Scan the news, and you’re likely to read about a new cyberbreach. With the rising threat of cyberattacks, it’s no longer a question of who will be attacked, but when an attack will occur. Organizations that work with third party vendors are increasingly vulnerable to cyberattacks. This fall, T-Mobile became the latest such victim. Personal information was stolen from approximately 15 million T-Mobile customers in a cyberattack on one of its vendors, the credit processor Experian.
Hackers gained access to Experian servers in early September, stealing names, addresses, Social Security numbers, birth dates, and identification numbers (for example, driver’s license, military ID, or passport numbers) of T-Mobile customers who required a credit check. Experian reported that no payment card or banking information was breached.
T-Mobile’s CEO John Legere offered an immediate response: “I am incredibly angry about this data breach, and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected.”
The breach has already cost Experian about $20 million in first party losses, which includes notifying customers and government agencies and offering two years of credit monitoring and identity theft recovery services to affected individuals. There is also a growing third party class-action lawsuit. What’s more, Ohio Senator Sherrod Brown, the leading Democrat on the Senate Banking Committee, has asked Experian to disclose more details as well as what the company is doing to prevent another cyberattack.
Third Party Vendor Risks
The T-Mobile cyberattack reveals the vulnerability an organization faces when a partner or vendor has access to its customer data. Moreover, the problem could get worse before it gets better. A recent PricewaterhouseCoopers survey found that while 71 percent of companies said they were confident in their own security activities, only 32 percent required third party vendors to comply with their policies. That’s a serious gap in exposure coverage.
Many companies now have cyberliability insurance. For those without it, now’s the time to buy. It’s inexpensive because insurers are still learning how serious the exposures are. But companies know little about how third party vendors and contractors affect their cyberrisks. To protect customer data, organizations should hold third party vendors to the same high standards used in their own processing systems. This is key to effectively managing risk.
When talking with clients who use third party vendors, insurers should address these five topics to make sure the companies have an adequate plan in place:
1. What's the content of your data, and who has access to it? Does your data contain sensitive financial, personal, or medical information about your customers? Does it contain business knowledge that gives a competitive advantage? What would the cost be if this data got into the wrong hands? Who has access to the data—employees, vendors, trading partners?
2. What are your cyberrisk exposures? Think about first party exposures, such as the costs to notify customers of a breach, pay fines to regulators, hire forensic experts to investigate a breach, restore systems and replace stolen data, and absorb any resulting business interruption. Consider third party exposures, such as lawsuits by customers whose data was compromised or by shareholders watching falling stock valuations.
3. What are you doing to manage your cyberrisk exposures? What’s your risk and emergency response plan? Do you require vendor audits? How are you prepared for a data breach? How would customers be notified? Who is your public spokesperson? What kind of background checks and training do you require for employees with access to data? Do you apply those standards to vendor subcontractors?
4. Do you have an enterprise risk management (ERM) plan? Are you managing business risk as well as you manage hazard risk? Have you measured the threat of a cyberattack and its potential to threaten the viability of your business, incorporating your response into your overall ERM approach?
5. What insurance do you carry? What cyber coverage do you anticipate in your traditional property, liability, and business income policies? Do you have a cyberrisk insurance policy? If so, does it address your first party and third party exposures? Does it have a worldwide coverage territory? Will you require your vendors to have a cyberrisk insurance policy?