Articles | October 1, 2020

Third-Party Cyber Risk: Looking at Partners' Cybersecurity

Your business partners are a critical part of your success, potentially providing such services as running payroll, administering funds, or printing annual tax statements. 

In this article, we look at the importance of extending your cybersecurity beyond your own systems, considering your partners' programs and staying on top of third-party cyber risk. 


Partners can be weak links

Managing your business partners is a large part of cybersecurity, because the helpful services they provide could also be putting you at risk. 

In fact, according to survey responses on the 2019 Hiscox Cyber Readiness Report, 57% of U.S. firms said they had experienced one or more cyberattacks as a result of a weak link in their supply chain over the past year.

Start with the vendor requirements process

The place to start when choosing a vendor is your requirements definition process. You have to let the potential vendors understand that cybersecurity is a big deal and that any work they propose must come with their assurances that your data is safe. 

Note that the vendor should be open to allowing you to audit their cybersecurity protections at least annually.

You should also confirm they're willing to participate in cybersecurity testing or simulations at a frequency you identify, such as once or twice annually.

Your requirements should detail the expected amount of vendor involvement, which can range significantly from one person on a phone call to full personnel support on the vendor’s equipment to run the cybersecurity tests.


The vendor should provide a review of their cybersecurity protection program

This should include:

  • how often they have external, objective cybersecurity assessments done
  • how they screen their personnel who will be handling your data
  • how they monitor their own business partners from a cybersecurity perspective
  • how they test their own applications to ensure they are secure
  • what security governance policies they have in place and are enforcing

They may even provide you with the results of their most recent cybersecurity assessment.

What has the vendor done to fix critical issues in the past?

Ask your partner what they've done, since their most recent cybersecurity assessment, to remediate any critical or high-risk issues they found.

How will your partners tell you if there's a cyber threat?

Get this in writing. Find out how the vendor will notify you of a cyber incident at their organization and how quickly that notification will occur. 

Confirm they'll take responsibility for threats

When setting requirements with a potential vendor, make sure they agree to be responsible for all of their own costs relating to a cybersecurity incident, and for all of your costs if the incident happened as a result of the vendor falling victim to a cyberattack.

Make sure they've got insurance

The vendor should provide proof of enough cyber insurance to cover potential breaches or losses of your data.

How much downtime if there's an incident?

Make sure you outline this in a written agreement.

This is especially important if you have outsourced time-critical processes such as payroll or governmental reporting, where their outage will cause you to be late delivering those services or artifacts.

This requirement tells the vendor what their backup and disaster recovery schedules need to accommodate.

Ask to see their data retention plan

The vendor must have a data retention plan that you agree with for all data and actions relating to your data.

They should also be willing to return all of your data if your contract with them is terminated for any reason, and they must have the same rule in place for any third-party providers they deal with.

Last, the vendor must be required to destroy all of your data residing anywhere on their systems after providing you with copies of that data upon contract termination, and they must have the same rule in place for any third-party providers they deal with.

Monitor vendor performance, manage third-party cyber risk

Once you've contracted with a vendor, you should routinely monitor their performance to ensure they are meeting your contractual cybersecurity requirements. You can do this in several ways, including:

  • Reviewing daily, weekly, or monthly reports from the vendor’s cybersecurity monitoring tools to show their protections are in place and working.
  • Physically auditing the vendor site and performing your own cybersecurity review and/or assessment.
  • Asking the vendor to provide annual copies of approved third-party cybersecurity assessments.
  • Contracting with your own cybersecurity experts to do penetration testing against your vendor (with your vendor’s knowledge that the tests are occurring of course).

Consider your own risk comfort level

The last item to consider is your own organization’s risk comfort level. You may need services from business partners who do not have the size or financial wherewithal to implement full cybersecurity protection because it is very costly to do.

The risk you are willing to accept from that vendor should be clearly documented in your contracts with them to avoid unnecessary legal issues should an incident occur.
