Mitigating vendor risk is an increasingly relevant concern for organizations across all industries, especially with the recent cyber attacks of SolarWinds and Microsoft Exchange.
On Thursday, April 15th, our VP of Smart Breach Response, Lauren Winchester, participated in a webinar with Jennifer A. Beckage, Esq., CIPP/US, CIPP/E, Managing Director, and Daniel P. Greene of Beckage, a full-service tech firm, on methods for reducing organizational risk. You can read our favorite takeaways below and watch the full webinar here.
These far-reaching and sophisticated breaches affect companies of all sizes, with those in the private sector left to pay the bulk of the costs. The seriousness of these situations is underscored by the involvement of the NSA, as the agency increasingly weighs in on patch cycles and on the importance of understanding the vulnerabilities in your environment.
We are seeing that these breaches ripple through entire supply chains, affecting companies that may not even view themselves as targets for these sorts of attacks. When a vendor is dealing with a threat actor, the consequences don't end at the vendor's doorstep: any data of yours that the vendor holds or can reach is also at risk. That's why we encourage thinking comprehensively about your approach to reducing organizational risk, from the contractual stage through how your staff manages ongoing vendor relationships.
After what we've seen from Microsoft Exchange and SolarWinds, we should assume all threat actors are sophisticated: they know what they're doing and are able to create effective leverage. We have seen threat actors take direct routes to speed up the response cycle in a ransom situation, sometimes by contacting clients or employees, or by sharing screengrabs of communications between counsel and the insured, to demonstrate that they have access to private information.
We’ll dive deeper into the three core ways to mitigate vendor risk: insurance, contract provisions, and operational changes.
When you're contemplating how to protect your organization, insurance is a crucial first step for transferring risk. A cyber policy can do more than meet your expectations for coverage; it can also be a vital tool for keeping policyholders informed. The partnership with your Cyber or Tech E&O insurance provider can help you stay up to date on new and evolving threats as they appear and on how they may affect your business.
At Corvus, where we naturally think cyber insurance is a pretty big deal, we provide automated scans that pinpoint your organization's biggest externally visible risks. The resources and educational benefit of working with your insurance provider go beyond simply being covered: the relationship should be an ongoing source of risk mitigation.
Here's where risk mitigation ties directly into your plans and communications with your vendors. If a vendor is hesitant to meet your needs during contract negotiations, keep the key factor in view: your requirements are driven by legal obligations, not preference. Laws surrounding data and privacy are constantly evolving and differ on a state-by-state basis. If your vendor has a breach and your organization and clients are impacted, you are still responsible. Take every measure you can while negotiating contracts to keep your organization as protected as possible.
This is where we take a moment to look inward: what is your organization's process for vendor management? Different departments will take different approaches to establishing a third-party vendor management policy, which is exactly why it is crucial to have something in place that answers the questions "who is in charge?" and "what is our process?" Set guidelines for how you will continue to check in with vendors and update contracts when necessary, along with established steps for training staff to abide by the policy. Having a third-party vendor management policy and an incident response plan shows that you had determined reasonable controls before any breach occurred. If you are ever held liable for a breach, it will be crucial to show that you had a system in place to limit risk.
As you work to mitigate vendor risk within your organization, it's important to avoid overload paralysis. Taking on everything at once (insurance, contracts, operational changes) may seem like a lot to wrap your head around, so take it step by step. You don't have to do it all on your own, either. Find trusted advisors to help you through the process, and keep up with cybersecurity news to stay on top of the constantly evolving landscape. Starting conversations about mitigating risk, and building a staff culture that understands why reducing that risk matters, is a good direction to move in.