Worrying about the cyber security of your vendors is no longer the exclusive domain of the chief information security officer and IT departments. Instead, these worries have increasingly expanded into the realm of compliance. Growing global regulatory focus on data privacy, ever-increasing remediation costs and subsequent sales losses force compliance officers and their staff to assess a vendor’s cyber security maturity during their standard due diligence process.
Increasing Regulatory Focus on Cyber Security
Governments around the globe are emphasizing data protection and efforts to prevent data breaches. Likely, the best-known data privacy and data security regulation is the European Union’s General Data Protection Regulation (GDPR). Although the U.S. currently lacks a national data breach notification law, all 50 states have one, and there have been recent calls for an overarching U.S. national regulation on data breach notifications. Globally, over 100 countries have also enacted or drafted data protection laws in recent years.
Existing regulatory bodies have also increasingly focused on cyber security and data protection issues. For example, the U.S. Securities and Exchange Commission (SEC) advances “cyber-related enforcement actions that protect investors, hold bad actors accountable, and deter future wrongdoing.” Similarly, the U.S. Federal Trade Commission includes ensuring cyber security as part of its mission to protect consumers and competition. Augmenting these agencies are dozens of cyber security frameworks, such as NIST, HIPAA, PCI-DSS and FISMA, to name a few.
The growing size of fines levied against companies for data breaches shows that these data protection laws and regulations also have teeth. Some of the largest fines levied in recent years have been in the millions of dollars. Under GDPR alone, enacted just over two years ago, there have been 160,000 data breaches requiring enforcement, and over $126 million (mn) in fines levied out. These fines are only part of the picture: remediation efforts, lost business and subsequent lawsuits can add up quickly. According to one assessment, the average global total cost from a data breach is USD 3.9 mn; that figure stands at over USD 8 mn if the data breach occurs in the U.S.
Third-Party Cyber Risk: An Emerging Compliance Concern
A common data security concern among these global legal and regulatory efforts is third-party cyber risk. Firms across the globe and in every industry depend on outside vendors to meet their clients’ needs. Many of these third parties have access to sensitive data or are connected directly to a firm’s internal servers. The global nature of these supply chain networks, which rely on digital communications systems to function properly, exacerbates the cyber risk associated with outside partners.
The risk of a third-party cyber breach is not an over-hyped concern. According to one estimate, 60% of breaches stemmed from third parties. In 2019 there were almost 70 third-party data breaches, while 30 have occurred this year so far—many of which affected multiple companies. Those numbers are limited to known incidents—the real number of breaches is likely much higher. And it’s not just small companies impacted, several Fortune 500 companies have also fallen victim to third-party breaches recently. A breach involving an outside partner costs more as well, with one estimate stating that third-party data breaches cost a firm on average 10% more than internal breaches. This doesn’t include the added challenges present when trying to remediate a data breach of someone else’s servers.
Third-party cyber risk can often come in surprising forms. While many of the third parties involved are IT service and cloud providers, not all are. Some sources are less obvious, such as providers of logistics, accounting and educational services. Even the outside law firms that companies use are at risk, and may be of greater concern due to the amount of sensitive data they maintain and their historically lax cyber security processes.
The high level of cyber risk that third parties present to organizations has not gone unnoticed by regulatory bodies. For example, both the U.S. SEC and the Financial Industry Regulatory Authority recently signaled that they expect firms to maintain responsibility for ensuring that their third parties appropriately handle customer data. GDPR is even more direct, holding that firms are legally responsible for the acts of third parties when it comes to data privacy issues. Globally, numerous data breach-/data privacy-focused regulations also reference third parties and cyber risk, often including penalties for non-compliance.
What Should General Counsels and Chief Compliance Officers do about Third-Party Cyber Risk?
The growing global legal and regulatory focus on third-party cyber risk necessitates firms to incorporate assessments of this risk directly into their standard due diligence practices when onboarding a third party. A strong understanding a potential partner’s cyber risk will help general counsels and chief compliance officers determine whether a potential third party is compliant with evolving data breach/data privacy regulations.
How does one achieve this, especially when an organization may have dozens or even hundreds of third parties? Fortunately, a good understanding of a cyber risk profile can be quickly and easily obtained from an objective external review of a third party’s cyber security maturity, dovetailing smoothly with traditional due diligence practices. Doing so will also help control costs, as this method is less costly and faster than inside-out assessments.
At a minimum, you should understand the third party’s potential involvement in previous breaches, specifically if any records associated with the entity have been exposed. This includes identifying whether any of the third party’s individual business records, including those detailing accounts, passwords, profiles or other data, have been publicly exposed. This is a critical first step, as understanding how many credentials could be compromised is a useful measure of overall cyber risk. A recent study of 32,000 cyber incidents indicated that “67 percent of breaches [are] caused by credential theft.”
For critical third parties, such as those with access to your systems or providers of mission-critical supplies, components or services, it is important to examine their external IT infrastructure. This infrastructure includes their websites, public website applications, domain registrations and email providers, which are many of the ways that attackers can access systems and cause a data breach. It is important to review for potential deficiencies such as websites that are not patched or updated appropriately, as this is both a risk by itself and a potential indicator of poor IT practices. Further, it is important to benchmark these findings against others in the same industry. A bank’s handling of its external IT infrastructure may differ greatly from a media company’s due to regulatory requirements, but differences between banks is illustrative of whether they are meeting the requirements of their industry.
Reacting to Substandard Cyber Security Findings
During this external review, you may discover that some of your critical third parties have significant cyber security deficiencies, potentially exposing your firm to compliance concerns. Further actions could then be warranted, possibly in the form of questionnaires or remote assessments. By taking the above step first, however, you can narrow the requirements for these more resource-intensive efforts and take a reasonable, risk-based and cost-effective approach to this challenge.
As third-party cyber security risk continues to rise and the fines for non-compliance continue to grow, it is no longer enough to view this challenge solely as an IT department’s responsibility. Instead, general counsels, chief compliance officers and others responsible for a firm’s third-party risk program most also incorporate third-party cyber security risk assessments into the firm’s overall due diligence process. Only by ensuring that your third parties maintain cyber security best practices and by regularly assessing their cyber security maturity can you minimize your firm’s inadvertent exposure to regulatory or reputational risks.