Archived Insight | October 1, 2020
Your business partners are a critical part of your success, potentially providing such services as running payroll, administering funds, or printing annual tax statements.
In this article, we look at the importance of extending your cybersecurity beyond your own systems, considering your partners' programs and staying on top of third-party cyber risk.
The place to start when choosing a vendor is your requirements definition process. You have to let the potential vendors understand that cybersecurity is a big deal and that any work they propose must come with their assurances that your data is safe.
Note that the vendor should be open to allowing you to audit their cybersecurity protections at least annually.
You should also confirm they're willing to participate in cybersecurity testing or simulations at a frequency you identify, such as once or twice annually.
Your requirements should detail the expected amount of vendor involvement as it can range significantly from one person on a phone call to providing full personnel support on the vendor’s equipment to run the cybersecurity tests.
This should include:
They may possibly even provide you with the results of their most recent cybersecurity assessment.
Ask your partner what they've done, since their most recent cybersecurity assessment, to remediate any critical or high-risk issues they found.
Get this in writing. Find out how the vendor will notify you of a cyber incident at their organization and how quickly that notification will occur.
When setting requirements with a potential vendor, make sure they agree to be responsible for all of their own costs relating to a cybersecurity incident, and for all of your costs if the incident happened as a result of the vendor falling victim to a cyberattack.
The vendor should provide proof of enough cyber insurance to cover potential breaches or losses of your data.
Make sure you outline this in a written agreement.
This is especially important if you have outsourced time-critical processes such as payroll or governmental reporting, where an outage at the vendor would cause you to be late delivering those services or artifacts.
This requirement tells the vendor what their backup and disaster recovery schedules need to accommodate.
The vendor must have a data retention plan that you agree with for all data and actions relating to your data.
They should also be willing to return all of your data if your contract with them is terminated for any reason, and they must have the same rule in place for any third-party providers they deal with.
Last, the vendor must be required to destroy all of your data residing anywhere on their systems after providing you with copies of that data upon contract termination and they must have the same rule in place for any third-party providers they deal with.
Once you've contracted with a vendor, you should routinely monitor their performance to ensure they are meeting your contractual cybersecurity requirements. You can do this in several ways including:
The last item to consider is your own organization’s risk comfort level. You may need services from business partners who do not have the size or financial wherewithal to implement full cybersecurity protection because it is very costly to do.
The risk you are willing to accept from that vendor should be clearly documented in your contracts with them to avoid unnecessary legal issues should an incident occur.
This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.