Chapter 14
Offshore Third‐Party Cybersecurity Risk

Offshore vendors pose a different risk from those located within your home country. Most of the time, the term offshore refers to vendors located in countries where business process outsourcing is common, for example, India, the Philippines, Vietnam, and countries in South America, as opposed to the United States, Canada, Europe, and other countries where costs can be higher than for the same processes outsourced to a lower‐cost location. Challenges exist in performing both due diligence and due care for a remote location, and offshore suppliers bring differences in standards, practices, regulations, culture, and other risks compared with a supplier local to your shores.

Distance presents challenges for several reasons. First, the vendor's subject‐matter experts (SMEs) who participate in the due diligence conversations are remote and may be in different time zones, which makes scheduling a challenge. Typically, this can be overcome by including a local representative from the offshore vendor, and/or by having the remote staff work on your local time or on an agreed schedule that overlaps with the home country's time zones. There can also be issues with holiday coverage and notification risks. Second, the third party's distance makes performing on‐site due diligence costly in terms of time and travel. Some countries require a visa for entry, and reaching them can take a full day of travel, depending on the locations and connecting flights.

Local regulations for data privacy and data security are a risk because they can differ greatly from those of your country or region. It is not hard to see how a U.S.‐based company could outsource to Argentina (for Spanish‐speaking expertise and a lower‐cost support model), a country covered by the Ibero‐American Data Protection Network (RIPD is the acronym in Spanish). Further, in 2000, under its National Constitution, Argentina enacted the Personal Data Protection Act 25.326 (PDPA) to help protect data privacy. The PDPA aligns with the EU data privacy model, and Argentina was the first Latin American country to be able to perform data transfers to the EU with the “adequacy” qualification. How does a firm deal with differences in how data privacy is treated? It can be argued that the data is coming from the United States and only concerns U.S. citizens and residents. However, there could easily be a U.S. resident who is also an Argentine citizen and your customer, and who is protected by the PDPA and the RIPD, which allow them access to their data. A bigger company could have hundreds of examples of such cross‐border regulations, which presents risks for how data is handled and stored that need to be addressed by offshore vendors.

Other risks include the countries themselves and how work is performed there, internet traffic that might be monitored or blocked, areas of the world where hackers and cybercriminals operate, and regions with the potential for armed conflict (including cyber conflict). These give a company a basis for determining boundaries where the risk to business, and cyber risk in particular, should be avoided. Some countries are known to block or monitor web traffic, which presents a risk for offshore data protection. If a region has a high rate of cybercrime and malware/ransomware attacks and is not prepared to deal with them, that is of particular concern when drawing boundaries on where offshore vendors can and cannot be located. The home government publishes an ever‐evolving list of countries with which business is forbidden, but this list is about the legality of working there, not the advisability. When drawing red lines around countries or regions for your business to avoid, do not confine them to what the regulations require; avoid the unnecessary risk of performing business in a country or region when less risky options are available.

The lifecycle of an offshore vendor is no different from that of a local one, but different risk considerations must be addressed at each phase. To make the process more concrete, we will explore how KC Enterprises manages the lifecycle of a remote or offshore vendor.

Onboarding Offshore Vendors

Onboarding an offshore vendor requires asking many of the same questions, but the focus on some areas is more pronounced, or different questions are added, because of the different risks. KC Enterprises' IRQ includes questions to ensure that these risks are caught early. The review includes extra risk questions and can trigger other third‐party risk domains to become more engaged. If you recall, in Chapter 5, KC's intake questions about potential offshore work included two separate questions about fourth‐party risk:

  • Will the vendor require other third parties to provide service to KC Enterprises?
  • Will the vendor or any of its third parties (i.e., KC's fourth parties) perform work or support services outside the United States?

These two questions are direct and designed to route these vendors to the appropriate questionnaires, additional contract language, and other due diligence processes focused on remote suppliers. When they are answered in the affirmative, the next set of formal due diligence questions on the intake assessment includes language and reviews tailored for them. At KC, the same team that performs local vendor due diligence also performs these reviews, as its members are trained or already have the experience necessary to perform them. On‐site assessment team employees are required to have valid passports so they can perform these activities in whatever country is required.

The questions for a Request for Proposal (RFP) do not change, as the RFP already includes a question about the potential for offshore risk: Does the product have any development or support outside the United States?

Because the RFP process uses a grading system, this risk can be graded as the answers are evaluated. Depending on the project, the grading will hinge on the project's scope (e.g., is it designed to be done offshore, or is onshore preferred?), and the risk is then weighed into those results. When the selected vendor is known to be remote, this data is carried into the next step (the IRQ).

This next step is to ensure that the vendor and internal business sponsor are aware of the KC Enterprises non‐negotiable: no KC customer or employee data may be stored or processed outside the United States. This means all work must be performed via remote access from the offshore vendor's location to a virtual environment at a KC data center or at a U.S.‐based co‐location or Cloud Service Provider (CSP). Given that solutions could be moved to the cloud and that existing due diligence workstreams already dealt with that risk, this was viewed as providing choices to the business while maintaining a low‐risk profile regarding entanglements in external data privacy laws such as the General Data Protection Regulation (GDPR).

The intake assessment process is designed both to vet vendors that could pose unnecessary risk to the company (e.g., those that will not encrypt data or that operate from a country that poses unneeded risk) and to perform due diligence on those that can proceed. For offshore business, the IRQ and intake questions focus on the key areas of risk for performing business outside the country. Because these locations are remote, validating physical security with an on‐site assessment becomes important and leads into the ongoing due diligence efforts.

Ongoing Due Diligence for Offshore Vendors

Ongoing due diligence for remote vendors requires the same activities—remote and on‐site assessments—but the questions and validation included vary slightly. Remote questionnaires can be performed annually for offshore vendors, but because of the risks there is also a requirement for a physical, on‐site security evaluation. At KC Enterprises, the Cybersecurity Third‐Party Risk team plans an on‐site assessment annually at each remote vendor. The assessments for KC's offshore vendors in India, the Philippines, and Ireland are each done in one trip per country, using different personnel for each journey.

Physical Security

The main purpose of a visit to these offshore vendors is to verify in person that security controls are in place as expected. As the assessment team approaches the Offshore Development Center (ODC), the evaluation has already begun, by noting how security around the ODC is performing, as follows:

Outside:

  • Indication: There should be no external indication of which clients the vendor manages or performs work for at the location.
  • Physical barriers around the building(s): Is there a wall or fence at least 8 feet high along with closed‐circuit cameras around the perimeter? Walk around the fence or wall to visibly check for any holes or access points and that the cameras are covering all angles. If there is no wall or fence, the visual inspection around the building should look for doors or access points that are not locked or guarded. When a wall or barrier is present, the distance should be sufficient to allow for interception before an intruder can get to the building itself.
  • Entry and guards: As the entry is approached, watch how the guards pay attention to others entering: Are they spending time matching identifications with the faces of the employees or guests? How are bags, purses, and other hiding places (e.g., jackets, fanny packs, etc.) inspected for any recording devices (e.g., cameras, phones, etc.)? Is the search cursory, with little interest in finding anything, or do the guards clearly understand the risk and treat it with proper curiosity?
  • Inspection: When it is your turn (i.e., the assessors) to pass through the security guard checkpoint and inspections, note how the process is handled. Did they have you sign into a guest log and sufficiently check and log your identification? Did they check your baggage for recording devices and require you to give them up, per the policy? Just because you are a customer does not mean the on‐site team should receive favorable treatment. If they allow this customer team through without holding them to the policy, then it is likely they are not following the process for others as well.
  • Logs: Ask to see the log for visitors to see how they manage it. View it with a critical eye for informational consistency on the visitors being logged, including dates, times, where they were from, who they were visiting, and logout dates and times. Ensure the log is filled out with data for each visitor as expected.
  • Any other entry controls: Note if a metal detector or other devices are used to screen staff and visitors. Are bollards located at the entrance to prevent a smash‐and‐grab? Are the entry controls and physical barriers sufficient to stop an unauthorized entry, or does it seem possible for someone to circumvent them with little effort?

Inside:

  • Production area: Ask to see the area where sensitive data is accessed first to assess physical separation and the Clean Desk policy. As the ODC's production area is approached, ensure there are no alternate access points into this area that would bypass the guarded main entry area. The entry to the production space should have another entry check, such as a badge and/or PIN code. When entering and observing this space, look for unattended desks with computers unlocked and sensitive documentation left out on the desk. Ask to view any break areas or supply rooms to also look for any documentation or devices that could contain sensitive data (e.g., laptops, hard drives, etc.) and that are left unattended.
  • Validation of physical separation: The Offshore Addendum states that production and development areas must have a physical separation. This division must be validated, with some discretion left to the on‐site team. The preference is for these areas to be separated on separate floors or in another building. There can be cases where the engagement with the vendor is small enough that having this level of separation is not possible without significant cost to the customer. In such cases, these areas can be located on the same floor but must have a barrier (i.e., wall) between the two areas.
  • Paper documentation security and destruction: If the production area will be managing paper documentation, then it is necessary to have a locked area where these papers can be securely stored when not in use. Also, a locked bin should be used to store such materials prior to their destruction. View the logs for destruction and verify that they are filled out completely.
  • Production workstation: There are restrictions on what the offshore workers can do on the VDI that need to be validated. Have one or more of them log in and substantiate that they cannot copy and paste out of the virtual desktop or access the internet beyond what they need to perform their job. Look at the desktop software running on the vendor's PC for any communication software that has access outside the supplier's network. Check to ensure that any external drives and media are not accessible physically or logically (i.e., can they plug in a thumb drive and download data to it?). Ensure antivirus and malware software are running and check to see when they were last updated.

These are the high‐level key security controls for the physical pieces. If the offshore staff supports other clients, make sure there are specific controls in place to address KC data and that systems access is isolated and separate. More of these can be added, depending on what sort of work a vendor performs and how they perform it for the customer.

Offboarding Due Diligence for Offshore Vendors

Offboarding an offshore vendor is similar to any other supplier, with the exception of the additional steps on the validation of any remote data destruction and connectivity termination. The steps to offboard a vendor start with the notification from the business about the impending change and dates of when the contract is to be finished. At KC Enterprises, the Cybersecurity Third‐Party Risk team performs a remote assessment, in addition to planning several conference calls along this timeline with milestones set for the vendor to meet.

Initial work by the team focuses on gathering all the following relevant data for the vendor, noting each item that requires confirmation and due diligence on the offboarding process:

  • Data records: If the vendor was processing paper records for KC, then there must be a certificate of destruction (COD) from the shredding firm confirming that all final documentation was destroyed. If there is a need to retain the documentation for legal or regulatory reasons, the team works with the vendor to securely transfer those records to the appropriate team for the duration of the retention.
  • Data: The contracts for offshore vendors at KC require them to wipe any hard drives or memory devices that were used for their services. These devices do not need to be destroyed, but the wiping process must include breaking the link between the hard drive encryption and its keys to ensure that the data cannot be recovered. While no data was stored locally, the VDI links and any other residual risks are reduced once the data is rendered non‐recoverable.
  • Connectivity: Offshore vendors connect to perform their services at KC through a VDI provided by their onshore partners/company. This ensures that no data ever leaves the country and lowers the risk of data leakage, as the desktop environment is controlled by KC's team. If a leased line or VPN is involved in that connectivity, then its termination follows the same path as other connections. Whenever a contract is going to be terminated, or a connection is no longer needed, the termination of the connectivity must follow a process that ensures it is completed and that the hardware is returned as requested. The trigger, whether automated or manual, is initiated by the vendor manager, who notifies both the operations staff and the TPRM teams of the impending cutoff.

Much like the intake process, which needs time to prepare for installation, removal also needs time. Ensure operations staff are ready to escort any vendor engineers needed on site and to provide physical validation to the Cybersecurity Third‐Party Risk team that each step is complete.

Inside Look: A Reminder on Country Risk

A reminder on the Vietnam supply‐chain attack: as previously mentioned, the Vietnamese government requires that all official documentation be digitally signed using certificates issued through the Vietnam Government Certification Authority (VGCA). The supply‐chain attack compromised the digital signature toolkit: the installers hosted on the VGCA's website, “ca.gov.vn,” were modified to contain spyware known as PhantomNet or Smanager. The toolkit is distributed by the government body that provides the cryptographic certificates required to digitally sign documents in Vietnam.

The attack took place from July 23 to August 16, 2020. The two modified installers, “gca01‐client‐v2‐x32‐8.3.msi” and “gca01‐client‐v2‐x64‐8.3.msi” for 32‐bit and 64‐bit Microsoft Windows systems, were the install packages that contained the malware. Because the downloads happened over a secured pathway (HTTPS), investigators concluded it was not a man‐in‐the‐middle attack, in which an attacker intercepts the back‐and‐forth traffic between the website and the user and redirects them to a malicious website. Instead, the attackers had altered the software itself and loaded it onto the legitimate website for download by unsuspecting victims.

Once the compromised software was downloaded and installed, the application ran the PhantomNet backdoor via a file named “eToken.exe,” which looked like a legitimate part of the software. The trojan then contacted a command‐and‐control server for further instructions.
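The lesson of the HTTPS detail above is that a clean transport says nothing about the artifact itself, so integrity has to be checked against a reference obtained through a separate channel. The following is an added example written for this chapter, not code from the book or from the VGCA's tooling; the file contents, manifest values, and "injected payload" bytes are constructed, and only the installer file names come from the text.

```python
import hashlib
import hmac

# Constructed stand-ins for the publisher's known-good builds. These are not
# real MSI contents; the file names are the ones cited in the chapter.
CLEAN_BUILDS = {
    "gca01-client-v2-x32-8.3.msi": b"constructed clean 32-bit installer",
    "gca01-client-v2-x64-8.3.msi": b"constructed clean 64-bit installer",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Reference manifest, assumed to have been obtained through a channel that is
# independent of the download site (the site itself may be what is compromised).
# Built here from the constructed clean builds.
MANIFEST = {name: sha256_hex(data) for name, data in CLEAN_BUILDS.items()}


def verify_download(name: str, data: bytes, over_https: bool = True,
                    manifest: dict = MANIFEST) -> dict:
    """Compare a downloaded artifact against the out-of-band manifest.

    over_https is recorded only to sharpen the verdict: a hash mismatch on a
    download that arrived intact over TLS points at the origin (a modified
    artifact on the server), not at an interception on the wire.
    """
    expected = manifest.get(name)
    if expected is None:
        return {"name": name, "verdict": "UNKNOWN",
                "reason": "no reference hash for this file; do not install"}
    actual = sha256_hex(data)
    if hmac.compare_digest(actual, expected):  # constant-time comparison
        return {"name": name, "verdict": "OK", "reason": "hash matches manifest"}
    reason = "hash does not match manifest"
    if over_https:
        reason += ("; transport was HTTPS, so the artifact was altered at the "
                   "source rather than swapped in transit")
    return {"name": name, "verdict": "TAMPERED", "reason": reason,
            "expected": expected, "actual": actual}


def simulated_downloads() -> list:
    """Constructed download set: one intact file, one altered at the origin,
    and one build the manifest has never heard of. All served over HTTPS."""
    x32 = CLEAN_BUILDS["gca01-client-v2-x32-8.3.msi"]
    x64 = CLEAN_BUILDS["gca01-client-v2-x64-8.3.msi"] + b" + injected payload"
    return [
        ("gca01-client-v2-x32-8.3.msi", x32, True),
        ("gca01-client-v2-x64-8.3.msi", x64, True),
        ("gca01-client-v2-x64-9.0.msi", b"constructed unlisted build", True),
    ]


def run_checks() -> list:
    """Verify every simulated download and return the verdicts in order."""
    return [verify_download(n, d, https) for n, d, https in simulated_downloads()]


if __name__ == "__main__":
    for v in run_checks():
        print(f"{v['name']}: {v['verdict']} ({v['reason']})")
```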

There have been additional supply‐chain attacks that point to Advanced Persistent Threats (APTs) going after whole sectors or countries. In the Able Desktop attack, the chat application was compromised, likely by a Chinese APT, to disrupt Mongolian government agencies. GoldenSpy was a case in which a software toolkit required by a Chinese bank contained a backdoor, and that toolkit was delivered to international trading firms doing business with the bank in China. Wizvera VeraPort, a security software manager popular in South Korea, was compromised by the Lazarus Group, a known North Korean hacking group.

While business in Vietnam, Mongolia, or South Korea has not stopped because of these APT supply‐chain attacks, they demonstrate that some countries carry additional risk depending on the adversaries active there and the political climate. Doing business offshore in certain regions carries additional cybersecurity risk due to state‐sponsored APTs.

Country Risk

Part of the risk of a country or region stems from cybersecurity risks. Performing work outside the company's home country, as described, entails risk due to the distance and differing regulations. It is prudent for a company to examine the risk of working remotely with vendors and to establish guidance the business can use to make less risky decisions about which nations or regions are considered acceptable and which pose undue risk. How this is accomplished varies by industry, regulatory guidance, and business operational decisions, but cybersecurity risks must also be considered. Does the area or country have an elevated danger of open conflict, or is it already at cyberwar with another? For example, the conflict between Ukraine and Russia has had a negative impact on business and life in Ukraine. In some countries, data does not flow as freely across the internet as in others. If there is known monitoring or blocking of traffic, it could pose an unnecessary risk to work being performed in those countries.

KC's Country Risk

There were times at KC when the process worked correctly for an offshore vendor, yet somewhere along the way it was “discovered” that the vendor was, in fact, in a country of “concern.” These were not countries the U.S. government had placed off limits, where doing business with them could land us in jail; they were countries that the cybersecurity teams knew carried higher risk than others. When these late discoveries were made, they often led to uncomfortable discussions with the internal business sponsors and the vendor. KC decided that the firm needed a unified, explainable definition of which countries were not acceptable for business and which were preferred, and that the reasoning behind these decisions had to be explained so it could be shared internally and externally.

The team based these definitions on a list that provided options for business but also set boundaries with some explanations. First, there was the easy list of sanctioned countries, including Cuba, Iran, North Korea, and Syria, resulting in no ambiguity about their exclusion. The policy was listed in several different standards as such:

No KC Enterprise employee, contractor, agent, or representative will engage in any discussions or business operations with a country currently listed by the U.S. Department of Commerce (DoC). In instances where a country is added to this list that already has a vendor(s) performing services for KC Enterprises, all activity must stop effective the date required by the U.S. Government and regulatory guidance.

The next part of the list contained the preferred countries. Preference meant that if one of these countries was selected as an offshore location, then standard due diligence would take place. If another country was chosen, then due diligence could require additional questions and did not guarantee approval. Preferred locations were, in this case, countries where the company already had an offshore footprint or that were seen as favorable for business operations. Favorable for business operations meant the government had long been friendly to western business operations, did not restrict or monitor internet traffic, and had capable infrastructure (e.g., technology, air travel, road travel).

The decision on these definitions produced a list for internal business that was easily explained:

  • Countries not permitted due to law or regulation: Cuba, North Korea, Syria, and Iran. Consult the latest U.S. DoC website for any updates. This can be driven by regulatory or legal limitations.
  • Countries KC Enterprises considers unfavorable for business: Afghanistan, Somalia, Yemen, Pakistan, Libya, Myanmar, Nigeria, Chad, Ethiopia, and Venezuela.
  • Preferred countries (current operations): Philippines, India, and Ireland.
  • Other countries: On a case‐by‐case basis.

For intake, it not only clarified preference, but stated that additional countries could be considered with the understanding that there would be more due diligence and no guarantee of approval. This had the effect of pointing most options to the three countries currently performing offshore work for the company. The process for the case‐by‐case basis was established for those times when it was required for a new country to be added to a restricted list or the preferred countries.

Countries not on the preferred list had to be reviewed by Cybersecurity Third‐Party Risk with the following criteria:

  • Is there a similar provider in an existing “preferred” country?
  • What is the state of cybercrime in the country?
  • Does the country monitor or block internet traffic?
  • Does the country pose an elevated risk to KC's data or network connectivity?

These security assessments of countries not already reviewed and approved for business operations enabled an open dialogue between business leadership, KC's upper management, and the cybersecurity team about the risks observed and the guidance provided. The process is not designed as a checklist but as a discussion of the findings and risks the Cybersecurity Third‐Party Risk team identified in relation to the business's operations and the benefits the offshore vendor provided. The first question, “Is there a similar provider in a country already on the preferred list?”, was one the internal business leadership was required to come ready to answer. If they were unsure or had not done the work to find one, that work had to be completed to provide a complete picture of how the risk could be avoided.

Conclusion

Performing work offshore to save a company money is not new, but a business can often underappreciate the cybersecurity risks that come with it. Setting clear boundaries of acceptable and non‐acceptable nations or regions in policy or standards provides early guidance to follow. If work is to be done offshore, then the on‐site physical validation assessment becomes a key security control in itself for due diligence efforts.

Ensure that data controls are in place to address any data exfiltration from the offshore vendors' premises, especially with the pandemic and remote access from homes in those countries by staff who would typically have worked from a controlled corporate location pre‐pandemic. The security of offshore operations—meaning those not in your primary company location and market—requires more work and controls because by definition they are very remote. This remoteness means performing regular on‐site due diligence, and other validations require an extra level of trust that can be achieved with tighter control language in contracts and due diligence.
