Mitigating Vendor Risk: Three Steps to Protect Your Organization
On Thursday, April 15th, our VP of Smart Breach Response, Lauren Winchester, participated in a webinar with Jennifer A. Beckage, Esq., CIPP/US, CIPP/E, Managing Director, and Daniel P. Greene of Beckage, a full-service tech firm, to share methods for reducing organizational risk. You can read our favorite takeaways below and watch the full webinar here.
Mitigating vendor risk is an increasingly relevant concern for organizations across all industries, especially with the recent cyber attacks of SolarWinds and Microsoft Exchange. These far-reaching and sophisticated breaches impact companies of all sizes, with those in the private sector left to pay the bulk of the costs. The seriousness of these situations is cemented with the involvement of the NSA, as the agency increasingly weighs in on patch cycles and the importance of understanding potential vulnerabilities.
We are seeing that these breaches impact entire supply chains, affecting companies that may not even view themselves as targets for these sorts of attacks. In situations where your vendors are dealing with threat actors, the consequences don’t end at your vendor’s doorstep — your data is also at risk. That’s why we encourage thinking comprehensively about your approach to reducing organizational risk, from the contractual stages to how your staff addresses and manages ongoing vendor relationships.
Assume Threat Actors Are Sophisticated
After what we’ve seen from Microsoft Exchange and SolarWinds, we should make a point to assume all threat actors are sophisticated — they know what they’re doing and are able to create successful leverage points. We have seen threat actors start to take direct routes to quicken the response cycle in a ransom situation, sometimes by involving clients or employees (or sharing screengrabs between counsel and the insured) to showcase they have access to private information.
What Does This Mean for You?
Successfully identifying clumsy phishing emails is not an indicator that your organization is safe. Thinking of the bigger picture is key for taking those initial steps to mitigate risk.
Be proactive with patches, not reactive. The days of IT departments stalling on updates to see if the kinks are worked out — and then updating — are over.
Don’t throw your money all in one place as you establish a plan to mitigate risk. Think holistically: Insurance, operational plans and contract negotiations with vendors.
We’ll dive deeper into the three core ways to mitigate vendor risk: insurance, contract provisions, and operational changes.
Tech E&O and Cyber Insurance
When you’re contemplating how to protect your organization, insurance is a crucial first step for establishing a transfer of risk. Investing in a cyber policy for your organization can do more than just meet your expectations for insurance; it can also be a vital tool for keeping policyholders informed. The partnership with your Cyber or Tech E&O insurance provider can help you stay up to date with new and evolving threats as they appear and understand how they may impact your business.
At Corvus — where we naturally think cyber insurance is a pretty big deal — we’re able to provide automated scans that pinpoint your organization’s biggest risks. The resources and educational benefit of working with your insurance provider go beyond simply being covered: your provider is also an ongoing source for risk mitigation.
Contract Provisions
Here’s where risk mitigation ties directly to plans and communications with your vendors. If you’re working with a vendor who is hesitant to meet all your needs during contract negotiations, always focus on the key factor: these requirements are driven by the law. Laws surrounding data and privacy are constantly evolving and differ on a state-by-state basis. If your vendor has a breach, and your organization and clients are impacted, you’re still responsible. Take all the measures you can while negotiating contracts to keep your organization as protected as possible.
When Negotiating Contracts, We Recommend That You:
Require an NDA with vendors when sharing your information.
Stay on top of vendor contracts. When laws change — and they frequently do — revisit and add amendments.
Ensure your vendor treats your information the same way you would under the expectations of the law. Always negotiate for the best privacy terms.
During contract negotiations, determine a plan for what happens if there is a data breach involving your vendor. Will they make you a priority for keeping you in the loop? How will they keep you informed during an incident?
Operational Changes
This is where we take a moment to look inward: what is your organization’s process for vendor management? Depending on the department, everyone is going to have a different approach to establishing a third-party vendor management policy. That’s why it is crucial to have something in place that answers the questions “who is in charge?” and “what is our process?” Determine guidelines for how you will continue to check in with vendors and update contracts when necessary, as well as established steps for training staff to abide by the policy in place. Having a third-party vendor management policy and an incident response plan shows that you had established reasonable controls before any breach occurred. If you’re ever held liable for a breach, it will be crucial to show that you had a system in place to limit risk.
Your Policies Should Have:
No fluff. Don’t worry about prose or introductions, just focus on your steps. If anyone outside your organization ever needs to look it over, it’ll be better to keep it straightforward.
Clear indication of what it covers (i.e., third-party vendor management).
Steps of what your vendor process looks like — the contract process, NDAs, issued information security questionnaires.
A training provision: How do you prepare your staff to manage these tasks?
A discipline provision: How do we address staff that don’t abide by the policy when working with vendors?
As you work to mitigate vendor risk within your organization, it’s important to avoid overload paralysis. Everything all at once — insurance, contracts, operational changes — may seem like a lot to wrap your head around, but take it step by step. You don’t have to do it all on your own, either. Find trusted advisors to help you through the process, and keep up with cybersecurity news to stay on top of the constantly evolving landscape. Starting conversations about mitigating risk, and promoting a culture in which staff understand the importance of reducing that risk, is a good direction to move in.