[BreachExchange] What’s Good for the Goose: Protecting against Vendor Cybersecurity Risk

Destry Winant destry at riskbasedsecurity.com
Fri Jan 11 10:08:56 EST 2019


https://www.jdsupra.com/legalnews/what-s-good-for-the-goose-protecting-17723/

Even when you’ve done your utmost to secure your organization’s
cybersecurity—you’ve followed the advice of all the experts, you’ve
checked all the boxes—you still may have an Achilles’ heel. Your
cybersecurity is only as strong as its weakest point, which is often a
vendor or supplier. In this context, a vendor could be anything from a
cloud service provider, data processor, or IT engineer to an HR
consultant, accounting firm, or health care benefits manager, while a
supplier could be a key provider of manufacturing components or raw
materials.

But how to begin to address this vulnerability? The answer is by
imposing the same kind of discipline on your vendors that you apply to
your own cybersecurity practices—that is, by incorporating similar
requirements in your vendor contracts. Protect yourself by taking at
least these important steps:

Inventory your vendors. You may be surprised how difficult this one
step can be and how many companies don’t already have control of this
information. While you’re at it, consider imposing better controls on
the vetting of new vendors and your individual employees’ authority to
hire them.

Understand the vendor’s risks (and how these relate to your own risk
profile). Make sure you understand the impact that a cyber event—be it
unauthorized access to or disclosure of personal or business
confidential information, introduction of malware, phishing ploy,
ransomware attack, or something else—could have on the ability of the
vendor to perform its obligations to your company and on your
company’s ability to continue normal business operations. Key business
functions are frequently outsourced; if you have identified a
particular function as a source of cyber risk for your own business,
it likely represents an even greater risk if performed by a third
party.

Assess the vendor’s cybersecurity safeguards. Ensure visibility into
your vendors’ cybersecurity architecture and practices by contract.
One solution is to require each vendor to provide a “cyber
certification,” disclosing key metrics related to the risk factors
identified above and discussing the vendor’s cybersecurity systems and
methodologies. If your company purchases cyber insurance, the
application you completed for your insurer may serve as a guide for
this certification. You may also require the vendor to re-certify on a
regular basis.

Ensure vendor best practices. Contractually require that vendors and
suppliers adhere to written data protection and information security
procedures—particularly vendors who handle sensitive data on your
behalf. These should include express obligations to comply with
applicable data privacy laws. You should update these regularly and
periodically require the vendor to certify compliance. In addition,
require vendors to notify you of any failure to comply, and
particularly of any information security incident, within a prescribed
period, and to provide raw data and investigation results related to
the failure or incident upon request.

Strengthen vendor indemnities. Call out the following, for example, as
specific bases for breach of contract requiring indemnification by the
vendor: (1) failure to adhere to mandated cybersecurity standards, (2)
unauthorized access to or loss or disclosure of sensitive data, and
(3) interruption of the vendor’s services caused by a cyber event.
Indemnification should, if possible, include any resulting loss that
your company incurs, including costs of notification to regulators or
individuals, regulatory fines, assessments and penalties associated
with credit card processing arrangements, damages in civil suits, and
lost income due to interruption of your business, together with all
associated legal costs. Depending on the vendor’s bargaining power,
caps on indemnities may be unavoidable, but at least make sure that
key risk categories are addressed.

Work with sound, insured vendors. A perfectly crafted indemnification
clause won’t help if the vendor is judgment-proof. Equally, the fact
that the vendor has insurance is no guarantee of full and prompt
compensation for your losses. The vendor’s financial position must be
sufficiently secure that it can stand behind its obligations.
Nevertheless, requiring the vendor or supplier to be appropriately
insured is an important backstop that should also be incorporated into
your contract. But beware of boilerplate clauses. The insurance
requirement should spell out not only the types of insurance policies
and limits to be purchased, but also specific coverages associated
with the risks that are unique to the vendor’s or supplier’s
relationship to your business and its success. And you should, of
course, expressly mandate that your company be named as an additional
insured on the vendor’s insurance policies.

What’s good for the goose is good for the gander: Insist that your
vendors measure up to your own high standards for cybersecurity. Your
in-house and outside counsel are the best source for language tailored
to protect you in light of the risks presented by both sides of the
contractual relationship.

