Assessing and managing cyber-risks are difficult, and the challenge only increases when third-party service provider and vendor relationships are involved
Assessing and managing cyber-risks are difficult, and the challenge only increases when third-party service provider and vendor relationships are involved. Such relationships often require organizations to share sensitive, often personally identifiable information or provide access to their information technology (IT) networks and systems.
How can corporate counsel address these escalating risks with their limited resources?
Inserting privacy and data security risk management activities into an organization’s existing procurement procedures simplifies the process while decreasing cyber-incident and regulatory compliance risks. In a recent webinar, Data Safety: Understanding Third-Party Vendor Due Diligence, Mel Gates, Thomson Reuters senior legal editor for Privacy & Data Security, spoke with Gina Jurva from Thomson Reuters Legal Executive Institute about why vendor risk management matters and how to build a sustainable three-part process.
Regulatory & Market Risks
Public and private sector organizations often seek to lower costs, improve efficiencies, and bolster their capabilities by engaging service providers and vendors for their technology and data-related expertise. Most organizations also depend on more traditional service providers that must access valuable systems and data, such as outside counsel, business consultants, and accounting or auditing firms. However, engaging third parties to perform activities that involve accessing an organization’s IT systems or handling personal information carries certain challenges, such as:
- It changes an organization’s cyber-risk profile, typically increasing privacy and data security risks. Even using expert vendors often requires transferring sensitive data or creating new network entry points — each inevitably expanding an organization’s potential cyberattack surface.
- It requires the organization to take specific contracting and oversight steps to comply with a growing body of jurisdiction-specific laws, regulations, and industry standards.
- It also does not relieve the organization of its obligation to protect privacy and data security in the market’s view. Consumers, investors, business customers, and partners have shown an increasing willingness to discredit companies that suffer data breaches, even if a third party is at fault.
Indeed, heightened global sensitivities mean that multinational organizations must address regulatory obligations ranging from the E.U.’s General Data Protection Regulation (GDPR) to a growing set of current and proposed personal data protection laws, including those in the Asia-Pacific region and across developing economies, such as Brazil and India. In the U.S., well-known sector-specific laws, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), impose specific privacy and data security requirements on financial services and health care entities that handle highly sensitive information.
Those and other organizations must be mindful of the Federal Trade Commission’s privacy and data security expectations and a rapidly expanding set of generally applicable state laws. The recently effective California Consumer Privacy Act (CCPA) garners well-deserved attention as a near-comprehensive data protection law, but some 20 states also have reasonable data security standards for protecting personal information. Further, all 50 states have data breach notification statutes, and many state laws specifically address third-party contracting and oversight.
The Process-Driven Approach
Privacy and data security risks necessarily vary according to a particular vendor’s role but addressing them on a purely case-by-case basis easily leads to gaps. Corporate counsel need a method for identifying and helping the business manage risks consistently and efficiently. Inserting key risk management steps into an organization’s existing procurement procedures minimizes administrative burdens and helps drive stakeholder engagement.
Three cyclical steps provide comprehensive risk management, including:
1. Pre-engagement due diligence — Organizations use various methods to gather important details about proposed services and identify potential privacy and data security risks. Common tools include questionnaires, independent audits, and certifications against well-known industry standards. Compliance-minded counsel can add value by:
- helping stakeholders explore options that minimize risks by limiting access to the organization’s systems and data while still meeting business needs;
- reviewing potential vendors’ policies, procedures, and cyber-incident histories;
- asking tough questions about data use and regulatory compliance; and
- helping the business weigh identified risks against its needs and tolerance levels.
2. Contract drafting & negotiation — Executing a formal request for proposal (RFP) or similar procurement process can help identify potential risks and compare them across vendors. Developing standard contract terms that reflect an organization’s cyber-risk tolerance and privacy obligations is helpful, even if counsel must accept vendor paper in some relationships. For example, standard terms can provide a useful comparison and means for explaining potential risks and scenarios to the business. Showing flexibility and a willingness to partner in key operational areas such as cyber-incident response may lower overall risks, depending on the contracted services.
3. Oversight & enforcement — Executing a contract may be an exciting moment for the business, but astute counsel know it is just the beginning of service provider risk management. Solid oversight and enforcement protocols, including periodic reviews, close the risk management process loop and help organizations identify issues early, before an incident occurs.
Inserting privacy and data security risk management into existing procedures builds awareness among stakeholders and provides a predictable, sustainable process for resource-constrained legal groups. Timing is everything in vendor risk management — addressing these risks upfront and simultaneously with service design and pricing makes it clear that the organization takes them seriously.
That message is important to send to potential vendors, but it is crucial for regulators, if a data breach or other cyber-incident occurs.
View the full webinar Data Safety: Understanding Third-Party Vendor Due Diligence here.