[BreachExchange] Cybersecurity Vendor Management Has Role in Risk Reduction

[Destry Winant]

http://www.dailyreportonline.com/id=1202792483504/Cybersecurity-Vendor-Management-Has-Role-in-Risk-Reduction?slreturn=20170612010102

Preplanning is the key to managing or avoiding a cyber incident. There
are many ways to clean up your house internally and many ways to
assess and plan for possible exposure. Preplanning is not just about
your own internal practices, however: it's also about ensuring that
your suppliers are managing their practices to your standards.
Establishing your own "best practices" and policies is important to
risk assessment and mitigation and to a defense based on the use of
reasonable measures of protection. That effort may lose some
effectiveness, however, if you fail to hold others to your standards
when they are performing work for you. What follows are some basics to
consider when evaluating your vendors and their commitments to your
cybersecurity, as well as some specific measures to employ with those
suppliers whose work might present a risk to your company data.

What Vendors Present a Risk?

The presence of any third party in your business creates potential
risk. Their employees and contractors are not subject to your policies
directly; they may work with minimal supervision; and they may have to
have access to otherwise-restricted equipment, areas or system.
Containing any exposure starts with assessing the risks.

As a baseline, it is important to consider what kinds of third-party
work may have direct implications for your network and data security.
Obvious choices for any business include IT workers, software
licensors, providers of cloud-based services (such as HR or other
portals) and consultants whose role includes business continuity or
disaster recovery. Such service providers will have direct access to,
or the opportunity for direct access to, your sensitive internal data.
Depending on your industry, you might also have other types of service
providers whose work implicates your proprietary data. Examples
include payment card processors for retail businesses, e-mail
marketing list managers, fleet or sales force management providers who
track various elements of your workflow and workers, and more. Any
provider with direct access to your confidential data should be
considered.

Third parties whose work may not be directly related to your data, but
who have access to your systems, should also be on your list for
evaluation and discussion: remember that the 2013 breach of Target's
network of consumer card data came through a security hole in its HVAC
system. Examples might include providers of networked equipment or
storage services for equipment, contractors who perform build-out
services that will include space for servers or other equipment, and
of course service providers who have access to your network via HVAC
and other controls.

Best Practices with Vendors

Once you have a handle on the types of vendors in your ecosystem and
what kinds of access they have to equipment, space and data, you can
begin to vet their security savvy. This due diligence should not be
taken lightly. Asking about their security practices can tell you much
about how likely they are to work on your behalf if the unthinkable
happens and you (or they) suffer a security incident that compromises
your data. All of the following questions are fair game and would give
you a good start on assessing a supplier: what technologies they use,
how secure those technologies are, whether their services include
nontechnological security processes, whether their other customers
have suffered any data incidents, what the process would be if you or
they discovered a breach of your system, and how they propose to
handle credentials and access matters. Your IT or risk management team
undoubtedly has a specific list, or your legal counsel, cyber insurer
or another outside expert can also help vet key vendors.

In addition to asking questions about the vendor's work and
experience, you can develop internal standards or guidelines that form
the minimum set of security requirements in any vendor agreement.
Having a standard set of "asks" helps you manage risk by creating a
uniform operating standard below which you know various third parties
will not fall. This approach, in combination with a well-drafted set
of service promises, can shore up your exposure from any one vendor.
Using the same baseline risk allocation terms across several service
providers improves your protection.

Standard Contractual Terms

When considering how to standardize your company's vendor "asks," the
main risk allocation terms to consider are the confidentiality
obligations of the parties, the representations and warranties, the
indemnification provisions and the limitations of liability.

The more often sensitive data are involved in any services agreement,
the more likely it is that they will constitute a separately-defined
category of "confidential information." This makes them subject to
heightened performance standards, and can make a data breach a
standalone cause of action. It may also help tie data breaches to a
full indemnification promise that is not subject to the contract's
limits on liability. It is a good idea to define your sensitive data
as a specific component of your confidential information for all those
reasons.

"Reps and warranties" are contained in nearly every contract. In IT
and service agreements, it is common to have a warranty relating to
the quality of the work to be performed, the qualifications of the
people who will perform it and perhaps the results. In the security
setting, these warranties might include any or all of the following,
as a starting point:

• Meeting an agreed standard or using agreed technologies to secure
your property.

• Taking some defined measure of care designed to prevent certain
activities with your data: loss, theft, use of, access to or
distribution of your information, for example, all might be
considered.

• Employing standard patch, virus, firewall and other protections
within one release of current.

• Notifying you of data security issues, investigating those issues at
their cost, working promptly to remedy any issue and taking measures
to prevent the recurrence of the issue.

• Ensuring that the vendor's employees and others will be subject to
restrictions regarding confidential information (as defined) no less
stringent than those applicable to your agreement as a whole.

• Ensuring that the vendor's employees and others will be qualified as
per any industry guidelines for the services they perform.

• Carrying cyber liability insurance of a kind and amount acceptable to you.

• In the case of security providers, that services performed or goods
provided will provide the agreed-upon security results.

Once the reps and warranties are defined, the indemnification
obligations from your vendor will, ideally, track those obligations.
At its simplest, an indemnification against any "breach of the
agreement" or "breach of Supplier's representations or warranties" is
a common way to tie them together. There might also be a direct
indemnification obligation relating to the costs of any data breach
involving your confidential information. Note that these can be very
tricky to draft for full coverage, and there are many ways for a savvy
vendor to limit them.

Finally, for the indemnification clauses to maintain their full
impact, any limitation of liability clause should contain an express
exception for the vendor's indemnification promises. This has the
effect of allowing you to recover more than any contractually agreed
limit, if drafted correctly. In addition, you might consider certain
specific exceptions that relate to different obligations under the
agreement. For example, the commonly accepted exception for "breach of
obligations relating to confidential information" will cover your data
security requirements if you have defined "confidential information"
in such a way as to include your protected data. Likewise, your reps
and warranties and their associated indemnification promises can be
crafted into explicit exceptions to any contractually agreed liability
cap.

As with most corporate undertakings, planning ahead and
standardization are two tools that can yield real benefits in the
vendor management setting as it relates to cybersecurity. Assessing
what kinds of standard questions to ask your suppliers and what kinds
of standard protections you need from them usually is time well spent.
In cybersecurity, as in so many things, that ounce of prevention is
worth far more weight in cure. Knowing your standard demands—and
fallback positions, since very few vendors will simply acquiesce to
all your "asks"—is a good start to the effort of vendor management for
cybersecurity planning reasons.