of an HVAC vendor’s credentials should never have led to the compromise of payment system data.
Review existing contracts
A well-designed contract will serve as a crucial foundation for a relationship with third-party vendors. If it has not already done so, your organisation should review existing vendor contracts with an eye towards mitigating cyber security risk. A number of contractual protections might help to manage such risk:
- consider extending your own security standards to vendors. Contracts can include provisions requiring vendors to comply with specified security procedures
- consider requiring the vendor to make representations or warranties regarding its cyber security practices or authorising your organisation to conduct audits regarding the vendor’s ability to meet and sustain your security expectations
- require that the vendor provide timely notification of any security incidents that it experiences. Such a provision might also define your organisation’s rights to control any responses or disclosures to third parties in the event of an incident
- control and limit downstream transfers of your data
- require the vendor to destroy copies of your data in the manner you specify on termination of the relationship
- consider how to allocate liability through indemnification provisions or limitations on liability based on the nature of the relationship and the sensitivity of the data involved
- consider requiring the vendor to maintain cyber security-related insurance coverage. Relatedly, organisations should consider whether and to what extent data breaches stemming from third-party vendors fall within their own insurance coverage.
Develop a vendor management plan
After reviewing existing contracts, an organisation should consider whether such contracts can and should be renegotiated. Additionally, the organisation should develop guidelines for future contracts. These guidelines may include standard provisions such as those described above and may also aim to structure the analysis of when the benefits of outsourcing outweigh the associated risks.
The fact that Target’s breach originated from a third-party vendor did not prevent Target from incurring enormous losses in the form of, among other things, litigation expenses and lost customer confidence. For that reason, the primary goal is to prevent an incident. If, however, an incident does occur, the robustness of an organisation’s procedures and practices with regard to third-party vendors could help to limit its liability in subsequent litigation, which could include a shareholder suit against directors and officers or a customer or employee data privacy suit, as well as in regulatory scrutiny. Indeed, regulators have begun to place increasing scrutiny on third-party relationships in the context of cyber security. For example, the New York Department of Financial Services will now examine banks within its purview on, among other things, their protocols concerning the cyber security of third-party vendors. Organisations should expect scrutiny of this issue to continue to increase.
Scott S. Balber is a partner and US head of investigations and financial services litigation and John J. O’Donnell is a partner in the New York office of Herbert Smith Freehills LLP. (The authors thank David Leimbach, an associate at the firm, for his assistance in preparing this article.)