What’s Good for the Goose: Protecting against Vendor Cybersecurity Risk

Even when you’ve done your utmost to secure your organization’s cybersecurity—you’ve followed the advice of all the experts, you’ve checked all the boxes—you still may have an Achilles’ heel. Your cybersecurity is only as strong as its weakest point, which is often a vendor or supplier. In this context, a vendor could be anything from a cloud service provider, data processor, or IT engineer to an HR consultant, accounting firm, or health care benefits manager, while a supplier could be a key provider of manufacturing components or raw materials.

But how to begin to address this vulnerability? The answer is by imposing the same kind of discipline on your vendors that you apply to your own cybersecurity practices—that is, by incorporating similar requirements in your vendor contracts. Protect yourself by taking at least these important steps:

Inventory your vendors. You may be surprised how difficult this one step can be and how many companies don’t already have control of this information. While you’re at it, consider imposing better controls on the vetting of new vendors and your individual employees’ authority to hire them.

Understand the vendor’s risks (and how these relate to your own risk profile). Make sure you understand the impact that a cyber event—be it unauthorized access to or disclosure of personal or business confidential information, introduction of malware, phishing ploy, ransomware attack, or something else—could have on the ability of the vendor to perform its obligations to your company and on your company’s ability to continue normal business operations. Key business functions are frequently outsourced; if you have identified a particular function as a source of cyber risk for your own business, it likely represents an even greater risk if performed by a third party.

Assess the vendor’s cybersecurity safeguards. Ensure visibility into your vendors’ cybersecurity architecture and practices by contract. One solution is to require each vendor to provide a “cyber certification,” disclosing key metrics related to the risk factors identified above and discussing the vendor’s cybersecurity systems and methodologies. If your company purchases cyber insurance, the application you completed for your insurer may serve as a guide for this certification. You may also require the vendor to re-certify on a regular basis.

Ensure vendor best practices. Contractually require that vendors and suppliers adhere to written data protection and information security procedures—particularly vendors who handle sensitive data on your behalf. These should include express obligations to comply with applicable data privacy laws. You should update these regularly and periodically require the vendor to certify compliance. In addition, require vendors to notify you of any failure to comply, and particularly of any information security incident, within a prescribed period, and to provide raw data and investigation results related to the failure or incident upon request.

Strengthen vendor indemnities. Call out the following, for example, as specific bases for breach of contract requiring indemnification by the vendor: (1) failure to adhere to mandated cybersecurity standards, (2) unauthorized access to or loss or disclosure of sensitive data, and (3) interruption of the vendor’s services caused by a cyber event. Indemnification should, if possible, include any resulting loss that your company incurs, including costs of notification to regulators or individuals, regulatory fines, assessments and penalties associated with credit card processing arrangements, damages in civil suits, and lost income due to interruption of your business, together with all associated legal costs. Depending on the vendor’s bargaining power, caps on indemnities may be unavoidable, but at least make sure that key risk categories are addressed.

Work with sound, insured vendors. A perfectly crafted indemnification clause won’t help if the vendor is judgment-proof. Equally, the fact that the vendor has insurance is no guarantee of full and prompt compensation for your losses. The vendor’s financial position must be sufficiently secure that it can stand behind its obligations. Nevertheless, requiring the vendor or supplier to be appropriately insured is an important backstop that should also be incorporated into your contract. But beware of boilerplate clauses. The insurance requirement should spell out not only the types of insurance policies and limits to be purchased, but also specific coverages associated with the risks that are unique to the vendor’s or supplier’s relationship to your business and its success. And you should, of course, expressly mandate that your company be named as an additional insured on the vendor’s insurance policies.

What’s good for the goose is good for the gander: Insist that your vendors measure up to your own high standards for cybersecurity. Your in-house and outside counsel are the best source for language tailored to protect you in light of the risks presented by both sides of the contractual relationship.