As businesses continue to rely on third-party vendors to provide critical services and products, managing and mitigating vendor cyber risk has become a crucial aspect of overall cybersecurity. Vendors can pose a significant threat to an organization’s cybersecurity posture, and their vulnerabilities can have cascading effects on the organization’s data and systems. Lawyers, in particular, need to be aware of these threats to uphold their fiduciary duties. Vendors may have a different interest in securing client data than the company itself, and a company’s hundreds of vendors and sub-vendors may have varying risk profiles. It is vital for companies to establish objective and repeatable processes for cybersecurity triage in order to reduce their exposure to new vendor risks.
A recent example of a vendor-related data breach occurred when Uber drivers’ personal and confidential information was compromised due to a data breach at Genova Burns, outside counsel for Uber.[1] A second example occurred when the personal information of more than 800,000 current and former students in dozens of U.S. school districts was compromised due to a cyber-attack on the districts’ vendor, Illuminate Education.[2] Hackers often exploit vendors as the path of least resistance to breach a company’s security.
In order to protect themselves from numerous threats posed by various individuals or groups, companies need to re-evaluate their relationships with vendors and prioritize the elimination and mitigation of cybersecurity risks. Lawyers can be instrumental in helping clients manage and decrease the cyber risks related to vendors. To this end, we present ten strategies that lawyers can use to assist their clients in reducing their vendor cyber risks.
- Conduct Vendor Risk Assessments
Lawyers should advise their clients to conduct vendor risk assessments regularly. A vendor risk assessment is a comprehensive review of a vendor’s security controls, policies, and procedures. It helps identify potential risks and vulnerabilities that may impact the organization’s data and systems. Lawyers should work with their clients to create a risk assessment framework that includes vendor classification, evaluation criteria, and assessment frequency.
- Implement Vendor Security Requirements
Lawyers should advise their clients to implement security requirements that vendors must meet to do business with the organization. These requirements should be outlined in contracts, service-level agreements, and other relevant documents. The security requirements should be based on the organization’s risk assessment and should address areas such as data privacy, access controls, incident response, and business continuity.
- Monitor Vendor Security Compliance
Lawyers should advise their clients to monitor whether their vendors comply with industry-specific cybersecurity standards, such as the Payment Card Industry Data Security Standard (PCI DSS) for payment vendors and the Health Insurance Portability and Accountability Act (HIPAA) for healthcare vendors. This includes conducting periodic assessments, reviewing audit reports, and carrying out on-site visits. Organizations should also require vendors to report any security incidents promptly.
- Implement Access Controls
Lawyers should advise their clients to implement access controls to limit the number of individuals who have access to sensitive data. This includes requiring multi-factor authentication, access logs, and background checks for vendors who have access to the organization’s systems.
- Review Vendor Contracts
Lawyers should review vendor contracts to ensure that they include appropriate cybersecurity provisions. These provisions should address areas such as data ownership, liability, breach notification, security audits, incident response protocols, and termination clauses.
- Training
It is important to provide training to both your information security personnel and all employees regarding proper security practices and what to do in the event of a cyber incident. Human error is often the cause of data breaches rather than technology failure. The training program should also include real-life examples of losses suffered by companies due to careless security practices. This should also cover breaches that may have occurred due to malicious actors accessing company resources through vendors.
- Conduct Thorough Due Diligence
Before engaging the services of any vendor, it is imperative that businesses undertake comprehensive due diligence to mitigate potential risks. This involves conducting a meticulous risk assessment to ensure that the vendor is trustworthy and secure. To accomplish this, businesses should review the vendor’s security policies to evaluate their commitment to safeguarding data and privacy. Furthermore, they should carry out extensive background checks on the vendor to ascertain their credibility and reputation. Finally, businesses should investigate any previous cyber incidents involving the vendor, to assess the adequacy of their security measures and their ability to respond to security breaches. By conducting thorough due diligence, businesses can minimize the risk of cyber threats and safeguard their confidential data.
- Consider Cyber Insurance
Lawyers should advise their clients to consider purchasing cyber insurance. Cyber insurance provides financial protection in the event of a data breach or other cyber incident. It can also provide access to resources, such as incident response teams and legal counsel.
- Establish Incident Response Plans
Lawyers should advise their clients to establish incident response plans that include vendors. These plans should outline roles and responsibilities, communication procedures, and escalation protocols. Vendors should also be required to have their own incident response plans in place.
- Consult with Experts
Lawyers should advise their clients to consult with cybersecurity experts to develop a comprehensive cybersecurity strategy that includes vendor risk management. Cybersecurity experts can provide guidance on risk assessment, vendor selection, contract negotiation, and incident response planning.
In conclusion, the importance of mitigating vendor cyber risk cannot be overstated. Businesses that fail to take the necessary precautions to protect their data from vendor cyberattacks risk devastating consequences, including loss of revenue, damage to reputation, and legal liability. Lawyers can play a critical role in helping their clients reduce their vendor cyber risks by implementing these ten strategies and providing ongoing support to ensure their vendor risk management program remains effective over time.
Daniel B. Garrie is a distinguished neutral with JAMS, an arbitrator, mediator, and special master with expertise in cybersecurity, data privacy, e-discovery, and intellectual property. He is the Founder and Managing Partner of Law & Forensics LLC, where he leads the cybersecurity and forensic practice teams and frequently testifies as an expert witness on e-discovery, cybersecurity, and computer forensics. Additionally, he is a Fellow of the Academy of Court-Appointed Neutrals. He is also a Professor at Harvard in the School of Continuing Education, teaching Information Security, Computer Forensics, and Cybersecurity Law.
Jennifer Deutsch, Director of Privacy Services at Law & Forensics, LLC, is a renowned privacy professional and licensed attorney focused on ensuring data security and privacy standards. Holding International Association of Privacy Professionals (IAPP) certifications for the US and EU, her expertise lies in cybersecurity audits, compliance assessments, and digital forensics investigations. Currently, she’s advancing her knowledge in Cybersecurity Risk Management with a Master’s from Georgetown University.
Disclaimer: The content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.
[1] Alessandro Mascellino, Uber Drivers’ Data Exposed in Breach of Law Firm’s Servers, Info Security Group, April 6, 2023, https://www.infosecurity-magazine.com/news/uber-data-exposed-law-firm-breach/ (last visited April 15, 2023).
[2] CASBO, Nation’s 3 Largest Districts Experience Data Breach, June 21, 2022, https://www.casbo.org/nations-3-largest-districts-experience-data-breach/?utm_source=rss&utm_medium=rss&utm_campaign=nations-3-largest-districts-experience-data-breach (last visited April 14, 2023).