Dealing With the Cybersecurity Risks of Third-Party Vendors
In today’s interconnected digital landscape, companies increasingly rely on outside vendors and third parties for services, including cybersecurity. While this reliance can enhance operational efficiency, it also introduces significant vulnerabilities. These risks expose companies to cyber breaches, leading to compromised data, operational disruptions, costly insurance claims, and legal battles. As cyber threats evolve, understanding and mitigating these risks has become vital for businesses of all sizes and industries.
High-Profile Vendor-Related Cyber Attacks
- Microsoft Exchange Server Vulnerabilities (2021):
In March 2021, Microsoft disclosed that attackers were exploiting previously unknown vulnerabilities in on-premises Exchange Server to read mailboxes and plant web shells for persistent access, affecting thousands of organizations worldwide. Microsoft itself was not breached; its customers running the vulnerable software were, and those that patched slowly stayed exposed for weeks after the fixes shipped. The incident underscored the risk of relying on third-party software for critical business functions, and the need to track vendor security advisories and apply patches quickly.
- Change Healthcare Ransomware Attack (2024):
In February 2024, a ransomware attack on Change Healthcare, a healthcare technology provider owned by UnitedHealth Group, disrupted claims processing and pharmacy operations nationwide and compromised the protected health information of a large share of Americans (the company's own estimate was potentially one in three). The attackers used stolen credentials to log in to a remote-access portal that did not enforce multifactor authentication (MFA), a basic control, and moved from there into the company's systems. The incident highlighted the severe financial and direct patient-care impact a cyberattack can have on the healthcare industry, and the importance of assessing, and then continuously monitoring, a third party's security practices rather than taking them on trust.
- CrowdStrike Incidents (2023-2024):
In 2023, CrowdStrike, a leading cybersecurity vendor, reportedly thwarted a significant cyberattack. In July 2024 a very different event occurred: a defective content update to its Falcon endpoint sensor crashed roughly 8.5 million Windows hosts worldwide, grounding flights and taking hospitals and banks offline for hours to days. The outage was not an attack, but it shows that a security vendor with an agent on every endpoint is itself a single point of failure, and that the vendor's update pipeline is part of your supply chain. Any breach of, or failure at, such a vendor can expose customer data or disable the very tools customers rely on, which is why vendor relationships need ongoing monitoring rather than a one-time assessment.
- CDK Global Breach (2024):
In June 2024, CDK Global, which provides the dealer management software used by thousands of automotive dealerships, suffered a ransomware attack that took its core platform offline for roughly two weeks and gave the attackers access to sensitive data, including dealership operations and potentially customer details. Dealers with no fallback for sales, financing, and service scheduling were forced back to paper. The breach illustrates the ripple effect an attack on one shared platform can have across an industry built on it.
How Third Parties Increase Cybersecurity Vulnerability
Recent high-profile cyber incidents have highlighted the vulnerabilities and risks associated with vendors and third parties. Outsourcing functions like cybersecurity, payment processing, or data management inherently increases a company’s risk exposure. For example, if a vendor responsible for processing payments has inadequate cybersecurity measures and falls victim to an attack, the company’s customer data could be compromised. Such breaches are not hypothetical; they have occurred and often result in significant financial and reputational damage.
These dangers extend beyond the direct loss of data held by a prominent vendor. A compromised vendor usually holds some trusted path into your environment, such as a VPN tunnel, an API key, or a remote-support account, and attackers use that path as a gateway to infiltrate your network. This cascading effect can be particularly damaging, disrupting operations and giving rise to business interruption claims.
These scenarios create a variety of potential claims — between the company and its customers, the company and the vendor, and claims for coverage under applicable insurance policies. The potential for such claims, along with regulatory compliance concerns, underscores the importance of thoroughly assessing the cybersecurity posture of any third party before entering a business relationship.
Evaluating Third-Party Cybersecurity: A Proactive Approach
To safeguard against the cybersecurity risks associated with third parties, companies should thoroughly evaluate the cybersecurity measures of vendors before engaging their services. This evaluation should be a multi-faceted process involving both the IT/security team and the legal department.
- Vetting the Vendor:
Your IT or security team should rigorously assess the vendor's security practices to confirm that robust defenses are in place. Ask for evidence rather than assurances: a current SOC 2 Type II report or ISO 27001 certificate, the vendor's incident response plan and breach-notification timelines, and confirmation that MFA is enforced on every remote-access path into its systems (the control whose absence enabled the Change Healthcare attack). Where the vendor will handle personal data, confirm compliance with applicable privacy law such as the GDPR. If the vendor will have access to sensitive or confidential data, write the required security measures, notification deadlines, and response obligations into the vendor contract rather than relying on the vendor's own policies, which it can change unilaterally.
- Requiring Cyber Insurance:
Vendors should be required to carry cyber insurance covering breaches that could impact your operations, including third-party liability for hardware failures, system breakdowns, and business interruption claims. Confirm that the policy includes acceptable waiting periods and coverage limits to address potential damages and liabilities in the event of a major incident. Additionally, review the policy for exclusions or limitations that might impact your company's coverage, and require the vendor to notify you if the policy lapses or its terms change.
- Incorporating Risk-Shifting Provisions:
Your legal team should include risk-shifting provisions in contracts with third-party vendors. These provisions should ensure that if a breach occurs, the vendor indemnifies your company against both direct losses and third-party claims. This indemnification should cover ordinary and gross negligence as well as willful misconduct, and include reimbursement for any losses beyond what insurance might cover. Such contractual agreements shift the financial burden back onto the vendor in the event of a cyber incident. Indemnification is only as valuable as the vendor's ability to pay, which is why it should be paired with the insurance requirement above.
Responding to a Breach: Key Steps to Take
In the unfortunate event of a breach involving a third party, prompt and decisive action is essential. Here’s what to do:
- Activate Your Incident Response Plan:
Engage your IT and legal teams and open a line of communication with the vendor. Decide quickly whether the vendor's access should be cut off (VPN tunnels, API keys, service accounts, remote-support sessions), preserving logs and other evidence before you do so, and assess the breach's impact on your data, systems, customer information, and legal and compliance obligations.
- Document Potential Insurance and Vendor Claims:
  - Flag any extra expenses or financial losses incurred due to the breach. Ensure that your accounting team tracks all monetary damages to support any future claims.
  - Notify your insurance carrier without delay to avoid issues related to late reporting. Early notification ensures that the carrier can begin its review while you continue managing the breach's impact. Ideally, your cyber policy should include contingent/dependent business interruption and external systems coverage.
  - Consider consulting claims and forensic accounting experts to help package your damage claims and calculate your business interruption and extra expense claims. These professionals can assist in determining how your financial impacts are potentially covered under your insurance policy and help identify claims against the vendor. They will also review existing contracts to understand the terms and conditions, focusing in particular on indemnification provisions, risk-shifting, and insurance clauses.
- Draft a Notice Letter:
If a claim arises, your legal team or claims consultant should prepare a notice letter to the vendor, preliminarily outlining the agreement, the breach, and the vendor's contractual obligations. The vendor should forward this letter to its insurance carrier.
Legal Considerations and Compliance
Even if your company is not directly liable for a data breach, it must manage the aftermath, which could involve regulatory scrutiny and legal action. Be aware of any relevant regulations or legal implications that may apply. For instance, privacy regulations often mandate that companies notify customers of any breaches. The requirements vary by jurisdiction; the EU GDPR and UK GDPR, for example, require notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, and affected individuals without undue delay when the breach is likely to result in a high risk to them. Under the GDPR the data controller remains accountable even when the breach occurred at a processor, so "it was our vendor" is not a defense. Non-compliance can result in significant fines, reputational damage, legal action, operational impact, and supervisory authority investigations, further compounding the risks.
Additionally, the U.S. Securities and Exchange Commission (SEC) adopted cybersecurity disclosure rules in July 2023, with compliance required for most registrants from December 18, 2023. Public companies must disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, not four business days after the incident occurs, and the materiality determination itself must be made without unreasonable delay. The rules apply the securities-law standard of materiality: information a reasonable investor would consider important in making an investment decision, which in practice means an incident that significantly affects the company's operations, financial position, reputation, or legal exposure. A vendor incident can be material to your company even though the intrusion happened elsewhere. The rules also require annual disclosure in the Form 10-K (Regulation S-K Item 106) of the company's cybersecurity risk management, strategy, and governance, including board oversight. Public companies must familiarize themselves with how and when incident and annual disclosures must be made and the detail required.
Adapting to an Evolving Cyber Landscape
Cybersecurity is not static; attackers adapt as fast as defenses improve. Emerging technologies such as deepfakes and generative AI are now attacker tools. For example, a convincing deepfake of a CEO's voice or likeness on a call could persuade an employee to approve a fraudulent payment, hand over credentials, or click a malicious link, giving the attacker a foothold in the network.
Given these evolving threats, companies must adopt a comprehensive and proactive approach to cybersecurity. Relying on a single measure, such as insurance, is insufficient. Instead, companies should combine multiple layers of defense, including robust cybersecurity practices, carefully drafted contracts, and continuous monitoring of third-party risks.
Staying Ahead of Cyber Threats
As cybercriminals continue to innovate, businesses must remain vigilant. By understanding the risks posed by third-party vendors and implementing a multi-faceted cybersecurity strategy, companies can better protect themselves and their customers from potential threats. Taking these proactive steps will help safeguard against breaches and enhance the company’s overall resilience in an increasingly digital world.