Articles | October 1, 2020

Third-Party Cyber Risk: Looking at Partners' Cybersecurity

Your business partners are a critical part of your success, potentially providing services such as running payroll, administering funds or printing annual tax statements. 

In this article, we look at the importance of extending your cybersecurity beyond your own systems, considering your partners’ programs and staying on top of third-party cyber risk. 


Partners can be weak links

Managing your business partners is a large part of cybersecurity, because the helpful services they provide could also be putting you at risk. 

In fact, according to survey responses on the 2019 Hiscox Cyber Readiness Report, 57 percent of U.S. firms said they had experienced one or more cyberattacks as a result of a weak link in their supply chain over the past year.

Start with the vendor requirements process

The place to start when choosing a vendor is your requirements definition process. Make clear to potential vendors that cybersecurity is a priority and that any work they propose must come with assurances that your data is safe. 

Note that the vendor should be open to allowing you to audit their cybersecurity protections at least annually.

You should also confirm they’re willing to participate in cybersecurity testing or simulations at a frequency you identify, such as once or twice annually.

Your requirements should detail the expected amount of vendor involvement, as it can range significantly from one person on a phone call to providing full personnel support on the vendor’s equipment to run the cybersecurity tests.


The vendor should provide a review of their cybersecurity protection program

This should include:

  • How often they have external, objective cybersecurity assessments done
  • How they screen the personnel who will be handling your data
  • How they monitor their own business partners from a cybersecurity perspective
  • How they test their own applications to ensure they are secure
  • What security governance policies they have in place and are enforcing

They may even provide you with the results of their most recent cybersecurity assessment.

What has the vendor done to fix critical issues in the past?

Ask your partner what they’ve done since their most recent cybersecurity assessment to remediate any critical or high-risk issues they found.

How will your partners tell you if there’s a cyber threat? 

Get this in writing. Find out how the vendor will notify you of a cyber incident at their organization and how quickly that notification will occur. 

Confirm they’ll take responsibility for threats

When setting requirements with a potential vendor, make sure they agree to being responsible for all of their costs relating to a cybersecurity incident, as well as all of your costs if the incident happened as a result of the vendor falling victim to a cyberattack.

Make sure they’ve got insurance

The vendor should provide proof of enough cyber insurance to cover potential breaches or losses of your data.

How much downtime if there’s an incident?

Make sure you outline this in a written agreement.

This is especially important if you have outsourced time-critical processes, such as payroll or governmental reporting, where an outage on their side would cause you to be late delivering those services or artifacts.

This requirement tells the vendor what their backup and disaster recovery schedules need to accommodate.

Ask to see their data retention plan

The vendor must have a data retention plan that you agree with for all data and actions relating to your data.

They should also be willing to return all of your data if your contract with them is terminated for any reason, and they must have the same rule in place for any third-party providers they deal with.

Last, upon contract termination the vendor must be required to provide you with copies of your data and then destroy all of it residing anywhere on their systems, and they must have the same rule in place for any third-party providers they deal with.

Monitor vendor performance, manage third-party cyber risk

Once you’ve contracted with a vendor, you should routinely monitor their performance to ensure they are meeting your contractual cybersecurity requirements. You can do this in several ways, including:

  • Reviewing daily, weekly, or monthly reports from the vendor’s cybersecurity monitoring tools to show their protections are in place and working
  • Physically auditing the vendor site and performing your own cybersecurity review and/or assessment
  • Asking the vendor to provide annual copies of approved third-party cybersecurity assessments
  • Contracting with your own cybersecurity experts to do penetration testing against your vendor (with your vendor’s knowledge that the tests are occurring)

Consider your own risk comfort level

The last item to consider is your own organization’s risk comfort level. You may need services from business partners who do not have the size or financial wherewithal to implement full cybersecurity protection because it is very costly to do.

The risk you are willing to accept from that vendor should be clearly documented in your contracts with them to avoid unnecessary legal issues should an incident occur.

Questions about third-party cyber risk?

Get in touch. Our HR and benefits technology team is here to help. 
