Third-Party Supply Chain Risk
According to a study performed by cyber security services firm BlueVoyant, 80 percent of organizations they surveyed experienced a breach that originated from vulnerabilities in their vendor ecosystem within the past 12 months. Less than 25 percent of those organizations monitor their entire supply chain, and only 32 percent reassess their vendor's cyber risk position either every 6 months or less frequently.
However, as demonstrated in the past year, third-party supply chain and vendor cyber risks have proliferated as they become the targets of increasingly sophisticated cyber-attacks. These attacks can have far-reaching and potentially disastrous consequences for customers and businesses alike. Consider, for example, the ransomware attack on Colonial Pipeline that led to a short-term spike in energy prices and disruption in energy supplies to the northeastern United States. Earlier this year, the New York Department of Financial Services (NY DFS) released a White Paper on the SolarWinds hack, which inserted malicious code into Orion software that was pushed out to clients.
Regulators from various governmental agencies also have taken note of the increased exposure businesses face through their supply chains.
For instance, NY DFS observed that the SolarWinds attack "confirms the importance of vigorous third-party risk management, which starts with a thorough assessment of an organization's third-party risk." The regulator further noted that the "SolarWinds attack should serve as a wake-up call. Through a single vector, Russian hackers opened back doors into thousands of organizations, including almost 100 companies in New York's financial services industry. ... The SolarWinds attack confirms that cyber risks are a threat not just to consumers and individual companies but also to the stability and soundness of our entire financial services industry."
Notably, NY DFS Cybersecurity Regulations make it mandatory for DFS-licensed organizations to document and implement a Third-Party Service Provider Security Policy designed to ensure the security of information systems and nonpublic information accessible by, or held by, Third-Party Service Providers (TPSPs) (see 23 NYCRR 500, section 500.11). This should include the establishment of minimum cybersecurity practices by all TPSPs, due diligence to evaluate the adequacy of the third party's cybersecurity practices and a periodic risk assessment of such TPSPs. Moreover, a DFS-licensed organization must have documented guidelines and/or contractual provisions addressing the third party's policies and procedures for access controls, use of multifactor authentication (MFA), encryption and notice to the licensed organization of a cybersecurity event experienced by the TPSP.
DFS-licensed entities are required to notify NY DFS of a third-party breach or cybersecurity incident to the extent it impacts the licensed entity. If it receives notice of such a breach, NY DFS may commence an investigation of the licensed organization and issue a Third-Party Breach Questionnaire, which contains a host of questions ranging from the nature of the business relationship between the licensed entity and the TPSP, the date the TPSP provided initial notice of the breach to the licensed entity and whether the licensed entity conducted a Third-Party Cybersecurity Risk Assessment following discovery of the breach. In short, the licensed entity cannot claim ignorance and bury its head in the sand just because a third party experienced a breach. Blissful ignorance is not a viable defense under the law.
A host of other relatively recent state laws similarly require organizations to assess potential third-party cyber risk and impact on the organization. For instance, the California Consumer Privacy Act (CCPA), as recently amended by the Consumer Privacy Rights Act (CPRA), requires companies that collect, share or sell personal information of California residents to enter into binding written contracts with TPSPs that have access to such data. These contracts must set forth expressly the limitation on the use and sharing of such data for the limited business purpose set forth in the contract. Moreover, the TPSP must certify that it will comply with these restrictions and limitations on use of the information. In addition, an organization is permitted to monitor the TPSP's compliance with the contract terms. This may include manual reviews, automated scans, security assessments or audits of the TPSP at least annually.
This year, Virginia and Colorado passed similar consumer privacy laws that require companies to enter into binding contracts with any TPSPs that process personal data at the direction of the company.
- The Colorado Privacy Act requires vendor contracts to address various issues regarding the processing of personal data, in addition to the company's right to perform cybersecurity audits and inspections of the TPSP at least once annually and at the TPSP's expense. The audit should examine specifically the TPSP's policies and procedures regarding the protection of personal data. If the audit is performed by a third party, the TPSP should provide a copy of the audit report to the company upon request.
- The Virginia Consumer Data Protection Act also requires companies to enter into binding written contracts with TPSPs that process personal data. Such contracts should include a provision enabling the company to conduct an assessment of the TPSP's policies and procedures for compliance with the protection of personal data.
Organizations should expect to see more laws that place the onus on them to conduct appropriate due diligence on TPSPs before sharing any personal, nonpublic information with them. In short, the burden is on companies to ensure that their downstream vendors have adequate cybersecurity controls, policies and procedures in place to adequately protect sensitive information.
Managing an Organization's Third-Party Cyber Risk
The largest risk for a company's supply chain is the organization's lack of control of their data once it leaves their network and is transmitted to the third-party vendor. Managing that control can be a daunting task for even the most sophisticated organizations due to the number of third parties with which organizations typically form business relationships. However, supply chain risk management can be codified into a relatively few number of important steps an organization should take to appropriately assess the risk of doing business with that third party.
Many organizations have begun to use detailed questionnaires to evaluate the current security controls of their third-party vendors. These documents vary in size and complexity – from a few pages to thousands of questions. While questionnaires are helpful, it is important to remember they should be used only as a starting point in an organization's supply chain risk management process, not as a definitive solution. The responses from the third party will highlight where the vendor is deficient in particular areas of information security. Follow-up discussions and meetings with the vendor should be initiated in order to continue the fact-finding investigation.
The following list is a sample of specific requests for information that organizations should require from their vendors as part of the vendor due diligence process:
- Identify the person(s) responsible for the vendor's cybersecurity program (including any external IT vendors or Managed Service Providers)
- How (specifically) does the vendor protect sensitive data (encryption, MFA, access controls, etc.)
- Whether the vendor previously experienced a cybersecurity incident and how they responded
- How the vendor identifies, prioritizes, escalates and reports cybersecurity incidents – internally and externally
- Copy of the vendor's most recent Risk Assessment
- Whether the vendor conducts employee training on cybersecurity and privacy
- Vendor's disaster recovery capabilities (including availability of offsite or Cloud-based backups)
- Whether the vendor routinely scans its network for suspicious activity, and if so, how.
These and other questions will provide an organization greater visibility into a third-party vendor's cybersecurity program.
Assess Vendor Security Controls
While examining the security controls of third parties, an organization always must be aware of its unique business needs for this service. Organizations should be able to answer these questions:
- What type of data is transmitted to the vendor?
- How much data is transmitted?
- How long is the data processing period?
- How will the organization ensure the safe dissolution of services with the vendor, including the return or destruction of data?
These questions may appear simple, but it takes a high level of coordination across multiple departments within a business to adequately address these types of issues. The answers to these questions will frame the vendor's security controls in the context of your organization's risk tolerance.
Establish Contractual Obligations
After gaining an understanding of the organization's risk tolerance with the vendor and its current security controls, creating contractual obligations is key to holding vendors accountable. Security-related contractual clauses will establish baselines for the vendor while it is in possession of an organization's data. Moreover, an organization can set minimum data security and privacy requirements for the vendor to satisfy the contractual relationship. Depending on the type of business relationship being established and the parties involved, the clauses should be as specific as possible so that both parties are clear on the data security expectations. In addition, organizations should require minimum limits on a vendor's cybersecurity insurance policy based on the service being offered and the amount of data the vendor will possess.
Performing the foregoing steps establishes a contractual arrangement with the vendor and ensures an organization's data is protected from the start of the business relationship. However, to ensure the supply chain risk is managed over time, organizations should perform routine cybersecurity audits of its vendors. Vendors left unchecked pose a serious vulnerability to an organization's data protection program since there is limited visibility into a vendor's security controls. Absent continuous monitoring, vendors may change their security program without an organization's knowledge. This might create additional risks that should be addressed by contractual amendments or expansion of insurance coverage. Annual audits of the vendor systems that contain an organization's data are a good example of continuous monitoring procedures.
In short, an organization's best defense is a good offense in managing third-party cyber risk. This includes:
- Vendor questionnaires regarding third-party data security and privacy protocols
- Documentation of the vendor's cybersecurity controls, policies and procedures
- Right to conduct periodic audits or assessments of the vendor's cybersecurity program
- Binding written contracts that limit a vendor's use of data for a stated business purpose, prohibit the vendor from sharing or selling data with other third parties, set forth minimum security requirements to protect data and require the vendor to provide prompt notice of a data breach
- Requirement for the vendor to maintain cyber insurance coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.