A thorough examination of a vendor’s cybersecurity practices can provide the due diligence necessary to prevent a data leak within your organization. A standard process for evaluating vendors can not only prevent ad hoc decisions, leading to missed contract language or additional risks, like the unauthorized use of subcontractors, but having such process is often a requirement from regulatory perspective. And while data incidents are often inevitable, controls like encryption and documented incident response plans with periodic testing can reduce the liability, costs and reputational harm associated with these events.
“The outcome of data incidents can involve massive penalties imposed by regulatory bodies and be subject to private litigation, resulting in a substantial financial loss,” said Scott Vaccaro, Assistant Vice President of IT Compliance and Risk Management at Safety National. “Apart from the loss that can be quantified is the reputational damage associated with one of the events. If your business partners have a choice to work with a competitor with more established security standards, they will likely make the safer choice, and no one wants to be the company looked over because of a preventable incident.”
Before signing on the dotted line, ensure that you have asked the following questions.
1. Do you know what you are subject to from a regulatory perspective?
Depending on your organization’s location(s) and industry, you may have multiple jurisdictional requirements to adhere to, and each will likely vary in its requests. This can be specific to state requests, the number of data subjects (citizens) of a state for whom you handle personal information, and what kind of data you handle regularly. For example, the California Consumer Privacy Act (CCPA) allows any California consumer to demand all information a company has saved on them and a full list of third parties with access to that data. It also allows consumers to sue a company if the privacy guidelines are violated. Thus, organizations operating within that state must make that information readily available, and any data leaks could prove especially harmful.
Regulations such as the New York State Department of Financial Services 23 NYCRR 500 require many insurance entities’ third-parties (service providers) to maintain a cybersecurity program with comprehensive protections and controls. Additionally, the National Association of Insurance Commissioners (NAIC) model law and its participating states require oversight of third-party service providers. Both of these regulations have provisions for annual recertifications of vendors, ensuring that they follow security standards. Federal consumer data privacy laws also cover industries handling sensitive personal information. The Health Insurance Portability and Accountability Act (HIPAA) protects personal health information within healthcare entities, and the Fair Credit Reporting Act (FCRA) covers information in your credit report and applies directly to financial institutions.
2. How involved is your legal team with the contract?
Your legal department includes experts familiar with vendor contracts’ subjectivity, especially those involving data privacy, so it is best to involve them early. Your legal team can also efficiently identify terms and conditions from past contracts, allowing a more consistent negotiation process. They can outline the consequences that would result in contract termination and manage the language to cover all regulatory requirements. Their role serves to prevent worst-case scenarios, which can commonly occur from data breaches, so working harmoniously with their team can provide complementary expertise to effectively avoid any reputational damage.
3. What controls are included in the vendor’s cyber hygiene practices?
The National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Center for Internet Security (CIS) provide frameworks for reasonable, basic security standards. These security controls include antivirus software, firewalls, secure passwords, multi-factor authentication, regular backups and training, to name a few. While a payroll provider or customer relationship management software is expected to follow many of these standards, the same is not expected of your landscaping vendor, for example, so it is best not to employ a one-size-fits-all approach. A vendor with one employee may not have the resources to engage in all the top-tier controls, but the same cannot be said of a multimillion-dollar CRM company.
Expectations of your vendor’s cyber hygiene should be set before a contract negotiation, but a minimum standard of controls during the onboarding process can be a helpful reinforcement. At the very least, your vendors should match your cybersecurity controls. Remember that you accept any inherent risks associated with your vendor, so you must decide what to prioritize when communicating any cybersecurity concerns.