In today’s business world, it’s pretty common to rely on third-parties to perform or support critical operations. However, this reliance opens your organization up to cyber risk, especially if you work with vendors who have access to your customer and/or sensitive data or access to your internal network. This access effectively expands your cyber-attack surface. That’s why having a vendor management program should be a critical part of your operations. You have sole responsibility for protecting your data – you can’t outsource that – so you need to understand how your vendors manage their own internal control environment and their connection to yours, so you can ensure it meets or exceeds your internal policy and standards requirements.
Before deciding to work with a critical vendor, or any vendor who will have access to your data or your network, you must do your due diligence. A fair bit of research should go into the process because the security of your information in on the line. Your critical vendors are critical for a reason. They are critical to your operations. Something happening to them could have a serious impact on your business.
Before you enter into a relationship with a critical vendor, you should complete a Due Diligence Review, which means you have to do three important things.
#1. Do Your Research
This is the part of the process where you engage with your vendor and obtain the information you need to assess their cybersecurity readiness and resilience. You should require all your critical and high risk vendors to provide:
- Evidence that security controls are in place and that they are effective – this can be a SOC report, a synopsis of their last independent penetration and vulnerability test, or some other certification from a regulatory body (i.e., ISO/ICE 27001, HIPAA’s Certified Health Product List, Payment Card Industry (PCI), etc.).
- Evidence that they can continue to provide contracted services in the event of a disaster – this includes Disaster Recovery and Business Continuity Plans.
- Evidence that they have a strong incident management program, and will duly report incidents to you as required by law, regulations, and best practice. You need to know when they will notify you that they’ve had a breach, a vulnerability is found in their software, or some other event that will impact your business. Understand what their reporting and notification standards look like.
This process can’t just be lip service. You need to require some evidentiary documentation that can assure you that a vendor is doing what they say they are to protect your data and/or the connection to your data. Here is some documentation you should request as part of your due diligence:
- Synopsis of Information Security Program - What do their policies and standards look like? What are the sections and domains of their security program?
- Synopsis of Business Continuity Plan and Disaster Recovery Plan
- Synopsis of Incident Response Program
- Date and results of last Disaster Recovery test – Were they able to bring up your service within an expected recovery time? What are the recovery time objectives?
- List of data breaches in the last 24/36 months
- Proof of Insurance
- Financial Statements – Are they secure? Will the business be around in 5 years?
Our experience at Tyler is that collecting documentation is one of the most challenging parts of running a vendor management program, but it’s essential. Keep in mind that the vendor’s ability to deliver documentation to you in a timely and sufficient manner will be key in determining if further investigation is warranted. If they are doing business with others in your industry, they should be expecting requests, and have a package ready. If they are hesitant, it’s a red flag and may be a show stopper. If you can’t get the information you need, you should move along to someone else because it’s a clear indication that their business practices are not in line with yours.
You can contract with a third-party to connect to, store, process, or transmit your data, but you can’t outsource the risk. The relationship doesn’t move the risk to that other entity. It only moves the performance of the function. So it’s important to understand that you always own the risk, and you’re going to be the one that suffers if there is an incident during that relationship. Good documentation provides evidence that the vendor cares about security. Weak documentation tells a different story.
#2. Develop a Strong Contract
It’s one thing to do the research, but you also want contract language that requires both controls and behaviors. This is your negotiation. If you are a small fish working with a big fish, it can be a big challenge. But you still want to ask questions and see how much of the language you can get into the contract.
So, as part of the evidence of security controls, you should try to include the following in your contract:
- Requirements to keep systems and data secure per best practices and industry standards
- Confidentiality and privacy requirements
- A requirement to notify you of security beaches, incidents, and vulnerabilities
- A requirement to undergo independent penetration and vulnerability assessments
- A requirement to provide you access to audit documents
Your legal department, along with your leadership team, should create your contract.
A strong contract gives you power in the relationship, and this can be especially important for smaller organizations. You want to make sure you have lever you can pull that has a financial penalty. That gives you the power to say, we won’t pay if you don’t live up to these contract standards.
# 3. Have a Back-Up Plan
Identifying alternative vendors is an important best practice, especially in terms of business continuity planning. If the worst happens, you should have a back-up plan ready to go. At a minimum, you should identify an alternate vendor, and know their phone number, website, and location. For critical or high risk vendors, you should also do some basic research. If feasible, establish a contingency relationship with the vendor. Get to know each other, so that if you do have to call on them, you’re not starting from ground zero.
An effective due diligence review is more than a paperwork burden. It’s a critical part of your cyber-defense strategy when assessing your vendor cybersecurity risk.
Need assistance with assessing the cybersecurity of your service providers?
Tyler can help! As external dependencies continue to grow, setting up and maintaining an effective cybersecurity review program can be a daunting task. We can assist with the implementation of a program that makes sense for your organization’s business needs and is tailored to the unique conditions that are the byproduct of every third-party business relationship.