STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS
April 25, 2018
In-House Counsel Conference

Presenters:
Daniela Ivancikova, Assistant General Counsel, University of Delaware
Evan Foster, Co-Chair, Cybersecurity and Privacy Practice, Saul Ewing Arnstein & Lehr LLP
What is the Risk?
Increased digitization and interconnectedness means more data and more access by third parties
Hackers are looking for the path of least resistance
High-profile breaches have come from third-party vendors and suppliers: Target, Equifax, Panama Papers
Increased regulatory focus on oversight of third parties

What is the Risk?
3rd Party Risk encompasses:
Reputation Risk
Operational Risk
Compliance Risk
Security Risk
Strategic Risk

What is the Risk?
According to Ponemon Institute's 2017 Third Party Data Risk Study:
56% of organizations suffered a breach that was caused by a vendor
57% don't have an inventory of third parties with whom they share sensitive information
18% of companies know if vendors share information with downstream suppliers
Average number of third parties with access to sensitive information increased from 378 to 471
17% feel they're highly effective at mitigating third-party risks
Regulators are Taking Notice
New York Department of Financial Services Reg. 500: "Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers."
NAIC Model Act: "A Licensee shall exercise due diligence in selecting its Third-Party Service Provider."
New Mexico Data Breach Notification Act: "Require by contract that the service provider implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure."

A Few Words About GDPR
Existing Data Protection Directive is being replaced by the General Data Protection Regulation (GDPR)
Takes effect May 2018
Requires notice of breach within 72 hours
Requires significant oversight of the data controller/processor relationship
Heavy fines for failure to protect personal data:
For data controllers, €20M or 4% of global annual turnover
For data processors, €10M or 2% of global annual turnover

A Few Words About GDPR
Article 28 of GDPR imposes oversight on the controller-processor relationship: it requires controllers to use only processors "providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
Controllers must enter into agreements with processors that include the following:
subject matter, duration, nature, and purposes of the processing
controller's documented instructions governing the processing
type of personal data processed and categories of data subjects
mutual assurances concerning information security, breach response and responding to data subjects
processor obligations to implement technical and organizational security measures, maintain confidentiality and delete data upon conclusion
How Do We Do This?
All vendors can introduce cybersecurity risk
Vendor management is a team sport:
Legal
IT/Security
Finance
Risk Management
Procurement
SMEs

Start by Evaluating Relationships
Many successful vendor management programs utilize a three-tiered system. This system assigns each vendor to one of three tiers depending upon the risk rating associated with the service provided.
Tier 1: Vendors that provide a critical service to the company and are integral to its ongoing operations. Vendors that have access to highly sensitive information, such as Non-Public Personal Information or Protected Health Information.
Tier 2: Vendors that are frequently used and relied upon, but are not necessary for the continued functioning of the company. Vendors that may have access to confidential or critical internal-use-only data and have no direct contact with customers.
Tier 3: Non-critical vendors which are easily replaced. These vendors have no access to confidential or critical information and pose little risk to the business.

Manage Vendor/Supply Chain Risk
Procurement and SMEs:
Is the correct form of agreement being presented at the outset?
Is vendor diligence being performed prior to the start of contract negotiations?
Is vendor risk being considered in pricing?
Are the right SMEs being asked to evaluate the vendor based on the services?
Ongoing vendor monitoring/evaluation.
Vendor Due Diligence
Financial Condition:
Review audited financials for the last two years
Evaluate growth, earnings, and potential future litigation to understand the party's overall financial stability
Legal & Regulatory:
Ensure the vendor is currently in compliance with all regulations and can amend processes as needed to ensure flexibility and future compliance
Qualification & Reputation:
Review resumes and backgrounds of management
Evaluate depth of resources and industry reputation, including customer complaints or previous litigation
Policies & Procedures:
Request copies of all P&P that will govern the services performed for your company
If new regulations are pending, inquire as to how the vendor will update the P&P as needed, and request a copy of the project timeline
Manage Vendor/Supply Chain Risk
IT/Security:
Any vendor that has access to your network is an extension of your network
Robust vendor screening is a good first step
In-depth vendor questionnaire (see links)
Application of third-party standards (NIST, ISO)

Sample Provision: Incorporating Vendor Responses to Questionnaire
"At a minimum, Vendor shall implement the administrative, physical and technical controls set forth in Vendor's response to the Company's Information Security Questionnaire dated [ ], a copy of which is attached hereto and is made part of this Agreement."

Sample Provision: Third Party Standards
"In providing the Services to Company, Provider will implement, and Provider will ensure that all of its subcontractors implement, commercially reasonable physical, technical, and administrative safeguards to protect Company's Confidential Information that are no less rigorous than generally-accepted industry practices (such as version 1.1 of the NIST Cybersecurity Framework, ISO 17799/27001, ITIL, or COBIT) and will ensure that all such safeguards, including how the Confidential Information is handled, processed, stored, and disposed of, are in compliance with all applicable data protection and privacy laws, including all applicable laws, regulations, and business guidance issued by the Federal Trade Commission."
Manage Vendor/Supply Chain Risk
Finance and Risk Management:
Does the vendor have the $$$ to perform?
Does the vendor have $$$ if there is a breach?
Does the vendor have a pro-active approach to risk management and mitigation? BC/DR, vulnerability disclosure and management
Does the vendor carry cyber insurance suitable for the risks presented?
Not enough to simply have it in the contract: how to measure and enforce?
Right to audit
Third-party audit (SOC?)

Sample Provision: Cyberrisk Insurance
"A policy of Cyber Insurance-Network Security and Privacy insurance (including coverage for disclosures and/or breaches of Confidential Information and/or customer information (whether electronic or hard copy), coverage for the costs associated with restoring lost or damaged data, sending breach notifications to affected individuals, credit monitoring, public relations expenses, fines and penalties). Such policy shall not contain exclusions for the acts or omissions of either party or its employees, agents, or volunteers, whether intentional or unintentional, resulting in or relating to disclosure and/or breach of Confidential Information and/or records."

Sample Provision: SOC Audit
"Each calendar year, Vendor shall engage independent third-party auditors to conduct a SOC 2 Type 2 service auditor's examination related to operations at the Vendor's facilities in accordance with the American Institute of Certified Public Accountants Statements on Standards for Attestation Engagements No. 18, Reporting on Controls at a Service Organization, or its successor standard, as applicable ("SSAE 18"). Vendor shall deliver to Company, within a reasonable time (but in no event later than one (1) month) after the issuance by such third-party auditors, a copy (or, if and as requested by Company from time to time, a specific number of copies) of the independent service auditor's report produced in connection with such examination (the "Independent Service Auditor's Report"). Company shall be permitted to provide input to Vendor regarding specific needs of Company regarding SSAE 18 and the examinations described in this Section, and Vendor shall reasonably consider any such input for the purposes of maintaining such with regard to such examinations and the relevant operational controls, processes, and safeguards and their effectiveness."
Manage Vendor/Supply Chain Risk
Legal Component:
Robust contract intake to identify possible risks
Review contracts
Policies and requirements need to apply to vendors by contract
Indemnification and warranties
Approvals for material changes
Any special requirements?
Import/export
HIPAA BAA
FERPA Addendum
Other regulatory requirements

Ongoing Monitoring
It is essential to continue monitoring all aspects of performance for the duration of the relationship. Critical vendors should be monitored on a continual basis.
Consider implementing a score-card to measure the vendor's performance.
Conduct quality-control reviews of the vendor's work product and request remediation for all adverse findings.
Employees with direct interaction with the vendor should escalate serious issues or concerns to senior management immediately.
If your company lacks sufficient internal resources or expertise, determine whether it is beneficial to utilize industry experts, such as law firms or vendor risk consultants, to assist with initial due diligence and contract negotiation.
Properly document all aspects of your vendor management program, from the Vendor Management Policy down to the results of due diligence.
Executive management or the board should review the relationships on an annual basis.

Useful Tools & Tips
Set up a separate vendor management office or position, depending on your resources
Employ a third party or technology to help manage your vendors
Utilize your policies & procedures
Produce and analyze periodic reports
Beware of operational deficiencies
Exit relationships when they are no longer viable
Questions?
Reference Materials
Questionnaires for IT Vendor Assessments:
https://www.cisecurity.org/controls/
https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
https://sharedassessments.org/sig/
https://www.vendorsecurityalliance.org/questionnaire2018.html
Vendor GDPR Checklist:
https://iapp.org/news/a/third-party-vendor-management-means-managing-your-own-risk-a-checklist/