If you didn’t know that the entry point through which hackers stole payment card information from over 40 million Target customers in the fall of 2013 was Target’s HVAC vendor, then you’ve been living in a cave with no internet—and maybe no heat or air conditioning, too.
While concern about cybersecurity has increased since the beginning of the 21st century as people and organizations became hyperconnected via the internet, the Target breach put vendor risk management under the spotlight. Customers didn’t care whether Target or its vendor was at fault; they were just understandably upset that their financial information had been compromised. In the end, Target paid hundreds of millions of dollars to deal with the breach, in addition to suffering a significant blow to its reputation.
Vendors, service providers, consultants, and third parties—for our purposes, let’s cover them with the blanket term “vendors”—are companies and people that organizations trust and compensate to perform a service that the organization is unwilling or unable to do. Companies and governments around the world rely on vendors to perform all sorts of tasks, including cleaning and maintenance; human resources and information technology support; and senior-level advisement. These vendors usually are contractually obligated to follow a service level agreement outlining the tasks that they will perform, fees collected for the services, and what might happen if they are unable to meet agreed-upon expectations.
As companies have long known, supply chain and business interruptions can result when vendors are unable to perform expected services. But recently, as we become more and more interconnected, vendors are also creating information security vulnerabilities for their clients, which can lead not only to business interruptions but also to loss of data and extortion. While organizations should manage their own policies and procedures around enterprise security, they should also take several steps to better understand and manage the risks posed by their vendors.
First, a company should “size up” its vendors. This usually involves requests for proposal (RFPs) as well as more technical questionnaires or assessments to shed light on vendors’ controls and capabilities. At a minimum, the customer must make sure that information security is included in its assessments. Most importantly, the customer must involve the right people to evaluate the RFPs, such as the chief information security officer, IT security director, and risk manager, in addition to the traditional procurement team. Benchmarking, auditing, and checking a vendor’s references should also be part of a comprehensive vetting process.
As part of an assessment, it’s a good idea for the company to ask about its vendors’ vendors—otherwise known as a company’s “fourth party”—and how they manage their risks. If a company’s vendor is relying on another relatively weak vendor to provide its services, then that liability can quickly become the company’s liability. While obtaining information about vendors’ vendors might be time-consuming, the insight into how the vendor runs its own affairs might say a lot about what type of relationship the vendor will have with the company.
Once the company is comfortable with its assessments of a vendor’s risks, it should set up common and clear expectations about how the business arrangement will work. This will certainly involve legal teams on both sides hammering out various contract provisions and details.
The contract must include the right of the company to conduct a regular audit and IT inspection of the vendor to ensure compliance with agreed-upon security policies. Also, the contract provision referencing insurance must require not only general or professional liability coverage—including the vendor listing the company as an additional named insured (vicarious at the very least)—but also current and active cyber liability insurance coverage from a reputable carrier with full limits and a full set of coverages. There should be no twisted definitions or exclusions on extending coverage to affected third parties or responding to a breach of a fourth party. Additionally, the contract should set forth expectations about the responsibilities of each party in the event of a breach, and ensure compliance with any statutory disclosure requirements.
After the parties have signed off on the terms and conditions and engagement has begun, the last and most pressing step is managing the vendor relationship. This includes restricting the level of access the vendor has to the company’s network, determining the kind of data that can be transferred, and making sure that the company continuously monitors the vendor for any shifts in its information security posture. While a vendor may attest to certain controls on a questionnaire, how does a company validate those claims?
It may be difficult to perform this type of validation, but collecting the necessary information allows the company to intervene early and remediate a situation, limit its potential losses, and possibly help with reevaluating vendors at the time of renewal. Cultivating the health of its vendors should improve the company’s overall cybersecurity posture, leading to fewer breaches and potentially lower cyber insurance premiums.
It’s important to find services that enable continuous third-party monitoring. Visibility into a vendor’s security posture as well as knowing about fourth-party risks sets a company up to obtain the information it needs to make well-informed risk management decisions.