Preplanning is the key to managing or avoiding a cyber incident. There are many ways to clean up your house internally and many ways to assess and plan for possible exposure. Preplanning is not just about your own internal practices, however: it’s also about ensuring that your suppliers are managing their practices to your standards. Establishing your own “best practices” and policies is important to risk assessment and mitigation and to a defense based on the use of reasonable measures of protection. That effort may lose some effectiveness, however, if you fail to hold others to your standards when they are performing work for you. What follows are some basics to consider when evaluating your vendors and their commitments to your cybersecurity, as well as some specific measures to employ with those suppliers whose work might present a risk to your company data.
What Vendors Present a Risk?
The presence of any third party in your business creates potential risk. Their employees and contractors are not subject to your policies directly; they may work with minimal supervision; and they may need access to otherwise-restricted equipment, areas or systems. Containing any exposure starts with assessing the risks.
As a baseline, it is important to consider what kinds of third-party work may have direct implications for your network and data security. Obvious choices for any business include IT workers, software licensors, providers of cloud-based services (such as HR or other portals) and consultants whose role includes business continuity or disaster recovery. Such service providers will have direct access to, or the opportunity for direct access to, your sensitive internal data. Depending on your industry, you might also have other types of service providers whose work implicates your proprietary data. Examples include payment card processors for retail businesses, e-mail marketing list managers, fleet or sales force management providers who track various elements of your workflow and workers, and more. Any provider with direct access to your confidential data should be considered.
Third parties whose work may not be directly related to your data, but who have access to your systems, should also be on your list for evaluation and discussion: remember that the 2013 breach of Target’s network of consumer card data came through a security hole in its HVAC system. Examples might include providers of networked equipment or storage services for equipment, contractors who perform build-out services that will include space for servers or other equipment, and of course service providers who have access to your network via HVAC and other controls.
Best Practices with Vendors
Once you have a handle on the types of vendors in your ecosystem and what kinds of access they have to equipment, space and data, you can begin to vet their security savvy. This due diligence should not be taken lightly. Asking about their security practices can tell you much about how likely they are to work on your behalf if the unthinkable happens and you (or they) suffer a security incident that compromises your data. All of the following questions are fair game and would give you a good start on assessing a supplier: what technologies they use, how secure those technologies are, whether their services include nontechnological security processes, whether their other customers have suffered any data incidents, what the process would be if you or they discovered a breach of your system, and how they propose to handle credentials and access matters. Your IT or risk management team undoubtedly has a specific list, or your legal counsel, cyber insurer or another outside expert can also help vet key vendors.
In addition to asking questions about the vendor’s work and experience, you can develop internal standards or guidelines that form the minimum set of security requirements in any vendor agreement. Having a standard set of “asks” helps you manage risk by creating a uniform operating standard below which you know various third parties will not fall. This approach, in combination with a well-drafted set of service promises, can limit your exposure from any one vendor. Using the same baseline risk allocation terms across several service providers improves your protection.
Standard Contractual Terms
When considering how to standardize your company’s vendor “asks,” the main risk allocation terms to consider are the confidentiality obligations of the parties, the representations and warranties, the indemnification provisions and the limitations of liability.
The more often sensitive data are involved in any services agreement, the more likely it is that they will constitute a separately-defined category of “confidential information.” This makes them subject to heightened performance standards, and can make a data breach a standalone cause of action. It may also help tie data breaches to a full indemnification promise that is not subject to the contract’s limits on liability. It is a good idea to define your sensitive data as a specific component of your confidential information for all those reasons.
“Reps and warranties” are contained in nearly every contract. In IT and service agreements, it is common to have a warranty relating to the quality of the work to be performed, the qualifications of the people who will perform it and perhaps the results. In the security setting, these warranties might include any or all of the following, as a starting point:
• Meeting an agreed standard or using agreed technologies to secure your property.
• Taking some defined measure of care designed to prevent certain activities with your data: loss, theft, use of, access to or distribution of your information, for example, all might be considered.
• Employing standard patch, virus, firewall and other protections within one release of current.
• Notifying you of data security issues, investigating those issues at their cost, working promptly to remedy any issue and taking measures to prevent the recurrence of the issue.
• Ensuring that the vendor’s employees and others will be subject to restrictions regarding confidential information (as defined) no less stringent than those applicable to your agreement as a whole.
• Ensuring that the vendor’s employees and others will be qualified as per any industry guidelines for the services they perform.
• Carrying cyber liability insurance of a kind and amount acceptable to you.
• In the case of security providers, that services performed or goods provided will provide the agreed-upon security results.
Once the reps and warranties are defined, the indemnification obligations from your vendor will, ideally, track those obligations. At its simplest, an indemnification against any “breach of the agreement” or “breach of Supplier’s representations or warranties” is a common way to tie them together. There might also be a direct indemnification obligation relating to the costs of any data breach involving your confidential information. Note that these can be very tricky to draft for full coverage, and there are many ways for a savvy vendor to limit them.
Finally, for the indemnification clauses to maintain their full impact, any limitation of liability clause should contain an express exception for the vendor’s indemnification promises. This has the effect of allowing you to recover more than any contractually agreed limit, if drafted correctly. In addition, you might consider certain specific exceptions that relate to different obligations under the agreement. For example, the commonly accepted exception for “breach of obligations relating to confidential information” will cover your data security requirements if you have defined “confidential information” in such a way as to include your protected data. Likewise, your reps and warranties and their associated indemnification promises can be crafted into explicit exceptions to any contractually agreed liability cap.
As with most corporate undertakings, planning ahead and standardization are two tools that can yield real benefits in the vendor management setting as it relates to cybersecurity. Assessing what kinds of standard questions to ask your suppliers and what kinds of standard protections you need from them is usually time well spent. In cybersecurity, as in so many things, an ounce of prevention is worth far more than a pound of cure. Knowing your standard demands—and fallback positions, since very few vendors will simply acquiesce to all your “asks”—is a good start to the effort of vendor management for cybersecurity planning reasons.