Articles | August 10, 2020

Third Party Cyber Risk: Looking at Partners' Cybersecurity

Your business partners are a critical part of your success, providing services such as running payroll, administering funds, or printing annual tax statements.

In this article, we look at the importance of extending your cybersecurity beyond your own systems: evaluating your partners' programs and staying on top of third party cyber risk.


Partners can be weak links

Managing your business partners is a large part of cybersecurity, because the same services they provide for you could also be exposing you to risk.

In fact, according to survey responses on the 2019 Hiscox Cyber Readiness Report, 57% of US firms said they had experienced one or more cyberattacks as a result of a weak link in their supply chain over the past year.


Start with the vendor requirements process

The place to start when choosing a vendor is your requirements definition process. Make clear to potential vendors that cybersecurity is a big deal and that any work they propose must come with assurances that your data is safe.

Note that the vendor should be open to allowing you to audit their cybersecurity protections at least annually.


You should also confirm they're willing to participate in cybersecurity testing or simulations at a frequency you identify, such as once or twice annually.

Your requirements should detail the expected amount of vendor involvement, as it can range significantly, from one person on a phone call to full personnel support on the vendor's equipment to run the cybersecurity tests.

The vendor should provide a review of their cybersecurity protection program

This should include:

  • how often they have external, objective cybersecurity assessments done
  • how they screen their personnel who will be handling your data
  • how they monitor their own business partners from a cybersecurity perspective
  • how they test their own applications to ensure they are secure
  • what security governance policies they have in place and are enforcing

They may possibly even provide you with the results of their most recent cybersecurity assessment.

What has the vendor done to fix critical issues in the past?

Ask your partner what they've done, since their most recent cybersecurity assessment, to remediate any critical or high-risk issues they found.

How will your partners tell you if there's a cyber threat?

Get this in writing. Find out how the vendor will notify you of a cyber incident at their organization and how quickly that notification will occur. 

Confirm they'll take responsibility for threats

When setting requirements with a potential vendor, make sure they agree to be responsible for all of their own costs relating to a cybersecurity incident, and for all of your costs if the incident happened as a result of the vendor falling victim to a cyberattack.

Make sure they've got insurance

The vendor should provide proof of enough cyber insurance to cover potential breaches or losses of your data.

How much downtime if there's an incident?

Make sure you outline this in a written agreement.

This is especially important if you have outsourced time-critical processes such as payroll or governmental reporting, where an outage on their side will cause you to be late delivering those services or artifacts.

This requirement tells the vendor what their backup and disaster recovery schedules need to accommodate.

Ask to see their data retention plan

The vendor must have a data retention plan that you agree with for all data and actions relating to your data.

They should also be willing to return all of your data if your contract with them is terminated for any reason, and they must have the same rule in place for any third party providers they deal with.

Last, upon contract termination the vendor must be required to destroy all of your data residing anywhere on their systems after providing you with copies of that data, and they must have the same rule in place for any third party providers they deal with.


Monitor vendor performance, manage third party cyber risk

Once you've contracted with a vendor, you should routinely monitor their performance to ensure they are meeting your contractual cybersecurity requirements. You can do this in several ways including:

  • Reviewing daily, weekly, or monthly reports from the vendor’s cybersecurity monitoring tools to show their protections are in place and working.
  • Physically auditing the vendor site and performing your own cybersecurity review and/or assessment.
  • Asking the vendor to provide annual copies of approved third party cybersecurity assessments.
  • Contracting with your own cybersecurity experts to do penetration testing against your vendor (with your vendor’s knowledge that the tests are occurring of course).

Consider your own risk comfort level

The last item to consider is your own organization's risk comfort level. You may need services from business partners who do not have the size or financial wherewithal to implement full cybersecurity protection, because doing so is very costly.

The risk you are willing to accept from that vendor should be clearly documented in your contracts with them to avoid unnecessary legal issues should an incident occur.
