STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

Presenters: Daniela Ivancikova, Assistant General Counsel, University of Delaware; Evan Foster, Co-Chair, Cybersecurity and Privacy Practice, Saul Ewing Arnstein & Lehr LLP

What is the Risk?
- Increased digitization and interconnectedness mean more data and more access by third parties
- Hackers are looking for the path of least resistance
- High-profile breaches have come through third-party vendors and suppliers: Target, Equifax, Panama Papers
- Increased regulatory focus on oversight of third parties

What is the Risk?
Third-party risk touches every other risk category: reputation risk, operational risk, compliance risk, security risk and strategic risk.

What is the Risk?
According to the Ponemon Institute's 2017 Third Party Data Risk Study:
- 56% of organizations suffered a breach that was caused by a vendor
- 57% don't have an inventory of the third parties with whom they share sensitive information
- 18% of companies know whether vendors share information with downstream suppliers
- The average number of third parties with access to sensitive information increased from 378 to 471
- 17% feel they're highly effective at mitigating third-party risks

Regulators are Taking Notice
- New York Department of Financial Services Reg. 500: "Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers."
- NAIC Model Act: "A Licensee shall exercise due diligence in selecting its Third-Party Service Provider."
- New Mexico Data Breach Notification Act: requires by contract that the service provider "implement and maintain reasonable security procedures and practices appropriate to the nature of the personal identifying information and to protect it from unauthorized access, destruction, use, modification or disclosure."

A Few Words About GDPR
- The existing Data Protection Directive is being replaced by the General Data Protection Regulation (GDPR)
- Takes effect May 2018
- Requires notice of a breach within 72 hours
- Requires significant oversight of the data controller-processor relationship
- Heavy fines for failure to protect personal data: for data controllers, €20M or 4% of global annual turnover; for data processors, €10M or 2% of global annual turnover

A Few Words About GDPR
Article 28 of the GDPR imposes oversight on the controller-processor relationship: it requires controllers to use only processors "providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." Controllers must enter into agreements with processors that include the following:
- the subject matter, duration, nature and purposes of the processing
- the controller's documented instructions governing the processing
- the type of personal data processed and the categories of data subjects
- mutual assurances concerning information security, breach response and responding to data subjects
- processor obligations to implement technical and organizational security measures, maintain confidentiality and delete data upon conclusion

How Do We Do This?
- All vendors can introduce cybersecurity risk
- Vendor management is a team sport: Legal, IT/Security, Finance, Risk Management, Procurement and subject-matter experts (SMEs)

Start by Evaluating Relationships
Many successful vendor management programs utilize a three-tiered system, which assigns each vendor to one of three tiers depending upon the risk rating associated with the service provided.
- Tier 1: Vendors that provide a critical service to the company and are integral to its ongoing operations. Vendors that have access to highly sensitive information, such as Non-Public Personal Information or Protected Health Information.
- Tier 2: Vendors that are frequently used and relied upon but are not necessary for the continued functioning of the company. Vendors that may have access to confidential or critical internal-use-only data and have no direct contact with customers.
- Tier 3: Non-critical vendors that are easily replaced. These vendors have no access to confidential or critical information and pose little risk to the business.

Manage Vendor/Supply Chain Risk: Procurement and SMEs
- Is the correct form of agreement being presented at the outset?
- Is vendor diligence being performed prior to the start of contract negotiations?
- Is vendor risk being considered in pricing?
- Are the right SMEs being asked to evaluate the vendor based on the services?
- Ongoing vendor monitoring and evaluation

Vendor Due Diligence
- Financial Condition: Review audited financials for the last two years. Evaluate growth, earnings and potential future litigation to understand the party's overall financial stability.
- Legal & Regulatory: Ensure the vendor is currently in compliance with all regulations and can amend processes as needed to ensure flexibility and future compliance.
- Qualification & Reputation: Review resumes and backgrounds of management. Evaluate depth of resources and industry reputation, including customer complaints or previous litigation.
- Policies & Procedures: Request copies of all policies and procedures (P&P) that will govern the services performed for your company. If new regulations are pending, inquire as to how the vendor will update the P&P as needed, and request a copy of the project timeline.

Manage Vendor/Supply Chain Risk: IT/Security
- Any vendor that has access to your network is an extension of your network
- Robust vendor screening is a good first step
- In-depth vendor questionnaire (see the links under Reference Materials)
- Application of third-party standards (NIST, ISO)

Sample Provision: Incorporating Vendor Responses to Questionnaire
At a minimum, Vendor shall implement the administrative, physical and technical controls set forth in Vendor's response to the Company's Information Security Questionnaire dated [ ], a copy of which is attached hereto and is made part of this Agreement.

Sample Provision: Third-Party Standards
In providing the Services to Company, Provider will implement, and Provider will ensure that all of its subcontractors implement, commercially reasonable physical, technical, and administrative safeguards to protect Company's Confidential Information that are no less rigorous than generally accepted industry practices (such as version 1.1 of the NIST Cybersecurity Framework, ISO 17799/27001, ITIL, or COBIT) and will ensure that all such safeguards, including how the Confidential Information is handled, processed, stored, and disposed of, are in compliance with all applicable data protection and privacy laws, including all applicable laws, regulations, and business guidance issued by the Federal Trade Commission.

Manage Vendor/Supply Chain Risk: Finance and Risk Management
- Does the vendor have the $$$ to perform?
- Does the vendor have $$$ if there is a breach?
- Does the vendor have a proactive approach to risk management and mitigation? BC/DR, vulnerability disclosure and management
- Does the vendor carry cyber insurance suitable for the risks presented?
- It is not enough to simply have it in the contract: how do you measure and enforce it? Right to audit; third-party audit (SOC?)

Sample Provision: Cyber Risk Insurance
A policy of Cyber Insurance-Network Security and Privacy insurance (including coverage for disclosures and/or breaches of Confidential Information and/or customer information (whether electronic or hard copy), coverage for the costs associated with restoring lost or damaged data, sending breach notifications to affected individuals, credit monitoring, public relations expenses, fines and penalties). Such policy shall not contain exclusions for the acts or omissions of either party or its employees, agents, or volunteers, whether intentional or unintentional, resulting in or relating to disclosure and/or breach of Confidential Information and/or records.

Sample Provision: SOC Audit
Each calendar year, Vendor shall engage independent third-party auditors to conduct a SOC 2 Type 2 service auditor's examination related to operations at the Vendor's facilities in accordance with the American Institute of Certified Public Accountants Statements on Standards for Attestation Engagements No. 18, Reporting on Controls at a Service Organization, or its successor standard, as applicable ("SSAE 18"). Vendor shall deliver to Company, within a reasonable time (but in no event later than one (1) month) after the issuance by such third-party auditors, a copy (or, if and as requested by Company from time to time, a specific number of copies) of the independent service auditor's report produced in connection with such examination (the "Independent Service Auditor's Report"). Company shall be permitted to provide input to Vendor regarding specific needs of Company regarding SSAE 18 and the examinations described in this Section, and Vendor shall reasonably consider any such input for the purposes of maintaining such with regard to such examinations and the relevant operational controls, processes, and safeguards and their effectiveness.

Manage Vendor/Supply Chain Risk: Legal Component
- Robust contract intake to identify possible risks
- Review contracts
- Policies and requirements need to apply to vendors by contract
- Indemnification and warranties
- Approvals for material changes
- Any special requirements? Import/export, HIPAA BAA, FERPA addendum, other regulatory requirements

Ongoing Monitoring
- It is essential to continue monitoring all aspects of performance for the duration of the relationship. Critical vendors should be monitored on a continual basis.
- Consider implementing a scorecard to measure the vendor's performance.
- Conduct quality-control reviews of the vendor's work product and request remediation for all adverse findings.
- Employees with direct interaction with the vendor should escalate serious issues or concerns to senior management immediately.
- If your company lacks sufficient internal resources or expertise, determine whether it is beneficial to utilize industry experts, such as law firms or vendor risk consultants, to assist with initial due diligence and contract negotiation.
- Properly document all aspects of your vendor management program, from the Vendor Management Policy down to the results of due diligence.
- Executive management or the board should review the relationships on an annual basis.

Useful Tools & Tips
- Set up a separate vendor management office or position, depending on your resources
- Employ a third party or technology to help manage your vendors
- Utilize your policies and procedures
- Produce and analyze periodic reports
- Beware of operational deficiencies
- Exit relationships when they are no longer viable

Questions?

Reference Materials
Questionnaires for IT Vendor Assessments:
- https://www.cisecurity.org/controls/
- https://cloudsecurityalliance.org/download/consensusassessments-initiative-questionnaire-v3-0-1/
- https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
- https://sharedassessments.org/sig/
- https://www.vendorsecurityalliance.org/questionnaire2018.html
Vendor GDPR Checklist:
- https://iapp.org/news/a/third-party-vendor-management-meansmanaging-your-own-risk-a-checklist/