Thu, May 21, 2020

Minimizing Third Party Cyber Risk Starts with Contract Review

In our previous video we outlined the fundamental steps for building a data inventory to better understand where sensitive data is stored and how best to protect it. In this video, we highlight the need to identify third parties who may have access to your data, and what steps they’ve taken to protect it. Especially in the event of a cyberattack, it is important to know how your data may be at risk and what legal mechanisms your organization has to inspect third parties’ security or minimize liabilities. In a webcast co-hosted with James Melendres of Snell & Wilmer, Jonathan Fairtlough, Managing Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps, discussed the importance of creating and updating contracts with third-party vendors to ensure data is securely stored to reduce vulnerabilities that can lead to cyberattacks, such as ransomware and business email compromise (BEC).


Watch the full webinar and download the slides: Effective Business Email Compromise and Ransomware Mitigation

It is crucial for security and privacy leaders to monitor and update contracts with third-party vendors to protect their organizations from data breaches. Very often, a data incident originates with a vendor whose security has never been validated because the contract grants no legal authority to do so. Clauses such as a contractual right to access and a duty to assist in security reviews are fundamental to a healthy third-party cyber risk management program: with them in place, an organization can audit the vendor and verify the safety of the data the third party holds.

How do you keep track of the data your third parties hold?

It is important to hold your vendors to the same security standard to which you hold your own organization. Monitoring and maintaining the data that your vendor holds should be managed the same way as your internal data inventory. Ensure you’re taking the following steps when keeping track of your third-party data:

  • Review your vendor contracts
  • Keep copies of contracts in a documented form
  • Include review of third parties in your audit
  • Utilize your ability to inspect if you have a clause that allows for it

In the infographic below, Jonathan identifies key considerations for ensuring the safety of your data. He highlights the need to take the proper steps to know who has your data. This includes verifying the legal review of vendor contracts that hold data and maintaining copies of vendor security assessments. 

[Infographic: Minimizing Third-Party Cyber Risk Starts with Contract Review]

Shay Colson, one of our experts, wrote an excellent article on the inherent challenges of managing third-party cyber risk and how to adjust expectations to better fit business needs and strategically manage our resources to address the most pressing risks. It’s a must-read.

Your organization’s data security is increasingly dependent upon third parties, pressing the need for external reviews. Starting with a review of vendor contracts, focused on the key aspects that Jonathan and James shared in the video, helps set the course towards cyber resilience. 
