Fri, Mar 27, 2020

How to Have a Conversation with Your Third Parties on Cyber Risk during the Coronavirus Outbreak?

Every day, headlines on the coronavirus outbreak continue to arouse fear, uncertainty and doubt about the future. Although epidemiologists, medical professionals and government leaders are working hard to try and contain the spread of the disease, the world is feeling its economic impact. There has been an impact to supply chains as factories and businesses have reduced workforces. Conferences and meetings have been canceled, and significant investments have been postponed.

At a time like this, cyber threats and your third parties may seem less of a priority, but it is critical to engage with your partners. As mentioned here, there are supply chain risks to consider, as well as cyber risks. Hackers and others leverage the days' headlines to goad employees into downloading malicious files or sharing their account information. Further, as more employees start working remotely, the ability for IT teams to ensure secure connections is tested. During this critical moment, it’s more important than before to engage with your third parties on cyber risk and have an honest dialogue on the happenings. We believe that conversation should be guided by the following:


First and foremost, what is happening is a human tragedy as thousands have been directly impacted and millions have suffered due to travel restrictions or other economic impacts. Hence, when engaging with third parties, it is vital that the conversation start with empathy, as your point of contact may be feeling the pressure of this event at a personal level.


Third parties, especially smaller ones, may not be aware of the cyber threats tied to coronavirus. It is vital to share vetted public information that they can use to avoid phishing or other attacks. The Cybersecurity and Infrastructure Security Agency, an agency of the U.S. Department of Homeland Security, has an informative page with links to the recent cyber alert on coronavirus-themed attacks.


Many organizations have business continuity plans which should be reviewed now, if they haven't been implemented, before their implementation in the near future. Check with your third parties what steps they are taking to ensure their operations continue in the face of the coronavirus (or other challenges). If they are not familiar with what steps to take, it may be wise to share some best practices, such as what the U.S. Federal Emergency Management Agency offers or how your organization is coping with these challenges.


The law is the law no matter what is occurring, and it is essential to keep the focus on your legal, ethical or other required obligations. Your third parties play an important part in securing data that you have been entrusted with. Hence, keeping the focus from the regulatory point of view will both streamline the conversation and elevate its importance. For example, keeping the conversation focused on how your third parties are securing access controls in compliance with the New York State Department of Financial Services' regulatory requirements will allow you to explore what they are doing with remote workers through an important and shared lens. 

These are challenging and difficult times. Your third parties, whether they are vendors, partners, stakeholders, or someone else, are feeling the pain as much as your organization. Of all our recommendations, empathy is the most important. 

This crisis will pass, and hopefully, by engaging and communicating with your third parties, your organization's third-party ecosystem will emerge stronger than before.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.