Beyond the Firewall: Mitigating Downstream Cyber Risk
Organizations will spend billions of dollars this year on cybersecurity technologies to find cyber intruders inside their own networks. But in today’s interconnected and outsourced world, an organization’s sensitive data resides with or can be accessed by hundreds, if not thousands, of business partners. How can companies effectively manage these third party risks to their data?
Insecure third parties pose a significant risk to an organization: just ask any of the high profile businesses hit with a headline-grabbing breach caused by a security breakdown on the part of an interconnected business partner. The response from regulators has been clear. In recent years, sector-specific regulators and quasi-regulators in the financial sector (SEC, OCC, SIFMA, and in individual states like New York), insurance (National Association of Insurance Commissioners), retail (PCI Council), defense (DOD), consumer industries (Federal Trade Commission) and health care (Office of Civil Rights) have all issued statements, guidelines, or new requirements for third party cyber risk management.
With significant financial, legal, and reputational risk in play, organizations should consider four critical elements when building and monitoring a third party cyber risk management program:
- Focus on business partners that pose the most risk. Some organizations have hundreds, even thousands of business partners with access to their data or systems, but not each partner should be deemed “critical” from a risk perspective. The partners that have access to an organization’s most sensitive data (including financial, personal, or secret information) or maintain unrestricted portal access likely pose the most risk. This includes law firms, consulting firms, and hardware or software providers.
- Build a team to identify the most critical third party risks. Managing cyber risk posed by business partners is a cross-functional exercise and one department cannot do it alone. Business units best understand the value of their data and should work with the legal and IT teams to identify and locate the organization’s most critical data. Legal, IT, and procurement all work together to establish the appropriate standards for business partners to meet, develop contract language that binds partners to those standards, and audit and assess the implementation of those standards by business partners.
Significant financial, legal, and reputational risk are in play when managing a third party cyber risk program.
- Select security standards suitable for your business partners. There are many different security standards to consider asking your business partners to meet. Many of these standards are industry-dependent. Standards include ISO 27001, the Payment Card Industry data security standards, SOC2, NIST 800-53, and the NIST Cybersecurity Framework. Some companies may choose to spell out specific security practices for their business partners to follow (e.g. encrypting data, annual penetration testing, mandatory code scanning). If your organization has specific expectations you should state them clearly: Contracts requiring “reasonable” security are subject to wide interpretation. Though it is a best practice to request evidence of your business partners’ compliance with the security standards or practices you’ve established, your partners may not always comply; it was recently revealed that Anthem prevented some of its customers from learning information about its security program prior to their massive data breach.
- Continuously monitor your business partners. With so much at stake, organizations must take a “trust but verify” approach to their business partners’ cybersecurity efforts. Just as they do with their own networks, many organizations want to monitor their business partners’ security in real time. Monitoring the security posture of vendors allows companies to gain a better understanding of the integrity of their business partners’ security and subsequently work with their partners to alleviate security issues in real-time. Greater visibility of insecure partners allows organizations to better manage or transfer risk through contracts or insurance.
What happens beyond the firewall can cause significant harm to your organization. Cybersecurity is now becoming a key factor in business decisions. Organizations are learning that strong cybersecurity can be a market differentiator, helping them earn and retain business with customers.
On the other hand, insecure companies who have underinvested in data security protections, failed to adopt best practices, or underperform compared to their peers, are increasingly being left behind.