Mitigating Vendor Risk: Three Steps to Protect Your Organization
Mitigating vendor risk is an increasingly relevant concern for organizations across all industries, especially with the recent cyber attacks of SolarWinds and Microsoft Exchange.
On Thursday, April 15th, our VP of Smart Breach Response, Lauren Winchester, participated in a webinar with Jennifer A. Beckage, Esq., CIPP/US, CIPP/E, Managing Director, and Daniel P. Greene of Beckage, a full-service tech firm, to share methods for reducing organizational risk. You can read our favorite takeaways below and watch the full webinar here.
The SolarWinds and Microsoft Exchange breaches were far-reaching and sophisticated, and they affect companies of all sizes, with those in the private sector left to pay the bulk of the costs. The seriousness of these situations is underscored by the involvement of the NSA, as the agency increasingly weighs in on patch cycles and on the importance of understanding potential vulnerabilities.
We are seeing these breaches ripple through entire supply chains, affecting companies that may not even view themselves as targets for this kind of attack. When your vendors are dealing with threat actors, the consequences don't end at the vendor's doorstep; your data is also at risk. That's why we encourage thinking comprehensively about reducing organizational risk, from the contractual stage through how your staff manages ongoing vendor relationships.
Assume Threat Actors Are Sophisticated
After what we've seen from Microsoft Exchange and SolarWinds, assume that every threat actor is sophisticated: they know what they're doing and are able to find effective leverage points. We have seen threat actors take more direct routes to shorten the response cycle in a ransom situation, sometimes by contacting clients or employees, or by sharing screen grabs of correspondence between counsel and the insured, to demonstrate that they have access to private information.
What Does This Mean for You?
Successfully spotting clumsy phishing emails is not an indicator that your organization is safe. Thinking about the bigger picture is key to taking the initial steps to mitigate risk.
Be proactive with patches, not reactive. The days of IT departments holding off on updates to see whether the kinks get worked out, and only then updating, are over.
Don't put all your money in one place as you establish a plan to mitigate risk. Think holistically: insurance, operational plans, and contract negotiations with vendors.
We’ll dive deeper into the three core ways to mitigate vendor risk: insurance, contract provisions, and operational changes.
Tech E&O and Cyber Insurance
When you're contemplating how to protect your organization, insurance is a crucial first step for transferring risk. A cyber policy can do more than meet your expectations for coverage; it can also be a vital tool for keeping policyholders informed. The partnership with your Cyber or Tech E&O insurance provider can help you stay up to date on new and evolving threats as they appear and on how they may impact your business.
At Corvus, where we naturally think cyber insurance is a pretty big deal, we provide automated scans that pinpoint your organization's biggest risks. The resources and educational benefit of working with your insurance provider go beyond simply being covered: the provider becomes an ongoing source of risk mitigation.
Contract Provisions
Here's where risk mitigation ties directly to your plans and communications with vendors. If a vendor is hesitant to meet all your needs during contract negotiations, keep the key point in focus: these requirements are driven by law. Laws surrounding data and privacy are constantly evolving and differ from state to state. If your vendor has a breach and your organization and clients are impacted, you are still responsible. Take every measure you can while negotiating contracts to keep your organization as protected as possible.
When Negotiating Contracts, We Recommend That You:
Require an NDA with vendors when sharing your information.
Stay on top of vendor contracts. When laws change — and they frequently do — revisit and add amendments.
Ensure your vendor treats your information the same way you would be expected to under the law. Always negotiate for the best privacy terms.
During contract negotiations, agree on a plan for what happens if there is a data breach involving your vendor. Will they make it a priority to keep you in the loop? How will they keep you informed during an incident?
Operational Changes
This is where we look inward: what is your organization's process for vendor management? Every department is going to approach a third-party vendor management policy differently. That's why it is crucial to have something in place that answers the questions "who is in charge?" and "what is our process?" Set guidelines for how you continue to check in with vendors and update contracts when necessary, and define how staff are trained to follow the policy. Having a third-party vendor management policy and an incident response plan shows that you had reasonable controls in place before any breach occurred. If you are ever held liable for a breach, it will be crucial to show that you had a system to limit risk.
Your Policies Should Have:
No fluff. Don’t worry about prose or introductions, just focus on your steps. If anyone outside your organization ever needs to look it over, it’ll be better to keep it straightforward.
Clear indication of what it covers (i.e., third-party vendor management).
The steps of your vendor process: the contract process, NDAs, and issued information security questionnaires.
A training provision: how do you prepare your staff to manage these tasks?
A discipline provision: how do you address staff who don't abide by the policy when working with vendors?
As you work to mitigate vendor risk within your organization, avoid overload paralysis. Everything at once (insurance, contracts, operational changes) may seem like a lot to wrap your head around, but take it step by step. You don't have to do it alone, either. Find trusted advisors to help you through the process, and keep up with cybersecurity news to stay on top of the constantly evolving landscape. Starting conversations about mitigating risk, and promoting a culture in which staff understand the importance of reducing it, is a good direction to move in.