By Darren Craig
Managing Associate Partner
Although organisations know they should take their own cyber security and compliance requirements seriously, one key area that often tends to get overlooked is that of their third parties.
Organisations are facing the General Data Protection Regulation (GDPR), which came into force on the 25th May 2018. They have become increasingly aware of the significant legal requirements imposed by GDPR and the business risks posed by cyber security breaches. Many have devoted substantial resources to identifying and eliminating internal vulnerabilities and to mitigating their exposure resulting from potential cyber security incidents or non-compliance of GDPR.
Organisations have found that they must address cyber security and privacy risk management from multiple angles, including investing in robust IT security systems, conducting employee security awareness training, considering the purchase of cyber security-related insurance policies and developing a data breach response plan to make sure that they can meet the 72 hours data breach notification of GDPR.
An important, but sometimes overlooked element of that process is third party risk assessments or data processor risk management. Under GDPR, organisations, when asked, are legally bound to provide assurance to the regulator that these third-party service providers are compliant with the new regulations by having good cyber security and privacy controls in place.
As we have seen from many cyber security breaches, a company’s cyber security is only as strong as the cyber security of its GDPR 3rd party risk assessment service providers.
This article discusses some of the issues organisations should consider in seeking to mitigate their cyber security data privacy risk, in connection with third-party service providers.
The first step is to ensure that your organisation has a complete understanding of who has access to what data. Does your organisation store information in the cloud? Does your organisation use a vendor to host its website? These days most, if not all organisations provide some kind of data or systems access to at least some third-party providers, whether the vendor be a payroll services provider, a business consultant, a data storage provider, a printing services provider, a payment processor, a lawyer, an IT support provider or even the company providing facilities management for your building.
This is a requirement of any third-party risk management assurance program. As well as understanding who these providers are and what information you exchange with them, whether it has been classified as personal data or not, under GDPR you also need to be clear on who is the data controller or processor in each relationship. This will help you both to understand which part of the GDPR needs to be complied with.
Although it may be necessary to share some data or systems with outside service providers, such access should be on a need-to-know basis in order to meet the data minimisation principle within GDPR.
There has been many, but the well-publicised and very costly credit card data breach experienced by Target Inc started with the theft of credentials granted to the company that managed Target’s Air conditioning, Fazio Mechanical Services.
The attackers infected the vendor with general purpose malware through an email phishing campaign. While many lessons can be gleaned from Target’s misfortune, one of the most obvious is that the compromise of an air conditioning vendor’s credentials should never have led to the compromise of a company’s payment system data. This could have been easily mitigated by segregating the Air conditioning network from the company’s payment card systems network. Fazio Mechanical Services could have helped reduce its risk to phishing attacks by running regular cyber security awareness training for its staff. If you are required to become GDPR compliant, then you will have to run regular security awareness training for your staff.
A written contract will serve as a crucial foundation for a relationship with third-party service providers. If it has not already done so, your organisation should review existing vendor contracts with an eye towards mitigating cyber security risk. Under GDPR, Data processor activities must be governed by a binding contract with regard to the controller.
A number of contractual protections might help to manage such risk:
Consider extending your own security polices to service providers. Contracts can include provisions requiring providers to comply with specified cyber security procedures and technical controls. It would also help if they were built around a recognised security framework like NIST, BS 27001 or CIS top 20 security controls. Under GDPR, processors, like controllers, are required to implement appropriate security measures. What is appropriate is assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing. Regular testing of the effectiveness of any security measures is also required.
Consider requiring the vendor to make representations or warranties regarding its cyber security practices or authorising your organisation to conduct audits regarding the vendor’s ability to meet and sustain your security expectations. Under GDPR you must have a right to audit clause within your processor contracts
Require that the service provider implements timely notification of any security incidents that it experiences. Such a provision might also define your organisation’s rights to control any responses or disclosures to third parties in the event of an incident. Under GDPR your processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it
Control with good security controls and limit downstream transfers of your data, specifically personal data under GDPR.
Require the vendor to destroy copies of your data in the manner you specify on termination of the relationship
Consider how to allocate liability through indemnification provisions or limitations on liability based on the nature of the relationship, the sensitivity of the data involved and the GDPR requirements.
Consider requiring the service provider to maintain cyber security-related insurance coverage. You should consider whether and to what extent data breaches stemming from third-party service providers fall within your own insurance coverage. You should consider combined public liability and cyber-security insurance coverage for the best possible coverage
After reviewing existing contracts for these requirements, an organisation should consider whether such contracts can and should be renegotiated. It’s very likely they will, as most contracts I currently see on a daily basis, do not meet the requirements of GDPR. Additionally, the organisation should develop cyber security data protection guidelines for future contracts.
Once these revised contracts have been renegotiated and put in place, organisations should implement a Continuous Compliance Monitoring program that allows it to monitor the cyber risk and GDPR compliance of its third-party service providers on demand. This program should also have the ability to monitor not only third-party risk, but also fourth-party and firth-party risk across your eco-system of service providers and partners. One of the threads that runs through the GDPR is the requirement to demonstrate compliance. So, in the event of a data breach or audit by the regulator, you will be required to demonstrate good third-party assurance. This can be easily achieved with an on-going Continuous Compliance Monitoring program.
The fact that Target’s breach originated from a third-party service provider did not prevent Target from incurring enormous losses in the form of litigation expenses and loss of customer confidence, among other things. For that reason, the primary goal is to prevent an incident. If, however, an incident does occur, the robustness of an organisation’s procedures and practices with regard to third-party service providers could help to limit its liability in subsequent litigation, which could include a shareholder suit against directors and officers, a customer or employee data privacy suit, or regulatory scrutiny. Indeed, regulators have begun to place increasing scrutiny on third-party relationships in the context of cyber security and GDPR legislation.
Third parties are not limited to outsourcers alone, they can also be your suppliers. For example, a large global organisation with a massive supply chain could have thousands of supplier relationships with digital entities that are putting your organisation at risk of a security breach or large fines because of non-compliance.