Archived Insight | October 1, 2020

Third-Party Cyber Risk: Looking at Partners' Cybersecurity

Your business partners are a critical part of your success, potentially providing such services as running payroll, administering funds, or printing annual tax statements. 

In this article, we look at the importance of extending your cybersecurity beyond your own systems, considering your partners' programs and staying on top of third-party cyber risk. 


Partners can be weak links

Managing your business partners is a large part of cybersecurity, because the helpful services they provide could also be putting you at risk. 

In fact, according to survey responses on the 2019 Hiscox Cyber Readiness Report, 57% of U.S. firms said they had experienced one or more cyberattacks as a result of a weak link in their supply chain over the past year.

Start with the vendor requirements process

The place to start when choosing a vendor is your requirements definition process. Make clear to potential vendors that cybersecurity is a big deal and that any work they propose must come with their assurances that your data is safe. 

Note that the vendor should be open to allowing you to audit their cybersecurity protections at least annually.

You should also confirm they're willing to participate in cybersecurity testing or simulations at a frequency you identify, such as once or twice annually.

Your requirements should detail the expected amount of vendor involvement, as it can range significantly from one person on a phone call to full personnel support on the vendor’s equipment to run the cybersecurity tests.


The vendor should provide a review of their cybersecurity protection program

This should include:

  • how often they have external, objective cybersecurity assessments done
  • how they screen their personnel who will be handling your data
  • how they monitor their own business partners from a cybersecurity perspective
  • how they test their own applications to ensure they are secure
  • what security governance policies they have in place and are enforcing

They may possibly even provide you with the results of their most recent cybersecurity assessment.

What has the vendor done to fix critical issues in the past?

Ask your partner what they've done, since their most recent cybersecurity assessment, to remediate any critical or high-risk issues they found.

How will your partners tell you if there's a cyber threat? 

Get this in writing. Find out how the vendor will notify you of a cyber incident at their organization and how quickly that notification will occur. 

Confirm they'll take responsibility for threats

When setting requirements with a potential vendor, make sure they agree to being responsible for all of their costs relating to a cybersecurity incident, and for all of your costs if the incident happened as a result of the vendor falling victim to a cyberattack.

Make sure they've got insurance

The vendor should provide proof of enough cyber insurance to cover potential breaches or losses of your data.

How much downtime if there's an incident?

Make sure you outline this in a written agreement.

This is especially important if you have outsourced time-critical processes such as payroll or governmental reporting, where their outage will cause you to be late delivering those services or artifacts.

This requirement tells the vendor what their backup and disaster recovery schedules need to accommodate.

Ask to see their data retention plan

The vendor must have a data retention plan that you agree with for all data and actions relating to your data.

They should also be willing to return all of your data if your contract with them is terminated for any reason, and they must have the same rule in place for any third-party providers they deal with.

Last, the vendor must be required to destroy all of your data residing anywhere on their systems after providing you with copies of that data upon contract termination, and they must have the same rule in place for any third-party providers they deal with.

Monitor vendor performance, manage third-party cyber risk

Once you've contracted with a vendor, you should routinely monitor their performance to ensure they are meeting your contractual cybersecurity requirements. You can do this in several ways including:

  • Reviewing daily, weekly, or monthly reports from the vendor’s cybersecurity monitoring tools to show their protections are in place and working.
  • Physically auditing the vendor site and performing your own cybersecurity review and/or assessment.
  • Asking the vendor to provide annual copies of approved third-party cybersecurity assessments.
  • Contracting with your own cybersecurity experts to do penetration testing against your vendor (with your vendor’s knowledge that the tests are occurring of course).

Consider your own risk comfort level

The last item to consider is your own organization’s risk comfort level. You may need services from business partners who do not have the size or financial wherewithal to implement full cybersecurity protection because it is very costly to do.

The risk you are willing to accept from that vendor should be clearly documented in your contracts with them to avoid unnecessary legal issues should an incident occur.
