How to Reduce Your Cybersecurity Risk Profile through Vendor Management

Regardless of the size or complexity of your organization, you are likely using third-party vendors to leverage their expertise, help lower costs and improve efficiencies, and expand your organization’s capabilities. Engaging third-party vendors who will have access to your system in the age of the dark web, ransomware, and cyber-terrorism, however, can significantly increase your company’s data security risk profile.

Notwithstanding the constant barrage of media reports and scary anecdotes about cybersecurity breaches, there are some simple steps you can take to reduce your risk profile. These steps can be taken with minimal resources and without significant amounts of technological sophistication.

1. Perform vendor due diligence before any engagement

Just as you would with any important long-term partner, make sure you know who you’re doing business with before you commit.

Consider creating and consistently using a standard data privacy and security vendor assessment questionnaire. This can help provide an efficient tool for gathering the information you need to conduct your due diligence. It can also help you make a rational comparison among responses from several potential vendors. You can start with simple due diligence-type questions, such as:
• Has the company ever been subject to a breach?
• How do they background check their employees?
• How do they train employees?
Some simple technology questions can also be helpful:
• How do you control user access to the sensitive data?
• Is there a disaster recovery/business continuity plan in place?
You can tailor your questionnaire to address items important to your organization, as well as any applicable laws, regulations, and/or industry standards. Reputable vendors should be familiar with these questionnaires. A technology vendor who balks at a reasonable assessment questionnaire may be cause for concern.

Third-party assessments
In addition to gathering information from the vendor, consider requiring your more critical potential vendors to provide independent, third-party security assessments, audits, or certifications during your pre-engagement due diligence. Examples of such assessments include AICPA Service Organization Controls (SOC) 2 reports.

Independent research
Perform your own due diligence by accessing some simple background information on the internet. Organizations like the Better Business Bureau and the Ponemon Institute can be excellent resources in your due diligence activities, and there are a number of sites available that provide comprehensive data security management resources.

2. Ensure appropriate contractual protections are in place

Your contracts are your friends; at least, they should be. Now that you’ve gotten to know your soon-to-be vendor, make sure you’re on the same page (or several pages) before you commit.

Vendor agreement provisions
When given the option, vendors will always want to use their own terms and conditions. These vendor-friendly provisions will not protect your organization. Consider creating and consistently using a standard data privacy and security addendum that includes appropriate terms to ensure your vendors are protecting your data and systems in a manner that, at a minimum: (1) meets or exceeds your organization’s own practices; (2) adheres to your organization’s policies and procedures; and (3) complies with applicable laws, regulations, and industry standards. These terms should address, at a minimum, the following:
• The standard of care for data privacy and security, including administrative, technological, and physical safeguards;
• Clarifying who has access and the level of appropriate access to the organization’s IT systems and use of data;
• Prohibitions on disclosure of data and applicable exceptions;
• Compliance with applicable laws, regulations, and industry standards;
• Requiring periodic attestations of compliance;
• Pass-through obligations for the vendor’s subcontractors and other service providers;
• Privacy and data security performance expectations, as appropriate;
• Obligations to return or destroy copies of the organization’s data;
• Security incident response and reporting requirements, including ensuring the vendor bears the response costs for a breach under its watch;
• Auditing and monitoring rights and obligations; and,
• Risk allocation, particularly in the event of a data breach or other security incident, such as: (1) indemnification; (2) cyber insurance requirements; and (3) cost allocation for regulatory penalties and other liabilities relating to privacy and data security failures.
Such an addendum can be attached to new or existing master service agreements, even if those agreements are drafted by your vendors. Even when business circumstances dictate using a vendor’s data privacy and security terms, having developed your own standard terms will leave your organization better prepared to assess and manage the risk of accepting the vendor’s terms.

3. Don’t forget about your vendor after the contract is signed

Just like any healthy relationship, you don’t want to forget about your partner once you’ve signed the contract.  

Ongoing oversight and management
While selecting proficient and reputable vendors and executing appropriately protective agreements are two very important steps, you also want to make sure you continue to manage your vendor risk on an ongoing basis. At a minimum, this oversight should address the following:
• Monitoring vendor performance and auditing as appropriate;
• Ensuring vendors are providing periodic attestations of compliance;
• Questioning the vendor about its safeguards relating to new risks as they arise;
• Early identification of potential issues that could impact your data privacy and security exposure; and,
• Protection of the organization after the relationship has ended, including appropriate return or destruction of data.
These simple steps of performing due diligence, setting appropriate expectations, and showing a continued commitment to the relationship can help minimize your cybersecurity risk profile and allow you to take advantage of the benefits and efficiencies offered by vendors. 

About the Authors

Christina “Chris” Allyn is a partner in the Denver law firm Moye White, as well as a former senior vice president and general counsel, and a chief privacy officer of well-known multinational companies. Chris draws on nearly two decades of experience guiding companies and their leaders through a wide range of domestic and international legal issues, including data privacy and security, complex commercial transactions, regulatory compliance, general corporate and strategic matters, intellectual property, and other matters. She is a recipient of the National Diversity Council’s 2014 Colorado’s Most Powerful and Influential Women Award.

Eric Hilty is the chief legal officer for the National Multiple Sclerosis Society. Prior to starting at the Society in 2011, he managed litigation for Apartment Investment and Management Company (AIMCO) and was a litigation partner at Holland & Hart. Eric is based in Denver.