DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

Transcription

1 DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to most businesses, but can leave a company dangerously vulnerable to a breach of its data or network. As the Target breach demonstrated, even a non-it vendor can cause widespread damage. Properly vetting third parties remains one of the most challenging aspects of cybersecurity programs. In order to appropriately allocate due diligence resources, companies must first assess potential third parties to determine which of them present low, medium or high levels of cybersecurity risk and subsequently conduct the corresponding levels of diligence. This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium and high level of risk. Part Two will address the third step of deeper due diligence for high-risk vendors. The Weak Link in Cybersecurity To truly secure a company s sensitive data and networked systems, companies must have a thorough and thoughtful due diligence and selection process in place for selecting responsible and reliable third-party vendors. Making a decision regarding a third-party vendor driven by pure business considerations without factoring in the security considerations is a common mistake, David Fagan, a partner at Covington & Burling, said. Regulators, enforcers, plaintiffs lawyers are all looking to vendors as a recurring weak link in data security, Alan Raul, a partner at Sidley Austin, said. Even if they are not the weak link, it s incumbent upon the company to confirm the vendor is at least as secure as any other component of the computing architecture. Companies should not treat every vendor the same, said Andrew Serwin, a partner at Morrison Foerster. A vendor who gets little to no personal information or who does not have broad access to the company s systems has a far different risk profile than a vendor who gets sensitive personally identifiable information (PII) or personal health information (PHI) or has network access, he said. Taking a one-size-fits-all approach to due diligence is a mistake, Serwin said. Companies should approach third-party due diligence in segments or buckets. Step One: Preliminary Risk Assessment Determining whether the vendor belongs in the low, medium or high-risk category will in turn trigger the appropriate level of due diligence. For certain vendors, no specific due diligence on this issue is required. For others, the first step will require a series of questions and requests for documentation. And the riskiest relationships will require additional deeper due diligence. Companies should have a process in place to categorize vendors in terms of levels of risk and then they should apply assessment from that basis, Fagan said. The first step should be to assign a risk classification to them. And that should track to what kind of assessment you provide. Through the preliminary risk assessment, companies can group third parties into at least three categories: 1. Vendors that present no data or cybersecurity risk and therefore warrant little to no related due diligence; 1

2 2. Vendors that present some risk and require initial questioning, the results of which may be sufficient or may lead to deeper diligence; and 3. The riskiest relationships that require deep cybersecurity diligence, possibly including a third-party assessment or a boots-on-the-ground examination. Data Classification One element of the preliminary risk assessment involves determining the type of data the potential vendor will have. Sensitivity of information is a key factor in determining the vendor s risk level. Sensitive data consists of proprietary and confidential business information in addition to individual customer and/or employee information. Companies should ask themselves detailed questions regarding the data that will be shared with a potential third party such as: What data would the vendor have access to? What is the volume of that data? Is the data sensitive and/or non-public? Does the data include private employee information (i.e., social security numbers or dates of birth)? Does the data contain private customer information (social security numbers, bank account numbers or credit card numbers)? Does the data include proprietary business data, confidential information or trade secrets (i.e., law firm; cloud vendor)? Is the data regulated (i.e., PHI)? Is the data subject to contractual obligations? Does the data include any other sensitive information? Sensitive personal information about a company s customers or employees creates the potential for significant harm to its reputation in the event that the vendor fails to adequately protect the information, Richard Harris, a partner at Day Pitney, stated. Examples of sensitive customer information include non-public information such as social security numbers, bank account numbers, dates of birth and credit card numbers. Companies should be thinking about whether that vendor has appropriate data protection programs in place sufficient and appropriate for the type of information being entrusted to them, he said. Network Access In addition to thinking about data, companies must ask central cybersecurity questions to determine what level of diligence to conduct with a potential vendor, such as: Would the potential vendor have access to the company s networked systems? What part(s) of the system would it have access to? How critical are those parts of the company s system? Any vendor that is going to have access to your data network should be considered a higher-risk vendor, Harris said. For example, non-it vendors often have system access, such as the refrigeration, heating and air conditioning subcontractor that allegedly caused a system breach at Target in I expect that nobody focused on the fact this subcontractor had access to a network that was interconnected with Target s payment system network, Harris said. For these types of high-risk vendors that connect to a company s network, the company should conduct a specific cybersecurity assessment, Fagan said. Services Companies should also consider what type of service the potential vendor would provide. Questions should include: What is the role of the vendor? Would it provide a critical function? What is the expected length of the relationship with this potential vendor? 2

3 Depending on how critical they are to your operation, if the firm is not going to function without them being in place... then obviously a stronger and deeper diligence is warranted, Raj Bakhru, a partner at ACA Aponix, said. Proactive Approach Ideally, in addition to evaluating the risk of a vendor piecemeal as that relationship is considered, companies should step back and do a broader internal assessment of their own vulnerabilities and the third parties connected to those areas. The company can make this part of an overall information governance strategy where the company s own risk assessment and data mapping is taken into account from the get go, Raul said. A company should conduct an internal risk assessment and inventory of their computer systems, and information databases, Raul said. So in determining which of their vendors and service providers pose the greatest risks to them, they ought to know their internal risk points, potential vulnerabilities and data flows and then decide which of their service providers are implicated in those risk control points, he said. Examples of third parties that would be implicated through this method include cloud vendors if the company is securing sensitive or proprietary information in the cloud or a payroll processing vendor if the company is outsourcing that HR function. Step Two: First-Level Due Diligence for Medium- and High-Risk Third Parties The first category of vendors that present no risk at all (such as an office supplies provider that does not receive data or connect to a network) should be chosen on the product and the price, Fagan said. However, the medium- and high-risk categories of vendors require initial due diligence as the next step. Any potential third party who will receive any kind of data or access should receive a questionnaire, series of questionnaires or questions as part of a request for proposal. In some instances, the responses to those initial questions will determine whether additional scrutiny is required or whether the company should walk away and fulfill its need for those goods or services another way. In other cases, satisfactory answers to the questionnaire with proper documentation will be sufficient to complete the diligence process. Initial Questionnaire The initial questionnaire should request the third party s relevant policies and procedures. The first step is seeing what is on paper. You want to see if the company has the right policies and procedures in place, Serwin said. It is certainly by no means the only step, but if the paper is not there it raises questions about the maturity of the program, he said. The questions should be very specific about data security and information governance, Bakhru said. It is very hard for a third party to circumvent a specific question such as Can your employees access external or file sharing sites? whereas if you were to ask Have you implemented data loss protection? the answer will always be yes, he said. Questions should include: Are there written information security plans and processes? Is there a written cybersecurity plan? Has there been a breach or other type of network compromise in the past five years? If so, what changes have been made? Has there been a third-party audit or certification of the vendor? If there has been an audit or certification, what standard was used? Where is data stored (which country, who controls it, what type of place)? Would data be segmented off from other companies data? 3

4 What principles are applied to the data for security (i.e., ISO 27001; NIST framework)? Does the vendor have cyber risk insurance? How does the vendor protect against insider risk? Do employees have direct access to data? Do the vendor s offices have badge-restricted access in place? How are personnel vetted? Does the third party perform background checks on employees who will have access to the company s data or system? If so, are checks regularly conducted before hiring? What is the vendor s incident response plan? Does the vendor conduct penetration testing? What are the qualifications of the personnel involved in cybersecurity? What training do relevant personnel receive? What is the vendor s program for sub vendors? In addition, companies should request all relevant supporting documentation such as written plans, processes, audits, assessments and/or certifications. Customized Questions Additional questions should also be formulated based on the company s own practices. The company should try to verify that the vendor has similar security provisions to their own, Bakhru said. For example, if the vendor will have the ability to access the firm s network drives and the firm has blocked USB access, it s only sensible to ensure the vendor has blocked USB access as well. The FINRA Report on Cybersecurity Practice also recommends ensuring that the vendor s practices match the level of security in place at the company. And questions can be formulated based on a company s own security policies. These may include, depending on the company s practices and the risk level of the vendor: What limits are placed on data access by vendor employees? What virus protection is in place? Is data encrypted while at rest and/or in transit? What subcontractor controls are in place? What is the system patch management that is used to make code changes? Is ethical hacking used to discover potential vulnerabilities of systems? What change management processes are used? What program coding methodologies are used? What are the business recovery practices? Regulated Data Certain data is subject to regulation and companies need to understand whether any of the information that is shared is subject to regulation, Harris said. And then, in order to comply with those regulations, the company must ensure the vendors treat that data in ways that comply with the relevant regulations. Certain industries need to pay particular attention to specific regulations such as government contractors/defense, financial, health, education, telecommunications and energy sectors. Relevant questions should be included when conducting vendor diligence. Contractual Obligations In addition, contracts govern the use of some data. For example, a company that is sharing credit card information with a third party needs to apply the payment card industry data security standards [DSS]. That company, as a condition to its acceptance of credit cards, likely has promised to protect the data in accordance with DSS standards. It needs to pass that obligation onto any vendor that is going to be handling that information, Harris said. Specific questions to ensure the vendor meets those obligations should be added to the relevant questionnaire. Core Cyber Assessment According to Fagan, if somebody will be connecting directly into the network, a company should be doing more of a core cyber assessment than just data security. A company s procurements impact the integrity and 4

5 reliability of its network and information and therefore the company needs to assess the integrity and reliability of the vendor s product or service. For example, if the company is procuring IT equipment, the questionnaire should include questions such as: Where are you sourcing equipment from? Who has access to it? How do you screen them? How do you know when someone checks in? How is it tested? Certain industries need to follow specific regulations to ensure their vendors meet the specifications, for example, financial institutions and the defense industry, Fagan said. Resiliency Particularly for long-term vendor relationships, companies should consider the size, sophistication and stability of vendors. Regardless of the risk, companies should assess the resiliency of the vendor, Serwin said. The questions to ask are (1) are they going to be around long term to provide the service they are providing you? and (2) do they have the resources to adequately deal with cybersecurity or security issues and if something goes wrong do they have the ability to stand behind the promises they have made? he said. Next Steps for Medium- and High-Risk Third Parties For some vendors, the relevant questions and a review of the relevant documents are sufficient and the relationship can move forward. However, if the answers require follow-up or more detailed responses, the next steps should include further questioning in writing or conference calls to discuss the policies and how they work, Serwin said. Follow-up questions will depend on the initial answers. For example, after a company reviews the written policies, subsequent questions should address the procedures behind the written policies, how rigorously these policies are enforced and the consequences for a breach. If the initial risk assessment indicated a high-risk status, or answers to further questions raised additional concerns, deeper due diligence is required. That may entail, in addition to further questioning in writing or on the phone, an independent evaluation and verification, checking references or sending a team to put boots on the ground for a firsthand examination. Part Two of the article series will explore deeper due diligence. Flexibility When examining the vendors policies and procedures, a company needs to have principles it is applying, while at the same time allowing for some flexibility so that it can compete and make a decision where security is a factor but it s not the only factor, Fagan said. For example, businesses cannot insist that every vendor across the board, regardless of the type of data that is going to be shared, needs to be certified. That is just not practical, he said. 5