Outsourcing some of your business operations to a third-party vendor comes with a lot of perks – like improving operational efficiency by saving money on infrastructure and maintenance – as is the case when moving data into cloud platforms. However, hiring a vendor doesn’t mean you’re off the hook when it comes to securing your data. In fact, bringing a third-party into the mix can make that fiduciary responsibility even more difficult to fulfill.
Last year, a number of costly third-party vendor breaches affected big-name businesses, including Target, Saks 5th Avenue, Voya Financial, and Universal Music Group. As part of an escalating and continued emphasis on cybersecurity, the SEC issued a Risk Alert in May 2019, highlighting their latest findings from a recent sweep focused on vendor security. The SEC examiners concluded that many businesses are not conducting proper oversight of third-party vendors.
Making Sure Your Vendors Aren’t a Liability
Vendors are often given privileged access to a business’s platforms and data. That access needs to be monitored and protected by a business in the same manner that it monitors internal users. Failure to do so may lead to situations like Delta Airlines’ 2018 breach in which the company’s online chat vendor, 7.ai, was hacked, exposing the personal data of several hundred thousand customers. In an online statement, the airline notified the public that 7.ai had been compromised in September 2017 and that hackers had intercepted consumer payment information. What Delta failed to mention is their culpability in the matter. When businesses rely on vendors to provide a service, they assume responsibility for the cybersecurity practices of those vendors.
The Importance of Being Thorough
Most businesses probably believe they are conducting adequate vendor oversight. Typically, when sourcing a vendor, some businesses will issue an RFP, do a thorough search on qualified companies and ask around for a reputable reference. Once the vendor is hired, a business will often conduct due diligence in the form of a questionnaire. None of these seemingly cautionary steps get to the heart of identifying a vendor’s cybersecurity weaknesses, or even its ability to meet compliance standards. And trusting a vendor’s reputation isn’t useful either, as Delta discovered the hard way.
The Vetting Phase
Ensuring vendors are in compliance starts before hiring. During the pre-contract phase, your business should review the vendor’s information security whitepaper. Ask about the vendor’s security audits, including System and Organization Control (SOC) audits. Conduct thorough discussions about the frequency and findings of those audits measures taken to address any noted issues, and if there are pending items that have not been addressed. Ask whether the vendor has undergone a penetration test to find security weaknesses that may be exploited. Have discussions with the vendor’s cybersecurity team, not just the sales team, and include your cybersecurity team in those meetings to gain a better understanding of the vendor’s security measures. Ask to use the vendor’s test environment for a few days to a week. This will provide your cybersecurity team with opportunities to try out the service or product to identify any weakness in the vendor’s security controls. Finally, ask for the vendor’s policies, standards, and procedures, and compare them to your own. Your job at this phase is to see if they are aligned with your business, identify any vulnerabilities and assess whether the vendor is the right fit for your business.
The Contract Phase
After you have assessed the vendor and have moved to the contract phase, it is important to incorporate a series of security metrics into the agreement. These metrics will allow you to assess the effectiveness of the vendor’s security controls later on. Furthermore, the contract phase should be used to document how you will continue to issue proactive remediation. The contract should define the scope of the vendor’s service. A cloud provider that is only providing service relating to HR operations should be restricted to varying degrees of HR-related content. Having a service-level agreement should address this; in addition to detailing the work to be performed, it should include communication escalation protocols, and how infractions or problems will be handled. Additional items to mandate in the contract are vendor-business continuity, employee security training for vendor employees, and regular third-party and internal audits.
Once the contract is signed by both parties, your business should be ready to fully implement continuous vendor monitoring. At this point, vendors which have passed through the vetting and contract phase may now be monitored via a due diligence questionnaire which should be designed based on the level of risk accessed by the vendor.
To achieve this, your business should establish criteria based on exposure to sensitive customer data, proprietary data, employee data, operational criticality, physical access, and systems access. The criticality of a vendor should be based on three levels of risk: High, Medium, Low. The purpose of using these criteria is to identify the most critical vendors.
Keep in mind that, based on the often-evolving nature of a vendor’s tasks, risk levels may fluctuate over the course of a contract, so it’s important to frequently review these assessments and to plan for unexpected scenarios. A marketing vendor may not start out with access to personal data like customer addresses and birthdays, but may eventually need that information to send out promotional material. Your business will need to continuously assess their vendors by reviewing contracts and checking their terms against the level of service that the vendor is currently providing.
Staying on top of changes within your vendor is a must. Changes within the vendor structure including the organizational hierarchy or changes to employee roles may cause issues with the services provided by the vendor. Not only do you have to know about changes within the vendor, but you also have to understand changes within your business and how that could affect the type of services provided by your vendor. A business that is considering an acquisition of a European business will be exposed to GDPR and the many regulations that come with it. Not only will the acquisition lead to tighter controls but also European clients which will require a thorough assessment of the service provided by the vendors.
Service Organization Control (SOC), and Statement on Standards for Attestation Engagements (SSAE) reports are a great way to see how the vendor’s controls measure up to industry standards. Conducting site visits will help you gain access to the physical security, and controls implemented by the vendor.
Ensuring your vendors are in compliance is more than just checking a box -it requires a great deal of involvement. Relationships are built on (verifiable) trust. When it comes to your vendors, trust should be established right from the start and be continuously monitored.