[BreachExchange] 6 ways to add cybersecurity protections to outsourcing deals

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 11 14:05:01 EST 2016


http://www.cio.com/article/3140884/outsourcing/6-ways-to-add-cybersecurity-protections-to-outsourcing-deals.html

As cybersecurity has become one of the most important strategic imperatives
for the enterprise, concerns about how third-party IT services providers
are protecting corporate data have grown. As a result, negotiation of
cybersecurity and data privacy issues has become one of the most
challenging areas in IT outsourcing contract negotiations, says Rebecca
Eisner, partner in the Chicago office of law firm Mayer Brown.

“Suppliers are understandably concerned about not paying damages that are
disproportionate to the revenue received, and therefore seek to limit or
disclaim their liability,” says Eisner. “Customers are equally concerned,
particularly where suppliers do not have the same incentives to protect
customer data as the customer, and because the negative impacts of a
security incident are generally far more significant to the customer than
to the supplier.” What’s more, the cybersecurity regulatory environment is
rapidly evolving, making it difficult for both sides to assess the risks.

The increasingly complex and geographically dispersed IT environment also
complicates matters. When company data lived within one or more central
data centers, it was much easier for companies or their suppliers to secure
the perimeter with, for example, firewalls, physical security and
controlled logical access. Today, data is scattered among data centers,
clouds, and mobile devices, for a start. “The points of access and
potential points of security failure multiply with this ever expanding
ecosystem,” says Eisner. “In addition, many of these systems are provided
or managed by third party suppliers.”

For those reasons, CIOs must take a risk management approach to selecting,
contracting with, and monitoring their company’s IT service providers.
There are six steps IT leaders can take to strengthen data privacy and
cybersecurity protections in their IT supplier relationships, according to
Eisner:

1. Understand which suppliers either process or have access to the
company’s most sensitive personal or regulated data, and to data that
represents the “crown jewels” of the company.

2. Collaborate with the company’s security, vendor management, and legal
teams to determine which supplier relationships create the highest risks
for the company in order to focus the appropriate level of attention and
resources on that group of outsourcing providers.

3. Review existing IT service provider agreements through the lens
of your company’s up-to-date and well-defined cybersecurity and data privacy
requirements. Amend those contracts to close any gaps.

4. Make sure that IT’s vendor management, compliance, or security team is
monitoring high-risk suppliers, including updating vendor security
assessment questionnaires on an annual or bi-annual basis; reviewing audit
reports, certifications, and penetration tests; and, where appropriate,
conducting site visits and annual security reviews.

5. Review the company’s standard security and privacy contract terms
regularly with legal counsel to ensure that those baseline requirements are
kept up to date. “This is particularly necessary due to rapidly evolving
privacy regulation in the U.S. and around the world,” says Eisner. For
example, the new European General Data Protection Regulation, set to take
effect in 2018, will require operational, policy, and contractual changes
regarding the processing and transfer of EU personal data.

6. Take the time to educate the company’s board of directors, officers and
employees about security and privacy risks, including those risks
associated with third-party relationships, and help them to understand the
steps they can take to mitigate them.