It has never been more important to diligently vet, onboard, monitor, and audit critical third-party service providers and vendors. These third parties exist to make life easier, more efficient, and more innovative and to help you better serve your customers. To do so, they often have access to, ingest, and store tremendous amounts of data for various processing purposes. Given this reality, it is hardly surprising that vendor-attributed data breaches are increasingly common. A recent study by Soha Systems found that 63% of data breaches may be directly or indirectly related to third-party access by contractors and suppliers.1 And while there are certainly examples of bad press and enforcement activity against a service provider who suffers a data breach, by far, the rule is that the company bears the brunt of its service provider’s cyber mistakes and mishaps. Continued corporate migration to the cloud, and the growth in outsourcing generally, set the stage for significant third-party risk going forward.
On this front, the Securities and Exchange Commission’s 2018 cyber guidance is instructive.2 Throughout the guidance, the Commission repeatedly cites to third-party “suppliers,” “service providers,” and “vendors” as critical to, among other things, enterprise risk, cyber incidents, and potential breach response and remediation costs. Companies are admonished to think long and hard about how service providers might be discussed in their public filings (e.g., “Past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk-factor disclosure.”). Indeed, the fallout from a third-party breach can be significant for companies that have tight operational connectivity and integration with their vendors (e.g., in the supply chain). Where companies rely on third parties not only for operational support but also for cybersecurity controls, the stakes may be even much higher. The same goes for companies that rely on service providers to provide critical e-commerce support. In these scenarios, a failure in the vendor’s measures designed to protect against, identify, detect, or respond to major cyber events could materially impact the company.
Despite these warning signs, many organizations still struggle to get their arms around their service providers. A 2018 Ponemon study3 found that 59% of survey respondents reported experiencing a data breach caused by a third party. That number increased 5% from 2017, and up 12% from 2016. More than 75% of respondents believe that third-party data breaches are increasing. But nearly one quarter of respondents admitted that they did not know if they had had a third-party breach in the previous twelve months. More troubling is that only 35% of respondents are confident that a third-party vendor would notify them if the vendor suffered a data breach. And only 11% are confident that a downstream fourth-party vendor would notify them of a breach.
Much has been written about the design and execution of robust vendor management programs. We do not wish to duplicate that here. It goes without saying that vendor management can impose significant costs, and we are not advocating the outsourcing of vendor management to yet another service provider (e.g., companies that offer website/online scanning technology). Rather, we offer three tips on less notorious but (in our experience) effective risk mitigation moves that counsel might consider vis à vis third parties:
- Define “Breach” Strategically, Address Cooperation, and Seek a No-Past-Breach Representation
In the United States, the scope of notifiable data breaches is actually quite narrow as only certain types of data and certain circumstances trigger mandatory notification regimes. In vendor contracts, companies should consider what types of cybersecurity events or incidents matter in terms of managing their risk, and negotiate for definitions consistent therewith. Moreover, in our experience, companies and their vendors must cooperate with each other when a cybersecurity incident occurs that affects them both. When third-party breaches happen, regulators look at not only the security commitments that a company obtained from the vendor, but also the speed and quality of information and cooperation that the company obtains from the vendor to help to more quickly and effectively mitigate harm to any impacted consumers. Finally, we have found that it can be very helpful to include a draft contractual rep that the vendor is not aware of facts or circumstances suggesting a past “breach” (defined as discussed above). This type of rep has two benefits. First, it usually prompts a discussion with the vendor around different types of incidents that the vendor has experienced, and whether or not they are covered by the rep. Second, because many breaches trace back to hacks and other events that occurred many months or even years ago, a no-past-breach rep can provide significant leverage should the rep turn out to be untrue.
- When Bargaining Power Is Unequal, Implement Compensating Controls
In many situations, a service provider is so large, powerful, and essential that companies are unable to negotiate for customized contractual protections. In these situations, counsel are well advised to work with their clients to identify and implement compensating controls. This can be as simple as turning on a multifactor authentication option that the vendor offers, or as complex as implementing supplemental encryption strategies.
- Exercise Your Audit Rights
In our experience, when regulators investigate a breach attributable to a service provider, the fact that the company had a contractual right to audit compliance is becoming less and less acceptable. Regulators want to see more. Counsel should take time to identify critical vendors and, to the extent no audit process is in place, consider the possibility of some (any) checks on whether vendors are living up to their security commitments. And as regulatory requirements and expectations evolve, they should be reflected in both vendor management practices as well as in updated contractual provisions.
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
1 Soha Systems, Third Party Access Is A Major Source Of Data Breaches, Yet Not An IT Priority (Apr. 2016) (online survey of over 219 IT and security C-level executives, directors, and managers).
2 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. pts. 229, 249 (2018).
3 Ponemon Institute, Data Risk in The Third Party Ecosystem (Nov. 2018).