Mon, May 20, 2019

Growing Demand for Third-Party Cyber Risk Management in FTC’s Proposed Amendments

The Federal Trade Commission (FTC) is updating the requirements for organizations to establish a reasonable cybersecurity program, with revised recommendations involving internal actions of a company – like designating a Chief Information Security Officer (CISO) who will report on cybersecurity, at least annually, to the Board of Directors. This suggestion is neither new nor novel, and closely mirrors regulation released by the New York Department of Financial Services (NYDFS). Some of the biggest changes, however, reflect external actions and partners.

The FTC recognizes that in today’s technology and business environment, many operational systems involve cooperation, coordination and inter-operability of data and access between the systems operated, owned or licensed by multiple organizations. While this is significant, it should not be a surprise. Many of the largest data breaches have involved compromises that began not within the company, but at a business partner, supplier, outsource or other outside organization. By explicitly including provisions addressing “external risks to the security, confidentiality, and integrity of customer information” and “the sufficiency of any safeguards in place to control these risks,” the FTC is shining a spotlight directly on third-party cyber risks.

Managing Growing Third-Party Cyber Risks

The findings from Kroll’s investigation of thousands of cyber incidents mirrors those of the FTC, indicating that many, if not most, of these events were preventable. Our investigators regularly find that incidents at third-parties occurred because the original company didn’t consider, inquire or fully evaluate the risks of partnering with the third party. The fact is that when it comes to third-party cybersecurity, not knowing is no longer acceptable.

Organizations Work With a Range of Third Parties

Some third parties may provide outsourcing of cyber infrastructure (for example, Amazon Web Services or Microsoft Azure). These services typically document their security features and often have independent certifications and reviews available for customer review, but only reviewing their documents is insufficient. It’s vital to determine that you are using their security services appropriately. Just because they offer a security feature doesn’t mean that you’ve chosen to use it.

Most third-party business partners, suppliers or vendors are likely much smaller and less sophisticated, and it should be required to actively determine the security that they employ, the access they will be given and the degree of risk that the connection to that organization represents. For an organization of any size, the number of engaged third parties can quickly scale into the hundreds, or even thousands. This is where a third-party cyber risk management solution, like CyberClarity360, helps in carrying out and interpreting vendor risks, along with factors to consider when evaluating a potential (or actual) partner organization. 

Solutions such as CyberClarity360 accelerate the data gathering and analysis phase, allowing an organization to quickly make risk-informed decisions utilizing industry standard security frameworks such as the NIST Cybersecurity Framework – the same standard controls on which the NYDFS regulations and the FTC’s proposed regulations are based. To optimize these decisions, risk assessments and control compliance must be contextualized within your relationship with a given third party.

Understand the Impact of Third Parties

It is important to understand the impact third-party organizations can have on your company’s cybersecurity. Whether you allow third parties to access your systems, you access theirs or you provide data to a third party, there is risk that must be actively managed. Ignoring this fact doesn’t manage or control the risk, it just sets you up for unpleasant surprises at some point down the road.

Assessing Connectivity Levels

You also need to determine the degree of connectivity between your systems and the third party. This is largely driven by the functions that need to be performed by the third party and the architecture of your systems. Once this is understood, you should ask three questions: 

  • Are we providing access to only those systems and functions that are necessary? 
  • How are we limiting the access?
  • Do we know that the restrictions are working?

We repeatedly see that providing more trust, access or privilege than is required to a third party can lead to serious issues.

Monitoring Access Permissions

When a third party is permitted to access your systems, it is important to determine the security of access codes or other authentication methods that are used to carry out the access. Have you considered using the IP address to limit access so that even with the access codes, access will only be granted if the IP address of the person/system requesting access is one that has been provided by the third party? Alternatively, is remote access controlled with dual-factor authentication? For example, when a correct user ID and password are provided, the system might send an authentication message to the authorized user’s mobile phone and require a response.

Data Categorization and Handling

When you provide organizations access to your data, once they have it, you are essentially responsible for their data security failures. If you don’t know how effective their security is, you’re assuming their risk in the dark. You either need a review by an independent third party (a cybersecurity firm, most likely) documenting the state of security, or to use a tool to obtain enough information to make a determination as to how effectively they are carrying out their cybersecurity responsibility. 

Cyber Insurance Coverage

It is not unreasonable to ask a potential partner whether they have active cyber insurance, what that insurance consists of and how much coverage there is. You want to make sure if there is an incident involving your (or your customer/client’s) data that there is coverage to assure a complete response. Consider having your risk manager or general counsel involved in reviewing their response.

Finally, ask the partner whether they are willing to execute an agreement which mandates good cybersecurity practices and an obligation to notify you if they know or suspect that a breach may have occurred.  Work with your general counsel (or outside counsel) to draft the terms of such agreement. 

Regulatory standards to “implement and maintain reasonable security procedures and practices” are included in California’s forthcoming Consumer Privacy Act (CCPA), and will no doubt appear in others. The updated guidance from the FTC and NYDFS show a rising pressure to manage risks both within and outside of your organization – with a particular focus on third parties. While there is no magic formula for managing third-party risk, ignoring the risk is simply unacceptable. 

This article was originally published on Legaltech News.

 


Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Optimized Third-Party Cyber Risk Management Programs

Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.

Third Party Cyber Audits and Reviews

Ensure that your third parties are handling sensitive data according to regulatory guidelines and industry standards with our cyber audits and reviews.


Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.