
Vetting third-parties: important for organizations, a game-changer for vendors

May 30, 2023
Posted by Aware Force

Outsourcing cybersecurity services is becoming increasingly difficult because of tightening rules in the cyber insurance industry. That is creating an aggressive new approach to vetting vendors.

The process is becoming more exhaustive, especially in financial services. Service providers are being required to provide far more information about their cyber practices, sometimes with vetting that includes 250 or more data requirements.

Several high-profile cybersecurity incidents in recent years have highlighted the risks that vendors can pose to an organization’s data and systems. Target, Netflix, and Ticketmaster have suffered breaches, and coverage in media has damaged reputations and affected stock prices. Thousands of other incidents have gone unreported.

Understanding Third-Party Risk: Key Points

The potential for data breaches originating with vendors is increasing as organizations rely on them. Vendors have different levels of cybersecurity maturity, making it essential for organizations to assess and monitor their vendors' security practices.

The vendor risk assessment company UpGuard has published five things you need to know about third-party risk.

  • Attackers often target smaller, less secure vendors as entry points to breach larger organizations.
  • Companies must understand their first-tier vendors' management of their own third parties, including overseas challenges and unsecured cloud instances.
  • Customers and legal systems hold primary companies responsible for security risks, even if due to a vendor's lax security. Proper due diligence and risk management are crucial.
  • Organizations need to address risks even in former third-party relationships. Ensure proper handling of sensitive data during and after the business relationship.
  • A proactive approach to risk is essential, integrating all categories of third parties and risk areas. Reactive measures leave organizations exposed to high levels of risk.

Jerry Archer, chief security officer for Sallie Mae, says that the real courtship begins once a vendor has passed the RFI stage. “I need to know their security teams,” Archer says. “I need to know if I can count on them. I need to know their expertise.” When that expertise is lacking, but “the business really wants to do work with a particular vendor,” he adds, “we send some of our subject matter experts to work with their folks to bring them up to a level that we deem appropriate.”

Insurers are also looking at how organizations authenticate privileged users from vendor organizations who need access to sensitive data and company systems. Vendor accounts carry the same risk as employee accounts, yet they are rarely given the same security consideration. For instance, if a vendor is onboarded for a brief two-week engagement, they should be onboarded and offboarded through the same HR processes as a new employee so that their access ends when the engagement does.
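One way to turn that expectation into a recurring check, written here as an added example rather than anything from the article or from Aware Force: audit an export of identity records for vendor accounts that have no recorded engagement end date, are still enabled after that date has passed, or hold privileged access without MFA. The record schema, field names, issue codes and every account below are constructed for illustration; a real deployment would read the same fields from the identity provider's export.

```python
"""Audit vendor accounts against the lifecycle and authentication expectations
described above. Constructed example: schema, issue codes and sample records
are hypothetical, not taken from any real directory."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    account_type: str               # "employee" or "vendor"
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    engagement_end: Optional[date]  # contract end for vendors; None for employees


def audit_vendor_accounts(accounts: List[Account], today: date,
                          grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for enabled vendor accounts that
    violate the lifecycle or authentication expectations.

    grace_days allows a short window after the contract end before an
    account is reported as stale (0 = report the day after it ends)."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        # Employees are governed by the HR joiner/leaver process already,
        # and disabled accounts have been offboarded.
        if acct.account_type != "vendor" or not acct.enabled:
            continue
        if acct.engagement_end is None:
            # Without an end date nothing will ever trigger offboarding.
            findings.append((acct.username, "NO_END_DATE"))
        elif acct.engagement_end + timedelta(days=grace_days) < today:
            findings.append((acct.username, "STALE_AFTER_ENGAGEMENT"))
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.username, "PRIVILEGED_WITHOUT_MFA"))
    return findings


# Constructed sample export; the audit date matches the article's publication date.
AUDIT_DATE = date(2023, 5, 30)
SAMPLE_ACCOUNTS = [
    Account("alice.employee", "employee", True, True, True, None),
    Account("acme-svc-01", "vendor", True, True, True, date(2023, 5, 12)),   # two-week job, never removed
    Account("beta-consult", "vendor", True, True, False, date(2023, 6, 15)), # active, but privileged without MFA
    Account("gamma-dev", "vendor", True, False, True, None),                 # no contract end recorded
    Account("old-vendor", "vendor", False, True, False, date(2022, 1, 1)),   # already offboarded
]


def run_sample_audit(grace_days: int = 0) -> List[Tuple[str, str]]:
    return audit_vendor_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE, grace_days)


if __name__ == "__main__":
    for user, issue in run_sample_audit():
        print(f"{user}: {issue}")
```

Running the script against the sample export reports the stale two-week account, the privileged consultant without MFA, and the vendor identity with no end date, while the employee and the already-disabled account are left alone. Raising grace_days to 30 suppresses the stale finding for the account whose engagement ended 18 days earlier, which is how a team would tune the check to its contract-closeout process.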

Best practices to reduce third-party risks

Assess third-party security testing and incident response plans:

  • Ensure vendors conduct regular penetration and social engineering tests.
  • Check for documented follow-up and remediation of issues.
  • Verify annual third-party security testing.
  • Examine vendors' incident detection, response, and follow-up procedures.

Ensure vendors share cybersecurity best practices and provide adequate training:

  • Check for confidentiality agreements, security training, and access management.
  • Verify proper training for employees, contractors, and vendors.

Document data breach notification requirements in contracts:

  • Include vendor notification requirements upon a data breach, specifying timeframes.
  • Set cybersecurity risk expectations and requirements with vendors.

Rethink partnerships if vendors don't cooperate after breaches:

  • Establish conditions for action, such as deep audit testing in case of a breach.

Consider extending your cybersecurity programs to partners:

  • Include them in training.
  • Share cybersecurity awareness content.

To strengthen your cybersecurity posture and raise awareness about cybersecurity best practices across your organization, Aware Force has the content you need.

Check our Cybersecurity Newsletter page to learn more, or connect with us, and in 15 minutes you'll see why Aware Force has raving fans across North America.
