Offshore vendors pose a different risk than those who reside within your home country. Most of the time, the term offshore refers to vendors located in countries where business process outsourcing is typical (for example, India, the Philippines, Vietnam, and countries in South America) rather than in the United States, Canada, Europe, and other locations where the same processes cost more than they do in a lower‐cost location. Performing both due diligence and due care for a remote location is harder, and standards, practices, regulations, culture, and other risks differ offshore compared to a supplier local to your shores.
Distance presents challenges for several reasons. First, the vendor's subject‐matter experts (SMEs) who take part in due diligence conversations are remote and can sit in different time zones, which makes scheduling difficult. This is typically overcome by including a local representative from the offshore vendor, and/or by having the remote staff work on your local time or on an agreed schedule that overlaps with the home country's business hours. Holiday coverage and notification can also be a problem. Second, the third party's distance makes on‐site due diligence costly in time and travel; some countries require a visa for entry, and a trip can take a full day depending on the location and connecting flights.
Local regulations for data privacy and data security are a risk because they can differ greatly from those of your own country or region. It is easy to see how a U.S.‐based company could outsource to Argentina (for Spanish‐speaking expertise and a lower‐cost support model), a country covered by the Ibero‐American Data Protection Network (RIPD is the acronym in Spanish). Further, in 2000 Argentina enacted the Personal Data Protection Act 25.326 (PDPA) to protect data privacy. The PDPA aligns with the EU data privacy model, and Argentina was the first Latin American country permitted to receive data transfers from the EU under the “adequacy” qualification. How does a firm deal with differences in how data privacy is treated? It can be argued that the data comes from the United States and concerns only U.S. citizens and residents. However, a U.S. resident who is also an Argentine citizen could easily be your customer, and that person could be protected by the PDPA and the RIPD, which grant them access to their data. A larger company could have hundreds or more such cross‐border regulatory overlaps, each of which creates risk in how data is handled and stored and must be addressed with offshore vendors.
Other risks include the countries themselves and how work is performed there: internet traffic that may be monitored or blocked, regions from which hackers and cybercriminals are known to operate, and regions with potential armed conflict (including cyber conflict). These factors give a company a way to decide where the boundaries lie for business risk, and cyber risk in particular. Some countries are known to block or monitor web traffic, which is a risk to data protection offshore. A region with a high rate of cybercrime, malware, and ransomware attacks that is not prepared to deal with them is of particular concern when drawing the boundaries for where offshore vendors can and cannot be located. The home government publishes an ever‐evolving list of countries with which business is forbidden, but that list concerns the legality of doing business, not its advisability. When drawing red lines around countries or regions for your business to avoid, do not confine the decision to what the regulations require; avoid unnecessary risk from doing business in a country or region when less risky options are available.
The lifecycle of an offshore vendor is not different than a local one, but different risk considerations must be addressed at each phase. To make the process more descriptive, we will explore how KC Enterprises performs the lifecycle of a remote or offshore vendor.
Onboarding a vendor who is offshore requires that many of the same questions are asked, but the focus on some areas is more pronounced or incorporates different questions due to the different risks. KC Enterprises' IRQ includes questions to ensure that these risks are caught early. The review includes extra risk questions and can trigger other third‐party risk domains to become more engaged. If you recall, in Chapter 5, KC's intake questions about potential offshore work included two separate questions about fourth‐party risk:
These two questions are direct and are designed to route these vendors to the appropriate questionnaires, additional contract language, and other due diligence processes focused on remote suppliers. When they are answered in the affirmative, the next set of formal due diligence questions on the intake assessment includes language and reviews tailored to offshore work. At KC, the same team that performs local vendor due diligence also performs these reviews, as its members are trained or already have the experience needed. On‐site assessment team employees are required to hold valid passports so they can perform these activities in whatever country is required.
The questions for a Request for Proposal (RFP) do not change, as the RFP already includes a question about the potential for offshore risk: Does the product have any development or support outside the United States?
And as the RFP process uses a grading system, this risk can be graded as the answers are evaluated. Depending on the project, this grading will hinge on the project's scope (e.g., is it designed to be done offshore or is it preferred onshore?), but the risk is then weighed into those results. When the selected vendor is known to be remote, this data is added to the next step (in the IRQ).
This next step is to ensure that the vendor and the internal business sponsor are aware of KC Enterprises' non‐negotiable rule that no KC customer or employee data may be stored or processed outside the United States. This means all work must be performed via remote access from the offshore vendor's location into a virtual environment at a KC data center or a U.S.‐based co‐location facility or Cloud Service Provider (CSP). Because solutions could be moved to the cloud and due diligence workstreams already existed to deal with that risk, this was viewed as giving the business choices while maintaining a low‐risk profile with respect to entanglements in external data privacy laws such as the General Data Protection Regulation (GDPR).
The intake assessment process is designed both to vet vendors that would pose unnecessary risk to the company (for example, a vendor that will not encrypt data or that is located in a country that poses unneeded risk) and to perform due diligence on those that can proceed. For offshore business, the IRQ and intake questions focus on the key areas of risk in performing business outside the country. Because these locations are remote, validating physical security with an on‐site assessment becomes important and leads into the ongoing due diligence efforts.
Ongoing due diligence for remote vendors requires the same activities—remote and on‐site assessments—but the questions and validation included vary slightly. Remote questionnaires can be performed on an annual basis for offshore, but there is a requirement for doing a physical, on‐site security evaluation due to the risks. At KC Enterprises, the Cybersecurity Third‐Party Risk team plans an on‐site assessment annually at each remote vendor. The assessments for KC's offshore vendors in India, the Philippines, and Ireland are all done in one trip to each country but use different personnel for each journey.
The main purpose of a visit to these offshore vendors is to confirm in person that security controls are in place as expected. As the assessment team approaches the Offshore Development Center (ODC), the evaluation has already begun, by noting how the security around the ODC is performing, as follows:
Outside:
Inside:
These are the high‐level key security controls for the physical pieces. If the offshore staff supports other clients, make sure there are specific controls in place to address KC data and that systems access is isolated and separate. More of these can be added, depending on what sort of work a vendor performs and how they perform it for the customer.
Offboarding an offshore vendor is similar to any other supplier, with the exception of the additional steps on the validation of any remote data destruction and connectivity termination. The steps to offboard a vendor start with the notification from the business about the impending change and dates of when the contract is to be finished. At KC Enterprises, the Cybersecurity Third‐Party Risk team performs a remote assessment, in addition to planning several conference calls along this timeline with milestones set for the vendor to meet.
Initial work by the team focuses on gathering all the following relevant data for the vendor, noting each item that requires confirmation and due diligence on the offboarding process:
Much like the intake process, which needs time to prepare for installation, the removal needs preparation time as well. Ensure that operations staff are ready to escort any of the vendor's engineers who are required on‐site, and that they provide physical validation to the Cybersecurity Third‐Party Risk team when each step is complete.
A reminder on the Vietnam supply‐chain attack. As previously mentioned, the Vietnamese government dictates that all documentation must be signed using its digital signature through the Vietnam Government Certification Authority (VGCA). The supply‐chain attack compromised the digital signature toolkit: the installers on the VGCA's website “ca.gov.vn” were modified to contain spyware called PhantomNet or Smanager. The toolkit is distributed by the government agency that issues the cryptographic certificates required to digitally sign documents in Vietnam.
The attack took place from July 23 to August 16, 2020. The two modified installers, “gca01‐client‐v2‐x32‐8.3.msi” and “gca01‐client‐v2‐x64‐8.3.msi” for 32‐bit and 64‐bit Microsoft Windows systems, were part of the install packages that contained the malware. Because the downloads travelled over a secured pathway (HTTPS), investigators concluded that this was not a man‐in‐the‐middle attack, in which an attacker intercepts the back‐and‐forth traffic between the website and the user and redirects the user to a malicious site. Instead, the attackers had altered the software directly and placed it on the legitimate website for download by unsuspecting victims.
Once the compromised software was downloaded and installed, the application ran the PhantomNet backdoor alongside a regular file named “eToken.exe,” which looked like a legitimate part of the software. The trojan then contacted a command and control server for further instructions.
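The point of the HTTPS observation above is that transport encryption only protects a file in transit; it says nothing about whether the file on the server was the one the publisher intended. The defensive control a practitioner wants is to pin each installer to a digest obtained out‐of‐band (from the vendor over a different channel than the download site, or from a prior known‐good copy) and refuse to install on mismatch. The following is an added example, not code from the chapter or from the VGCA: it parses a sha256sum‐style manifest, hashes each downloaded file, and reports per‐file status. The file names are the ones the chapter gives; the file contents and the manifest are constructed in the `demo()` function so the block runs offline.

```python
from __future__ import annotations

import hashlib
import hmac
import tempfile
from pathlib import Path

# Installer names as given in the chapter; the bytes written for them below
# are constructed for this example and are not the real installers.
X32_NAME = "gca01-client-v2-x32-8.3.msi"
X64_NAME = "gca01-client-v2-x64-8.3.msi"


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse lines in sha256sum format: '<64 hex chars>  <filename>'.

    Blank lines and '#' comments are ignored; malformed lines are rejected
    rather than silently skipped, so a truncated manifest cannot pass.
    """
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name.strip():
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_downloads(download_dir: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry.

    Every file named in the manifest must be present and match; a file present
    in the directory but absent from the manifest is reported as 'UNLISTED'.
    """
    results: dict[str, str] = {}
    for name, digest in manifest.items():
        path = download_dir / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        # compare_digest avoids timing differences leaking how much of the hash matched
        results[name] = "ok" if hmac.compare_digest(sha256_of(path), digest) else "MISMATCH"
    for path in download_dir.iterdir():
        if path.is_file() and path.name not in manifest:
            results[path.name] = "UNLISTED"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: the x64 package is intact, the x32 package was altered on the server."""
    good_x32 = b"CONSTRUCTED-GOOD-INSTALLER-x32"
    good_x64 = b"CONSTRUCTED-GOOD-INSTALLER-x64"
    tampered_x32 = good_x32 + b"+backdoor"  # same name, different bytes

    # The manifest is built from the known-good bytes, standing in for a digest
    # list obtained out-of-band rather than from the download site itself.
    manifest_text = "\n".join(
        [
            "# constructed manifest for the example",
            f"{hashlib.sha256(good_x32).hexdigest()}  {X32_NAME}",
            f"{hashlib.sha256(good_x64).hexdigest()}  {X64_NAME}",
        ]
    )
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        (downloads / X32_NAME).write_bytes(tampered_x32)
        (downloads / X64_NAME).write_bytes(good_x64)
        return verify_downloads(downloads, parse_manifest(manifest_text))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

In practice the manifest should be fetched from a channel the attacker who controls the web server cannot also alter (a vendor contact, a signed release note, or the hash recorded when the package was first vetted); a digest published next to the download on the same site would simply have been modified along with the installer.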
There have been additional supply‐chain attacks that point to Advanced Persistent Threats (APTs) going after whole sectors or countries. In the Able Desktop attack, a chat application used by Mongolian government agencies was compromised by a likely Chinese APT. GoldenSpy was a case in which a Chinese bank's required tax software toolkit contained a backdoor that was delivered to international trading firms doing business with it in China. Wizvera VeraPort, a security software manager popular in South Korea, was compromised by the Lazarus Group, a known North Korean hacking group.
Doing business in Vietnam, Mongolia, or South Korea is not ruled out by these APT supply‐chain attacks, but they demonstrate that some countries carry additional risk depending on the adversaries present and the political climate. Doing business offshore in some countries carries additional cybersecurity risk because of state‐sponsored APTs active in those regions.
Part of the risk of a country or region stems from cybersecurity risks. Performing work outside the company's home country, as described, entails risk because of the distance and the differing regulations. It is prudent for a company to examine the risk of working remotely with vendors and to give the business guidance for making less risky decisions about which nations or regions are acceptable and which pose undue risk. How this is accomplished varies by industry, regulatory guidance, and business operational decisions, but cybersecurity risks must also be considered. Does the area or country have an elevated danger of open conflict, or is it already at cyberwar with another? For example, the conflict between Ukraine and Russia has had a negative impact on business and life in Ukraine. In some countries, the free flow of data across the internet is not what it is in others; where traffic is known to be monitored or blocked, work performed in those countries carries an unnecessary risk.
There were times at KC when the process worked correctly for an offshore vendor, yet along the way it was somehow “discovered” that the vendor was, in fact, in a country of “concern.” These were not countries with which the U.S. government said doing business could send us to jail; they were countries that the cybersecurity teams knew carried higher risk than others. When these late discoveries were made, they often led to uncomfortable discussions with the internal business sponsors and the vendor. KC decided that the firm needed a unified, explainable definition of which countries were not acceptable places to perform business and which ones were preferred, and that the reasons for these decisions had to be explained so they could be shared internally and externally.
The team based these definitions on a list that provided options for business but also set boundaries with some explanations. First, there was the easy list of sanctioned countries, including Cuba, Iran, North Korea, and Syria, resulting in no ambiguity about their exclusion. The policy was listed in several different standards as such:
No KC Enterprise employee, contractor, agent, or representative will engage in any discussions or business operations with a country currently listed by the U.S. Department of Commerce (DoC). In instances where a country is added to this list that already has a vendor(s) performing services for KC Enterprises, all activity must stop effective the date required by the U.S. Government and regulatory guidance.
The next part of the list contained the preferred countries. Preferred meant that if one of these countries was selected as an offshore location, standard due diligence would take place. If another country was chosen, due diligence could require additional questions and did not guarantee approval. Preferred locations were, in this case, countries where the company already had an offshore footprint and other countries seen as favorable for business operations. Favorable for business operations meant the government had long been friendly to western business operations, did not restrict internet traffic and was not known to monitor it, and had capable infrastructure (e.g., technology, air travel, road travel).
The decision on these definitions produced a list for internal business that was easily explained:
For intake, the list not only clarified preference but stated that additional countries could be considered, with the understanding that there would be more due diligence and no guarantee of approval. This had the effect of steering most options to the three countries already performing offshore work for the company. A case‐by‐case process was established for those times when a new country needed to be added to either the restricted list or the preferred list.
Countries not on the preferred list had to be reviewed by Cybersecurity Third‐Party Risk with the following criteria:
These security assessments for countries not already reviewed and hosting business operations opened a dialogue between business leadership, KC's upper management, and the cybersecurity team about the risks observed and the guidance provided. The process is not designed to be a checklist but rather a discussion of the findings and risks the Cybersecurity Third‐Party Risk team identified in relation to the business's operation and the benefits the offshore vendor provided. The first question, “Is there a similar provider in a country already on a preferred list?”, required the internal business leadership to arrive with an answer. If they were unsure or had not done the work required to find one, that work had to be completed to provide a complete picture of whether the risk could be avoided.
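The intake and country‐tiering rules described above (the sanctioned list, the preferred list, the non‐negotiable on data residency, and the case‐by‐case review with its first question about a provider in a preferred country) can be encoded so the routing decision is consistent and explainable rather than rediscovered late. The following is an added example, not KC Enterprises' or the book's own tooling. The sanctioned countries are the four the chapter names; the preferred list is an assumption based on the chapter's statement that India, the Philippines, and Ireland host KC's current offshore work; the country risk flags and the `IntakeAnswers` fields are assumed names standing in for the IRQ questions the chapter refers to but does not reproduce.

```python
from __future__ import annotations

from dataclasses import dataclass, field

HOME_COUNTRY = "United States"

# Named on the page as examples of sanctioned countries (DoC list).
SANCTIONED = {"Cuba", "Iran", "North Korea", "Syria"}

# Assumption: the three countries the chapter says already host KC offshore work.
PREFERRED = {"India", "Philippines", "Ireland"}


@dataclass(frozen=True)
class CountryProfile:
    """Risk factors the chapter says should shape a case-by-case review (assumed field names)."""
    monitors_or_blocks_internet: bool = False
    high_cybercrime_rate: bool = False
    armed_or_cyber_conflict: bool = False


@dataclass(frozen=True)
class IntakeAnswers:
    """Constructed stand-in for the IRQ answers that matter for offshore routing."""
    vendor: str
    country: str
    development_or_support_offshore: bool
    data_stored_or_processed_outside_home: bool
    alternative_in_preferred_country_checked: bool = False
    profile: CountryProfile = field(default_factory=CountryProfile)


@dataclass
class IntakeDecision:
    disposition: str              # "prohibited" | "hold" | "standard" | "case-by-case" | "domestic"
    reasons: list[str] = field(default_factory=list)
    required_actions: list[str] = field(default_factory=list)


# Due diligence the chapter describes for any approved offshore vendor.
OFFSHORE_DILIGENCE = [
    "offshore questionnaire and additional contract language",
    "annual remote questionnaire",
    "annual on-site physical security assessment of the ODC",
    "confirm work is performed by remote access into a home-country environment",
]


def evaluate_intake(a: IntakeAnswers) -> IntakeDecision:
    """Apply the tiering rules in priority order: sanctioned, data residency, preferred, other."""
    if a.country in SANCTIONED:
        return IntakeDecision(
            "prohibited",
            [f"{a.country} is on the sanctioned list; no discussions or business operations permitted"],
            ["stop all activity with this vendor"],
        )
    if not a.development_or_support_offshore and a.country == HOME_COUNTRY:
        return IntakeDecision("domestic", ["no offshore development or support"], ["standard local due diligence"])

    if a.data_stored_or_processed_outside_home:
        # Non-negotiable: the engagement cannot proceed as proposed.
        return IntakeDecision(
            "hold",
            ["proposal stores or processes customer/employee data outside the home country"],
            ["redesign so offshore staff use remote access into a home-country data center, co-location, or CSP"],
        )

    if a.country in PREFERRED:
        return IntakeDecision("standard", [f"{a.country} is a preferred offshore location"], list(OFFSHORE_DILIGENCE))

    # Not preferred: case-by-case review by Cybersecurity Third-Party Risk, approval not guaranteed.
    reasons = [f"{a.country} is not on the preferred list; approval is not guaranteed"]
    actions: list[str] = []
    if not a.alternative_in_preferred_country_checked:
        actions.append("business sponsor must confirm whether a similar provider exists in a preferred country")
    p = a.profile
    if p.monitors_or_blocks_internet:
        reasons.append("internet traffic in the country is known to be monitored or blocked")
    if p.high_cybercrime_rate:
        reasons.append("country has a high cybercrime, malware, or ransomware rate")
    if p.armed_or_cyber_conflict:
        reasons.append("country faces elevated risk of armed or cyber conflict")
    actions.append("country security assessment and risk discussion with business leadership and upper management")
    actions.extend(OFFSHORE_DILIGENCE)
    return IntakeDecision("case-by-case", reasons, actions)


if __name__ == "__main__":
    sample = IntakeAnswers("ConstructedVendor", "Argentina", True, False,
                           profile=CountryProfile(monitors_or_blocks_internet=False))
    d = evaluate_intake(sample)
    print(d.disposition, *d.reasons, *d.required_actions, sep="\n  ")
```

Keeping the rule order explicit (sanctioned first, then the data‐residency non‐negotiable, then preferred versus other) is what makes the outcome explainable to a business sponsor: the decision text names the single rule that produced it, so a late “discovery” about a vendor's country maps directly to a documented reason rather than an ad hoc judgement.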
Performing work offshore to save a company money is not new, but businesses often underappreciate the cybersecurity risks that come with it. Setting clear boundaries of acceptable and unacceptable nations or regions in policy or standards provides early guidance to follow. If work is to be done offshore, the on‐site physical validation assessment becomes a key security control in its own right for due diligence efforts.
Ensure that data controls are in place to address data exfiltration from the offshore vendor's premises, especially given the pandemic and the shift to remote access from homes in those countries by staff who would previously have worked from a controlled corporate location. Securing offshore vendors—meaning those outside your primary company location and market—requires more work and more controls because, by definition, they are very remote. That remoteness means regular on‐site due diligence, and the other validations require an extra level of trust that is achieved through tighter control language in contracts and in due diligence.