Ever since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators. The FTC has flagged the issue, as has the SEC. The DoD has imposed strict cybersecurity requirements for contractors that “flow down” to sub-contractors.
But despite an increasing focus on the full lifecycle of third-party risk management, vendor incidents continue to represent a high percentage of reported data breaches. According to a March 2016 Ponemon Institute report, 49 percent of survey respondents indicated that their organization experienced a data breach caused by a vendor.
While vendor management programs can help mitigate cyber risks, part of the issue appears to be a lack of ongoing collaboration between vendors and the organizations they serve. For example, many vendors rely on an individual’s Social Security number (“SSN”) and date of birth (“DOB”) to authenticate employees seeking access to a portal with personal information, such as employee tax forms, payroll statements, 401(k) plans or health benefits. This information may be required for every login, or only for initial account registration, after which the individual creates a unique user name and password. These procedures may have been agreed upon years ago in negotiated service agreements, but because of more recent data breaches, SSNs and DOBs are frequently available on the black market, and bad actors are using that information to gain access to vendor sites. This type of unauthorized access has recently affected ADP, Equifax, Greenshades and many other vendors.
There are also significant complications in incident response with a vendor-based data breach. The vendor and customer may have different interests when determining what constitutes a “data breach,” whether there are breach notification obligations, the extent to which forensic investigations are necessary, and what level of information-sharing is appropriate between the parties. These issues are compounded when multiple customers are affected by a vendor breach, each with a different view on how to handle the response.
Revisiting third-party risk management in view of recent cyber attacks presents some important takeaways for companies and vendors to consider:
- Collaborate on data security – There should be open lines of communication between a vendor and its customers, and parties should not shy away from making changes to previously agreed-upon procedures in order to address evolving cyber threats.
- Be prepared for a breach – Corporate incident response plans can include guidelines for vendor situations, and vendors’ response plans should be consistent with contractual obligations and be designed to meet expected customer needs.
- Review your contractual terms – It may be time to update contractual terms so they include specific provisions with pragmatic requirements for monitoring and audit rights, breach response, and information-sharing.