An often-overlooked step in a company's cybersecurity strategy is the failure to manage third party risks. Do you know what steps your vendors are taking to protect your company's data and confidential information? It's important that you know. A vendor's deficiencies in cyber protection may render your company's cybersecurity strategy ineffective.
Below is an email that I received recently from a benefits vendor that we use at Berman Fink Van Horn:
We're pleased to let you know that [the vendor] has achieved Soc 2 Type 2, compliance. This is another important validation of the integrity of our systems security, availability, and confidentiality (i.e., our ability to safeguard the information and privacy of your participants and your plan).
Kudos to this vendor. In this day and age of data breach problems, it is reassuring that a major benefits vendor is taking steps to protect our data and confidential information.
So, what can you do to make sure your vendors are doing the same? For starters, your company should require all vendors to have and maintain a cybersecurity strategy. Make sure that your vendor agreements appropriately describe the vendor's privacy and data security process (see below). If your company's current vendor agreement does not contain contract terms to ensure that the vendor has systems in place to protect your company's data and confidential information, then you should require the vendor to enter into a Data Security Agreement immediately.
Of course, the type of data security that your company requires should be tailored to your company's specific requirements. At a minimum, the contractual terms dealing with a vendor's cybersecurity strategy should address the following:
– What steps does the vendor take to train its employees on cyber risks?
– A description of its security program, including appropriate policies and procedures.
– The administrative, physical and technical safeguards used and how they are maintained.
– The vendor's security breach procedures and incident response plan. For instance, how quickly will your company be notified of a data breach?
– A representation that the vendor has cyber liability insurance.
– A description of independent third-party assessments, audits or certifications.
– Will the vendor subcontract any services or use other vendors? What data security steps will be taken?
– Certification that the vendor complies with all applicable laws, regulations and industry standards.
– Indemnification provisions in the event of a data breach.
– An adequate definition of a security breach (this is often overlooked).
I encourage you to take action now to find out what steps your vendors are taking to protect your company's data and confidential information, if any. To be clear: This exercise goes well beyond having cyber liability insurance, which is a separate necessity. There are measures that can be put in place now to further protect your company from a data breach. To begin, I encourage you to enlist the support of experienced legal counsel to review, update and draft vendor agreements that will limit your company's vulnerabilities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.