Target. Home Depot. Wendys. The stories of significant cyber breaches are in the headlines every day. Board members and CEOs are growing more and more concerned about cyber risk management in their organization. But most don’t realize that each of the three breaches listed above were linked to 3rd party service providers and business associates.
Most of us do review our vendors for contract compliance and service delivery. But very few are also reviewing vendors for their security position. Vendors may or may not follow your security policies which make the vendors a much easier target. If hackers gain entry into a 3rd party service providers’ systems, they can likely leverage stolen information and credentials to pivot into that your systems.
Vendor security is such a significant part of cyber risk management but it’s often overlooked. If you want to improve your cyber risk profile, you should consider the following:
- Build security requirements into contracts – Vendor contracts should clearly spell out the expectations regarding security policies and procedures. Protocols around security requirements should be written into the vendor contracts, such as:
- Specific security policies
- Access controls
- Security reviews
- Periodic audits
- Incident response
- Cyber insurance
- Risk sharing in the event of a breach
- Conduct regular security audits – Once the contractual terms are established, you should regularly audit your vendor’s security position. Questionnaires, on site visits and electronic monitoring can all go a long way in evaluating the effectiveness of the vendor’s security processes. Questionnaires should be used for lower risk environments with onsite audits scheduled at least annually for higher risk vendors.
- Demand SOC for cybersecurity - The current SOC reports do not provide assurance or insight into a vendor’s security risk management program. However, there is a new SOC report framework (the SOC for Cybersecurity) which does specifically audit cyber risk management. You should request that your vendors perform a SOC for cybersecurity audit annually or when there are significant changes to the vendor’s cyber environment.
- Schedule access and security reviews – Every company should be performing access and security reviews daily. There are several services which will perform automated monitoring of access and security issues. The downside to these services is that they may generate false positives. That being said, the activities of any vendor granted access to the company’s systems should be superficially monitored for unusual activity.
Vendor security management is such a growing and significant portion of cyber risk that the AICPA will be issuing a framework to perform audits of these risks. Taking steps today to address vendor cyber risks will help mitigate the exposure to your organization -- and reduce the risk of being the next headline.