Fri, Jun 21, 2019
It has never been more important to diligently vet, onboard, monitor, and audit critical third-party service providers and vendors. These third parties exist to make life easier, more efficient, and more innovative, and to help you better serve your customers. To do so, they often have access to, ingest, and store tremendous amounts of data for various processing purposes. Given this reality, it is hardly surprising that vendor-attributed data breaches are increasingly common. A recent study by Soha Systems found that 63% of data breaches may be directly or indirectly related to third-party access by contractors and suppliers.[1] And while there are certainly examples of bad press and enforcement activity against a service provider who suffers a data breach, the rule, by far, is that the company bears the brunt of its service provider’s cyber mistakes and mishaps. Continued corporate migration to the cloud, and the growth in outsourcing generally, set the stage for significant third-party risk going forward.
On this front, the Securities and Exchange Commission’s 2018 cyber guidance is instructive.[2] Throughout the guidance, the Commission repeatedly cites third-party “suppliers,” “service providers,” and “vendors” as critical to, among other things, enterprise risk, cyber incidents, and potential breach response and remediation costs. Companies are admonished to think long and hard about how service providers might be discussed in their public filings (e.g., “Past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk-factor disclosure.”). Indeed, the fallout from a third-party breach can be significant for companies that have tight operational connectivity and integration with their vendors (e.g., in the supply chain). Where companies rely on third parties not only for operational support but also for cybersecurity controls, the stakes may be even higher. The same goes for companies that rely on service providers for critical e-commerce support. In these scenarios, a failure in the vendor’s measures designed to protect against, identify, detect, or respond to major cyber events could materially impact the company.
Despite these warning signs, many organizations still struggle to get their arms around their service providers. A 2018 Ponemon study[3] found that 59% of survey respondents reported experiencing a data breach caused by a third party. That number is up 5% from 2017 and up 12% from 2016. More than 75% of respondents believe that third-party data breaches are increasing. But nearly one quarter of respondents admitted that they did not know whether they had had a third-party breach in the previous twelve months. More troubling is that only 35% of respondents are confident that a third-party vendor would notify them if the vendor suffered a data breach. And only 11% are confident that a downstream fourth-party vendor would notify them of a breach.
Much has been written about the design and execution of robust vendor management programs. We do not wish to duplicate that here. It goes without saying that vendor management can impose significant costs, and we are not advocating the outsourcing of vendor management to yet another service provider (e.g., companies that offer website/online scanning technology). Rather, we offer three tips on less notorious but (in our experience) effective risk mitigation moves that counsel might consider vis-à-vis third parties:
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
Sources
[1] Soha Systems, Third Party Access Is A Major Source Of Data Breaches, Yet Not An IT Priority (Apr. 2016) (online survey of over 219 IT and security C-level executives, directors, and managers).
[2] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, 17 C.F.R. pts. 229, 249 (2018).
[3] Ponemon Institute, Data Risk in The Third Party Ecosystem (Nov. 2018).