Because That's Where the Risks Are: Vendor Management in a Connected World

When the infamous bank robber Willie Sutton (reputedly) was asked why he robbed banks, he answered “because that’s where the money is.” Thomas J. Curry, Comptroller of the Currency, cited Sutton’s quote in a recent speech explaining why financial institutions are such attractive targets for cybercriminals. Not surprisingly, the Office of the Comptroller of the Currency (OCC) and other bank regulators have recognized the critical importance of information security in protecting (among other things) “the money.”

These days, banks aren’t the only businesses grappling with the challenges of protecting valuable assets from criminals. As a report on cybersecurity published in The Economist recently pointed out, the internet was built for connectivity, not security. Companies in many industries are discovering that the benefits of connecting and sharing information with others (including doing business in “the cloud”) come with a price: their valuable information assets (and those of their customers) are increasingly at risk.

Information security risks extend beyond the (fire)walls of a business and frequently involve third-party vendors. The Target breach -- and an HVAC contractor's role in same -- underscored just some of the myriad risks associated with third-party vendors. One lesson is that although business partners may be at fault when information security or networks are compromised, the ultimate responsibility for those incidents -- the financial, legal, and reputation damages -- cannot easily be shifted from the business to the otherwise-responsible third parties.

The OCC understands the potential risks of doing business with third-party vendors. Its OCC Bulletin 2013-29 (the "Guidance") identifies a number of issues that banks must consider when assessing and managing risks associated with third-party relationships.

The Guidance's holistic approach to risk management is particularly instructive for any business connecting with vendors and entrusting third parties with valuable information (e.g. personal identifying information, intellectual property, competitively sensitive information).

Implement Effective Information Risk Management throughout the Life of the Vendor Relationship (A Work in Progress and Process)

Because information risk is dynamic (emerging technologies, the ever-changing threat landscape, an evolving legal and regulatory landscape), it cannot be "managed" at any given single point in time. For these reasons, the Guidance emphasizes that management of vendor information risk, like all information security and risk management, is an ongoing process or project, involving a combination of people, policies, and technology that is assessed and adjusted based upon particular circumstances.

The “lifecycle” of a vendor relationship includes the following milestones:

  • Planning. Identify the potential information risks associated with a vendor before those risks arise;
  • Vendor Selection. Evaluate and choose vendors with an eye towards addressing and minimizing those risks;
  • Contract Negotiation. Insist upon written contracts that take into account the value of information assets and address information risk as appropriate; and
  • Ongoing Oversight. Monitor vendor performance over the life of the relationship.

Planning (Identify Information Assets and Risks)

  • Designate those individuals and groups with specific responsibility for vendor management that will continue during the life of the relationship;
  • Identify those information assets (e.g. personal identifying information, intellectual property, confidential information, trade secrets) that will be shared with a vendor (or put at risk as a result of a vendor relationship);
  • Consider the laws and regulations applicable to the business and the third-party vendor, plan for how the business will assess potential vendors, negotiate a contract with appropriate information privacy and security provisions, and oversee the vendor's performance of the parties' contract;
  • Determine the potential negative consequences (e.g. financial risk, legal and regulatory risk, reputation risk) that a third-party data breach, system outage, or network intrusion might have on your business.

Vendor Selection (Make Sure the Vendor Can and Will Protect Information)

  • Undertake a proper investigation before selecting a third party to manage information assets. Due diligence at a minimum requires an assessment of a vendor's legal and regulatory compliance, financial condition, and business experience and reputation.
  • Consult reference information available on the Web and elsewhere (including background and reference checks through the Better Business Bureau, the Federal Trade Commission, the offices of state attorneys general, state departments of consumer affairs, etc.) to learn about a prospective partner’s business and history; customer complaints or litigation; Securities and Exchange Commission and other regulatory filings; and its website and other marketing materials.
  • Review the vendor's risk management and information security programs (and any written documentation, including policies, processes, and internal controls, which may be associated with those programs), consider any certifications (ISO/IEC, NIST) the vendor may hold, and review the results of any information security assessment or audit the vendor may have conducted.
  • Evaluate the vendor's resilience, or ability to respond to various service disruptions or breach events. Does the company have a disaster recovery or business continuity plan? And what kind of incident-reporting and management programs does the vendor have in place, especially in the event of a data breach? In other words, has the vendor considered information risk in creating its own processes and systems?

Contract Negotiation (Define Rights and Responsibilities)

  • Negotiate a written contract specifying the rights and responsibilities of the parties, particularly when a business has direct privacy and information security obligations. If a vendor will have access to personally identifiable information or other confidential or sensitive information, then the contract must define the specific information that will be provided to the vendor, as well as the vendor's obligations with respect to that information. If legal or regulatory requirements (e.g. GLB, HIPAA, various state statutes) govern information provided to the vendor, then the vendor's compliance with all such authority should be spelled out clearly in the contract.
  • Spell out in sufficient detail the information security safeguards to be employed by the vendor, and the oversight rights to ensure vendor compliance with those safeguards. The business may require annual third-party assessments, audits and/or examinations of the vendor's security systems and practices, in order to ensure ongoing compliance with the terms of the agreement.
  • Designate the requirements and procedures to be followed by the vendor in the event of a security breach, including timely notification, full cooperation, and assignment/allocation of responsibility for response, mitigation, and remediation activities.
  • Include reimbursement, indemnification, and applicable insurance requirements (including, but not limited to, cyberliability insurance) as appropriate and necessary.
  • Define the events that will bring about default and termination under the contract, and consider the transition from that vendor to another provider and the effect it may have on the business.

Ongoing Oversight (Assess, Adjust and Adapt)

  • Maintain clear roles and responsibilities for monitoring the performance of the vendor over the life of the relationship.
  • Examine and evaluate a vendor’s performance and compliance periodically. In the same way a business must continually assess, adjust, and adapt to evolving information risk, so too must its business partners.
  • Consider whether the information security standards, insurance requirements, and other obligations set out in the contract must be revised based upon the parties' experience, changes in the legal or technological landscape, or other factors.

Conclusion

Nassim Nicholas Taleb has written that “It is preferable to take risks one understands than understand risks one is taking.” Understanding the risks of connecting with and entrusting information to third parties, and taking steps to manage those risks, is an essential requirement for doing business in the information age, and for protecting your “money.”

Thanks to Lyndey Zwing for her help in putting this post together.

Simms Brooks

Sr. Channel Account Manager @ Nitro

9y

Excellent article Jack, really excellent!
