The golden rule for every business man [or woman] is this: “Put yourself in your customer's place.”
—Orison Swett Marden, American author
Despite Marden's advice, it does not seem to be often that this occurs. This chapter, on the risks associated with engaging third-party vendors, is titled “Managing the Big Risk.” The reason it is called the Big Risk is that it is a big risk, perhaps the biggest. Third parties introduce a variety of risks into virtually every environment. Small and large companies alike use multiple third-party vendors. Some companies use literally thousands of third-party vendors to assist in a wide range of operations. While some third parties simply engage with companies to come in on a periodic basis to tend to the office plants or to exchange empty drinking water containers for full ones, others perform a wide array of information-related services that involve highly sensitive information.
Some third-party vendors are the proverbial back door, a door with perhaps less security, less reinforcement, fewer locks, a lower level of awareness, and less due diligence applied. This adds up to more risk. In an environment where security is strong, attackers would likely move to an alternative strategy. Sometimes this means that they attack through a third-party vendor.
Expect that the relationship between companies and third-party vendors is going to be on the fast track to change. Already the federal government is pressing for vendor management changes. Financial institutions and health care organizations are grappling with changes to the spirit and letter of increasingly restrictive regulations. Strengthening privacy regulations in the European Union will unquestionably exert influence over U.S. state and federal regulations that are, generally, less robust.
Federal and state government regulators of both financial services and health care industries are cognizant of the increasing risk posed by third-party vendors and are taking action. One of the regulations that addresses third-party vendor risk and responsibility is the health care Omnibus Final Rule, part of the Health Insurance Portability and Accountability Act (HIPAA). It was passed into law in March 2013 and the date for compliance was September of that year. But as with many regulations, the rate of compliance will not be as high as the Department of Health and Human Services would like it to be. This rule has a significant impact on third parties, or, as specified in the rule, “business associates.” The 563-page rule sets the stage for future information management practices.
The Office for Civil Rights of the Department of Health and Human Services describes the Omnibus Final Rule as “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” Business associates are now required to take responsibility for their subcontractors, an area of historical concern when it comes to third parties. Business associates must abide by the security and breach notification rules.1
The Federal Deposit Insurance Corporation (FDIC) links third-party vendors to reputation risk. FDIC guidance states that “reputation risk is the risk arising from negative public opinion. Third-party relationships that result in…security breaches resulting in the disclosure of customer information are…examples that could harm the reputation and standing of the institution. Any negative publicity involving the third party, whether or not the publicity is related to the institution's use of the third party, could result in reputation risk.”
The guidance also links third-party vendors to operational risk, “the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. Third-party relationships often integrate the internal processes of other organizations with the institution's processes and can increase the overall operational complexity.”2
The FDIC has issued recommendations on conducting vendor due diligence, practices that all companies should commit to in examining the suitability of third-party vendors. The evaluation of a third party may include the following:
Third-party companies contract with companies to manage e-mail lists, patient data, and financial information, and also often have direct access to extremely sensitive intellectual property and trade secrets. It is hard to imagine conducting business in the twenty-first century without the assistance of third-party vendors. Their use allows companies to more successfully manage head count and budgets, and to contract and expand more readily in response to market reduction and growth. In the case of outsourcing, there are tremendous financial incentives to use lower-cost resources. The use of offshore third parties has become so widespread that a few years ago one venture capital firm partner on the West Coast was quoted as saying that his firm didn't bother to read any business plans that didn't outsource certain work to low-cost providers overseas.
There's no question that outsourcing to other countries introduces new security and risk management issues into the corporate agenda. But outsourcing to domestic vendors is also not without risk. The story of the NSA leaks of 2013 shed light on this subject. Remember, Edward Snowden worked for a third-party vendor! While it remains uncertain what exactly Mr. Snowden shared with other nations, we do know that he wasn't authorized to disclose classified information. Some may believe he is a hero, others that he is a villain. It is clear, though, that his employer is the recipient of unwanted publicity. The company is one of the more prominent government contractors supplying personnel to the intelligence community.
It is also clear that the third-party background investigation firm that vetted Mr. Snowden is under examination. Northern Virginia–based USIS, which advertises that it is “the leader in federal background investigations,” is on the hot seat. Senator Claire McCaskill said during a Senate hearing in June 2013 that USIS is “under active criminal investigation.”
Additional details in this case will come forward as the investigation continues. But much of the information around this case will undoubtedly be classified, with only limited disclosure in the media and in public congressional hearings. But what is exceedingly clear is that egregious mistakes were made. The contractual obligations between third parties and the NSA failed.
Senator McCaskill also noted that there appeared to be a “systemic failure to adequately conduct investigations under its contract.” In a statement that should resonate with every company engaging with third-party background investigation services, Senator McCaskill commented that this should serve as “a reminder that background investigations can have real consequences for our national security.” The problem extends to companies outside of the Washington Beltway and the defense and intelligence arena.
While it may be unlikely that third-party employee behavior will rise to the level of policy violation exhibited by Mr. Snowden, it doesn't have to in order to compromise information integrity, breach corporate governance and contracts, and violate regulatory requirements in the forms of identity theft, trade secret theft, brand hijacking, blackmail, and extortion. The background investigation doesn't always work.
The annals of background investigation history are rich with examples of failed policies, procedures, and even strategies associated with understanding the truth about a candidate's past. Criminals have passed background checks. There is a reason that Top Secret security clearances can take up to nearly two years to conduct and may cost several thousand dollars, and sometimes much more, depending on a number of variables related to each case. Of course, not every candidate needs this level of background investigation. But companies should examine the background investigation process used by third parties that have physical, logical, or administrative access to information.
It's always good to conduct a more extensive background investigation on the basis of access. Sometimes organizations initiate background checks only on some candidates. One executive remarked that “we only conduct checks on positions with the title of vice president or above.” This can convey a false sense of security. While senior executives may have access to critical sensitive information, many lower-level positions come with high levels of access to the same information.
One of these variables is the background investigation process, which is many times a flawed process based on a flawed strategy.
The FDIC recommends 10 background investigation considerations:
The accuracy and effectiveness of background investigations of third-party employees is one of the best defenses against a breach and its consequences. Knowing who has access to your data, and whether they are trustworthy, is a mandatory tenet of strong corporate governance.
Failed background investigations have led to breaches of regulated information, from protected health information to customer financial information. In some cases there were complete breakdowns in the background investigation process, in which convicted felons passed criminal background checks. Almost unbelievably, such failures included company contractors who did not actually exist yet were still able to pass background checks. An enterprising entrepreneur created these identities, giving them names, addresses, cell phone numbers, and even Social Security numbers, and saw to it that each passed a basic background check. Enterprising, yes, but quite illegal, and these “contractors” and their creator were stealing customer financial information.
Who's to blame? As in many breaches of regulated data, as well as intellectual property and trade secrets, there is plenty of blame to go around. Companies often hold third-party vendors accountable only after there has been a breach. These same companies often conduct due diligence on third parties, but too frequently the process of determining the risk associated with any one third party is too costly and time-consuming. Plus, many vendors will simply walk away from companies that press too hard on the issue of security. Many of these third parties, and the companies that contract with them, will meet at the bar of accountability and information protection established by law and implemented by regulation. If a company utilizes hundreds or even thousands of vendors, it becomes difficult to manage them individually, at least until there has been a breach.
Another issue seen frequently is that many executives have long-standing relationships with preferred third parties. “We've been using them for 20 years and there haven't been any problems yet. We'll keep using them.” This is quite common, even when detailed due diligence clearly illustrates that the continued use of the third-party vendor elevates company risk. Sometimes the executive of the company and the vendor worked together previously and feel that loyalty is at stake, even if the corporate risk rises.
What the company executives either don't know or ignore in the hope that nothing bad will happen is that things change. This is especially true in the case of a long-term relationship. Nothing stays the same. Management changes, employees come and go, maybe some work goes overseas, some outsourced to other companies domestically. Regulations, standards, guidelines change, as do the efforts made by vendors to comply with the requirements of change. The financial integrity of the vendor could have changed: It could be near bankruptcy, or it could be the target of civil litigation or even criminal prosecution. When change happens, it's always a good bet to make sure that the change reduces risk, not elevates it.
Here's another thing. Statistics vary about the total percentage of third parties involved in data breaches. Some authorities suggest the number of breaches involving third parties is more than half, some less than half. Actually, the specific number isn't terribly important, but the trend is very important. The trend seems to point to an increase, perhaps because third-party vendors are managing more and more data. But here's another statistic, although not a broadly based one: In every breach investigation conducted by this author a third party has been involved in the breach. Every one. While this is admittedly anecdotal, when examining the entire industry it does illustrate the severity of the problem.
Third-party vendor relationships are typically managed through service level agreements. The problem? Many such agreements are drafted with a specific emphasis on legal enforcement provisions should the vendor fail to meet certain contractual requirements, productivity goals, and mandated regulatory minimum requirements for information protection and breach notification. This applies only to personal information that is subject to various government regulations. For vendors in possession of intellectual property and trade secrets, the last category, information protection and breach notification, may be absent or nonspecific because of no—or limited—obligatory public reporting requirements.
Before contracting with third parties, companies should carefully evaluate the risks of engaging third parties to manage certain kinds of information, who will have access to that information, where the information will reside, how it will be transported, whether it will cross jurisdictional lines, what regulations apply, what is the vendor's breach track record, and more. Many companies conduct extensive due diligence, pressing during the due diligence phase, asking hundreds of questions and demanding satisfactory answers and demonstrations of proof.
It may be helpful to shift from service level agreements to something like a risk-reinforced service level agreement (RRSLA). While many firms do a reasonable job in the due diligence phase, it seems, many do not, and this seems especially true in many smaller and midsize companies. RRLSAs focus on seven specific, detailed assessment points that assist the company in casting a broad net, yet a comprehensive one, over the third-party vendor relationship. In each of the seven points, which are discussed below, a detailed set of requirements is established, and so is documentation and the establishment of frequency of testing.
Companies must require documentation from vendors, demonstrations of proof that vendors have done what they said they were going to do and when they said they were going to do it. It isn't uncommon for companies to sign SLAs with vendors that state that the vendors must agree to specific requirements. Yet the reality is that companies many times do not check up on their third-party vendors, even when the SLA requires compliance with state and federal regulations governing information protection and breach notification requirements.
The result can be that the SLA, after being signed at the beginning of the relationship, is sometimes never looked at again by either party until the time comes to renew the agreement. There can be significant consequences to this. There are cases where (1) the SLA was signed by an employee, not an officer, of the third-party vendor; (2) the vendor was obligated to be compliant with U.S. federal, state, and international data privacy regulations but did not understand that it needed to be compliant; (3) the company never initially requested documentation demonstrating compliance and never did until a breach occurred. The breach in this case was significant. While the data management provider was at fault, there is no question that the company's customers shared in the blame. The customers failed to hold the vendor accountable by conducting effective due diligence, not only prior to signing the agreement but on a regular basis thereafter. Had the customers checked, the security lapses and failure to comply with both government regulatory requirements and contractual obligations would have been evident. It is likely that such due diligence would have reduced the impact of the breach, and perhaps would have prevented it altogether.
Of course, as with any program, there are varying levels of details defining each agreement. Every company must make a decision on how much detail to require. Admittedly, managing an increased flow of documentation isn't necessarily easy, and it can be costly as well. But the point is that today many companies are failing to make informed decisions about what they need to know about their service providers. Every company needs to make informed decisions about what to require, when to require, and how much documentation they need to review. It comes down to the company's appetite for third-party vendor risk.
This can be a difficult balance to achieve, based on innumerable criteria. Not all vendors need to have the same level of scrutiny. The measure of due diligence to be expended depends on what information will be in the possession of the third-party vendor and what services are offered by the vendor.
For personal financial data, the principal federal protective instrument is the Gramm-Leach-Bliley Act of 1999, also known as the Financial Services Modernization Act of 1999. A key component of the act is what is known as the Safeguards Rule. This is important for client companies as well as third-party vendors, because ultimately it is the client company's responsibility to protect the privacy of information. The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:
While the following is not intended to be a comprehensive instrument for managing third-party vendor risk, it does identify seven key risk issues to consider including in any SLA, turning it into a risk-reinforced service level agreement. These requirements are intentionally vague, allowing each company, based on its size and requirements, to develop its program within the required framework. Every company should develop its own RRSLA based on many individual factors making up its risk profile. Regulatory requirements, type of data at risk, budget, risk tolerance, and other factors will be considered in determining the level of effort that will be placed in the development of the RRSLA. The key is to make sure the third-party vendor is on board with the program. Here are the seven basic elements for consideration:
Information security is the foundation for managing operational risk, so make this a priority when dealing with vendors and service level agreements. In other words:
GAPP articulates 10 useful privacy principles, which are essential to any organization and are especially important in developing the third-party vendor service level agreement:
Define information privacy for the vendor, and how it must be observed and managed. Information privacy is about how regulated information may be used and by whom. There are a great many variables, especially by country. Information privacy in the European Union, for example, is substantially more restrictive than in the United States. Define personally identifiable information (PII) for all applicable vendors. PII is diversified and includes, generally, the following types of information:
But GAPP is also about unregulated data, including intellectual property and trade secrets, which need to be kept confidential. Information privacy means not only protecting the information from theft, but also protecting it from compromise such as change in the data. So information integrity must be part of the mission to ensure that information is guarded, from inside and outside the vendor environment. Specify what data needs to be protected! Make reference to what data is regulated by law and what must be done to protect that information. Most important, make certain that there is an understanding with the third-party vendor on what the requirement is to treat information in their custody. Included should be information in any digital form, as well as information in paper form. This is no time to be vague or imprecise. Don't let the vendor make any assumptions: Stick to the facts as you define them.
Make it meaningful. Make sure that the analysis of risk is linked to the actual threats facing the company and the third-party vendor. For example, consider the insider threat. What has the vendor done to measure that risk? How carefully have such vendors examined their own background investigation process? What are the actual threats that have been considered in their risk assessment? Have they looked at the full spectrum of likely threats facing them? How have these threats been interpreted in terms of risk? Have they examined the legal, regulatory, financial, and reputation risk arising from an event?
Determine from where the vendors are receiving threat information. Is it consistent with what is required to actually protect information? Here's an example. Suppose that the vendor has offshore operations and that data is under management there. Then suppose that the country is one with a significant level of corruption, organized crime, narcotics trafficking, social protest, and so on. In instances where there is heightened corruption, fraud, and other criminal activity, there is greater risk. Then consider how technology and culture enhance the threat and the risk to companies. How does the third-party vendor manage its employees and contractors with respect to the use of social media? Does the vendor have a “bring your own device” policy? There's the risk of hiring employees and contractors who may be engaged in illegal and unethical activities, or who are simply careless with the information they post on social media sites and keep on their personal devices. Consider if the principal company factored these concerns into its own risk equation, and then factor this into the third-party vendor risk.
A word about the social protest threat. Social protest, in most cases, is legal, and even desirable. It is a fundamental precept of a free country. However, many protest groups have the desire and the ability to disrupt the flow of information. It is also well established that hacker groups, and even terrorist groups, try to co-opt some protest groups. So the real issue is not that a region or a country may have active social protest groups, but whether those protests have the ability to interfere or disrupt information management. If so, what mitigation measures have been put in place by the third-party vendor? Have those measures been evaluated and tested? Has the need for change in policies or monitoring been required?
Another measure of the threat and risk conditions at the third-party vendor is the breach history. While many vendors are reluctant or intractable on the issue of such disclosures, it should be a point for negotiation between parties. But let's define breach. A breach is not only a breach of data that must be reported to state, federal, and foreign-country authorities. Many breaches, for a variety of reasons, are never reported to regulators. For the purposes of negotiation and agreement in a written contract, a breach should also be defined as a breach of security policy and procedure.
This requires the third-party vendor to disclose not only its breach history regarding regulated data, but also, if specified, any security incidents or breaches involving intellectual property and trade secrets. Making a decision about a third-party vendor, if it is to be handling any type of sensitive information, requires understanding its threat environment and the risk potential. Arriving at a decision about its suitability to handle that information simply cannot be done without understanding the full dimension of its historical risk performance. If the vendor decides that it should refrain from answering these probing questions, then the client company can at least make an informed decision about whether or not to engage a specific vendor.
There's often a gap between what companies and their third-party vendors believe is important. Understanding the threat and risk environment shouldn't be one of those gap areas. One of the best ways to think through the process of creating a trusted vendor relationship is simply this: Think postbreach, act prebreach. In other words, think about managing the risk from the perspective of a severe data breach. How could the breach have been averted? What steps could have been taken, what policy changes would have prevented the breach? Was it a technology issue? An organizational management issue? Was there a violation of regulation?
Examine the third-party vendor's whistleblower program. Not every company has such a program, but they have proven to be effective tools in managing the risks associated with corruption. Whistleblower programs provide an outlet for employees to alert management of bribery and other corrupt practices. Have the vendor disclose the program details. Minimally, require the vendor to disclose:
Increasingly, corruption is a critical element in successfully managing reputation risk. As in the case of data breaches, findings of corruption can have a variety of risk impacts on any company. The business press, in particular, has demonstrated an interest in covering corruption, and is usually aggressive in its coverage.
It is important to work with legal counsel on this issue. Make sure that the anticorruption program covers every country in which the third party operates. Oftentimes the client company does not verify the details of the third-party anticorruption program or verify any history of corruption in the third party. While larger client enterprises are more likely to have an anticorruption requirement and program to verify the details specific to the third-party vendor, many small and midsize companies lack this critical due diligence effort. Minimally, it is important to at least have the vendor verify in writing:
In one case, an executive signed a lucrative third-party vendor agreement with an old friend. They had worked together previously in another company. An after-the-fact assessment of the third-party vendor's security illustrated a number of crucial deficiencies. The scope and dimension of these deficiencies would clearly lead to a data breach at some point, and maintaining the agreement was not justifiable. It cost the company a substantial amount of money to get out of this contract because there were no real enforcement measures in place.
The client company should have made provisions in the contract about vendor security as a condition for agreement cancellation. But it wasn't there. Not only was there a difficult business negotiation, but it likely stressed a friendship as well.
In part, this is a decision that should be discussed in the risk committee of the board of directors as part of an information governance program. Information is valuable. In some companies it is the dominant value. In some companies it is also the prevailing risk. The risk committee of the board, especially if it is well informed, would want to know about which companies are handling its data. Too much detail for the risk committee? In the event of a breach, one that proved costly in regulatory, legal, financial, and reputation risk, who would want to be the bearer of the bad news? The bad news, in addition to the breach, is that it turns out that the third-party vendor managing the data had a flawed history when it comes to managing customer data.
The first question such a board committee might ask is, “Why didn't we know this about the vendor?” The next question might be, “Who made the decision to use that vendor?” No chief information security officer or chief risk officer, or any executive serving in that line of authority, including the general counsel, wants to be called into the next meeting of the risk committee.
How will the third party be required to make demonstrations of proof, in writing, as to the assessment of the risk posed by the aforementioned operational environment? Every nation has complementary risks as well as unique risks. It is important to understand these distinctions when making decisions about the use of third-party vendors.
Vendors can be slow, uncooperative, and even recalcitrant in providing information regarding a cyber breach. Without accurate, timely information from vendors, companies cannot make reasonable judgments relative to the operational risk profile. There is no meaningful management of risk without vendor commitment to accountability.
Historically, vendors have had superior positioning by using vendor agreements, such as the master service agreements and service level agreements, for example. Vendor agreements will also favor vendors. While some vendors are not open to negotiation, others are. Even if vendors won't budge on terms, it is critical, from a cyber risk management perspective, to put the terms on the table for negotiation. It is important to be able to demonstrate, in writing, that attempts were made to negotiate terms essential to managing cyber risk. If the vendor won't agree, a decision has to be made about whether to move forward with the agreement. Either way, you will have at least addressed the issue. Managing cyber risk isn't always about getting your way. It's about making decisions that have the potential to imperil the organization or protect it.
If the vendor chronically fails to produce desired documentation, for example, an on-site meeting should be pursued. There should be a formal accounting of the meeting, always in writing. The accountable vendor executive and your cyber risk executive should follow up on all open issues. The meetings are essential for managing issues and outcomes, and having them also conveys the message that you mean business. If you treat the cyber breach lightly, delay responding, and/or don't show up on site, vendors may get the idea that you aren't taking the breach seriously—which may lead them to take it less seriously as well. On-site meetings with vendors are viewed positively by regulators and are consistent with evolving regulatory expectations and insurers.
Require that the report from the vendor should be written for a diverse audience of interested constituents, including management, internal and external legal counsel, corporate customers, and various state and federal regulators, as appropriate. The reason to specify this in any agreement is that some vendors may present only a technical definition of the cyber attack and resulting losses. The greater the definition of the required documentation from vendors, the more useful the reports. The reporting from the vendor must enable you to adequately define the cyber event and the measures needed to manage and remediate the conditions contributing to the cyber breach. The reporting from the vendor should include the following required elements:
Embraced as a critical growth strategy by leading U.S. and foreign companies, cloud computing makes a compelling argument in the global economy. The attraction of cloud computing is that companies can expand operations using someone else's technology and at a fraction of the cost of purchasing new technology. Even President Obama is aware of the benefits of migrating electronic medical records into a cloud computing environment as one method of containing out-of-control health care costs. The future of cloud computing seems clear. But does it introduce a different set of risks? A number of emerging risk issues around cloud computing are building like a global storm front. In fact, a 2011 survey conducted by cloud computing vendor IBM indicated that 77 percent of respondents were concerned that cloud computing would increase privacy risk.
Clouds are emerging from virtually every geography, and if clouds currently do not exist in a geography, it seems certain that they will in the next few years. There's a lot at stake; clouds represent a lot of growth and a lot of revenue. Reflecting on the value of the cloud market, the press for market share is already here, and there are diplomatic, political, as well as economic issues in the mix. For example, cloud providers in the European Union charge that cloud providers in the United States should not be used by EU companies. The allegation? That the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism, otherwise known as the USA Patriot Act, gives the United States easy access to personal information stored in U.S. cloud providers. Of course, other nations have low barriers to access to acquire sensitive personal information as well, especially when such information is relative to national security.
It is reasonable to think of clouds as the third-party vendors of the future, where a new generation of providers based in developing nations offer financially competitive storage and data management models. However, there are issues to think about from a cyber risk perspective, and these are questions that must be asked now and in the future. Some of these questions include:
This list can be extensive and should reflect the comprehensive questions posed during due diligence of traditional third-party vendors.
Ten top security and privacy executives at an investment conference in New York City were asked this question, “Would you place regulated customer data in the cloud, even if it was encrypted?” One executive from a Japanese firm was the only one who answered that sensitive information would be placed in the cloud. Every other executive answered no, even if the data was encrypted. Their reasoning was simple: No one really knows what level of encryption can be compromised by a government dedicated to breaking it. Data collected over the course of a specified period may not be breakable at the time during which it was acquired. But eventually the data may be broken, and that was a risk the nine security and privacy executives were not willing to accept. The benefit of clouds, in this case, was not worth the risk.
In fairness, though, it must be noted that all third-party vendors, including clouds, are not equal. Some companies will improve their cyber risk exposure by using external vendors, again, including clouds. Why? Because these external organizations will have cyber risk management controls that will prove superior to the client company. Cyber security is expensive, and many companies are not willing or able to invest in the protective mechanisms offered by third-party providers.
Dr. Lothar Determan, a privacy attorney in the Palo Alto, California, office of Baker & McKenzie, writes, “Whether personal data is safer on a system secured by the data controller ‘in-house’ or on an external vendor depends on security measures deployed by each particular organization. Moving data to the cloud can be a bad thing for data security if the vendor is weak on security and careless. It can be a good thing if the vendor brings better technologies to the table and helps the data controller manage access, data retention and data integrity. And it can be neutral if the vendor's cloud system is more secure, but the way the customer uses the system keeps exposing the data (e.g., because the customer does not configure security to properly restrict data to the appropriate users, the customer uses unsecured connections or the customer downloads data from the cloud to unsecured local devices).”3
No one should be under the illusion that such negotiations with traditional third-party or cloud vendors are going to be easy. Some will prove to be productive; others not. But the key consideration is that these negotiations are fundamental to more effectively negotiating agreements that will assist in managing the risks associated with cyber attacks. It is also worth restating that obtaining approvals from vendors is not the only goal. Vendors will give on some issues, and not on others. A lot of factors will be under consideration by vendors. The other goal is to at least attempt to negotiate key elements of the agreements, document all such attempts, and clearly illustrate that all elements of managing cyber risk were addressed. It may not be feasible to change every agreement to your advantage, but it is possible to include in the discussions and negotiations all of the elements pursuant to cyber risk. In the event of a cyber event, you will at least have the documentation needed to defend your prior courses of action and orient the outcome to the extent possible under the restrictions associated with the agreements in place. This alone, deflecting risk, is worth the effort.
A number of risk-related executives have asked the question, “If we know the vendor isn't going to budge, why try to negotiate the point?” The answer is this: You want to be able to demonstrate to the board, to insurers, and to any other interested parties, that the issue was addressed, that the vendor remained unmovable on the point, but that you pushed that agenda. In the confusion and energy that accompany a cyber breach, it is easy to lay blame and to point fingers at who may be at fault. Judgments will likely be made that will linger, as doubt will grow as to whether the correct decisions were made and the appropriate level of due diligence was applied to the vendor that is now associated with the breach. The aftermath of the cyber breach will carry threads of doubt that were raised early on during that stage of confusion. It is important to demonstrate, through the offering of documentation, not only what the vendor was required to do, but also what the vendor had not agreed to do but which you had firmly recommended. Or sometimes failures in negotiation are indications that it is time to move on to another vendor.
3.145.179.225