Cybersecurity risk from third-party service providers, vendors, suppliers and contractors (collectively referred to in this article as third-party providers) is a significant source of risk to businesses and professions. According to a recent study of information security practices, 74 percent of companies do not have a list of third-party providers who handle their employee and customer data.[1] Another survey revealed that only 42 percent of businesses even consider vendor risk in their work.[2] Not surprisingly, this lack of attention to third-party providers has consequences. In a 2013 Global Security Report by Trustwave, the authors discovered that out of 450 investigations of data breaches, 63 percent of them were directly linked to a third party providing IT services.[3]

Managing third-party provider risk is plainly integral to an organization’s overall cybersecurity risk management program. Responding to the growing recognition of “third-party risk,” regulators are sharpening their focus on how businesses manage third-party providers, to the point of mandating (or at least strongly encouraging) specific types of terms in contracts with parties that access or manage a company’s systems or data. Regulators are further extending their reach by mandating cybersecurity policy content and certain risk management practices for third-party provider arrangements. The much-discussed new rule pending with New York’s Department of Financial Services (the “DFS Rule”)[4] is just one of the latest examples of regulators picking up the pen on commercial contracts involving cyber risk and on cyber policies involving third-party providers. As currently worded, the DFS Rule (effective on March 1, 2017) requires financial entities to create written security policies specifically addressing third-party providers. This includes the use of certain contract terms requiring third-party providers to establish multifactor authentication and encryption capabilities and to adhere to 72-hour notification requirements following a breach.[5]