FTC's Proposed Amendments Show a Growing Demand for Third-Party Cyber Risk Management
By explicitly including provisions addressing 'external risks to the security, confidentiality, and integrity of customer information' and 'the sufficiency of any safeguards in place to control these risks,' the FTC is shining a spotlight directly on third-party cyber risks.
April 30, 2019 at 07:00 AM
6 minute read
The Federal Trade Commission (FTC) is updating the requirements for organizations to establish a reasonable cybersecurity program, with revised recommendations involving internal actions of a company—like designating a chief information security officer (CISO) who will report on cybersecurity, at least annually, to the board of directors. This suggestion is neither new nor novel, and closely mirrors regulation released by the New York Department of Financial Services (NYDFS). Some of the biggest changes, however, reflect external actions and partners.
The FTC recognizes that in today's technology and business environment, many operational systems involve cooperation, coordination and inter-operability of data and access between the systems operated, owned or licensed by multiple organizations. While this is significant, it should not be a surprise. Many of the largest data breaches have involved compromises that began not within the company, but at a business partner, supplier, outsource or other outside organization. By explicitly including provisions addressing “external risks to the security, confidentiality, and integrity of customer information” and “the sufficiency of any safeguards in place to control these risks,” the FTC is shining a spotlight directly on third-party cyber risks.
|Managing Growing Third-Party Cyber Risks
The findings from Kroll's investigation of thousands of cyber incidents mirrors those of the FTC, indicating that many, if not most, of these events were preventable. Our investigators regularly find that incidents at third-parties occurred because the original company didn't consider, inquire or fully evaluate the risks of partnering with the third party. The fact is that when it comes to third-party cybersecurity, not knowing is no longer acceptable.
Some third parties may provide outsourcing of cyber infrastructure (for example, Amazon Web Services or Microsoft Azure). These services typically document their security features and often have independent certifications and reviews available for customer review, but only reviewing their documents is insufficient. It's vital to determine that you are using their security services appropriately. Just because they offer a security feature doesn't mean that you've chosen to use it.
Most third-party business partners, suppliers or vendors are likely much smaller and less sophisticated, and it should be required to actively determine the security that they employ, the access they will be given and the degree of risk that the connection to that organization represents. For an organization of any size, the number of engaged third parties can quickly scale into the hundreds, or even thousands. This is where a third-party cyber risk management solution helps in carrying out and interpreting vendor risks, along with factors to consider when evaluating a potential (or actual) partner organization.
These solutions accelerate the data gathering and analysis phase, allowing an organization to quickly make risk-informed decisions utilizing industry standard security frameworks such as the NIST Cybersecurity Framework—the same standard controls on which the NYDFS regulations and the FTC's proposed regulations are based. To optimize these decisions, risk assessments and control compliance must be contextualized within your relationship with a given third party.
|Understanding the Impact of Third Parties
It is important to understand the impact third-party organizations can have on your company's cybersecurity. Whether you allow third parties to access your systems, you access theirs or you provide data to a third party, there is risk that must be actively managed. Ignoring this fact doesn't manage or control the risk, it just sets you up for unpleasant surprises at some point down the road.
You also need to determine the degree of connectivity between your systems and the third party. This is largely driven by the functions that need to be performed by the third party and the architecture of your systems. Once this is understood, you should ask three questions:
- Are we providing access to only those systems and functions that are necessary?
- How are we limiting the access?
- Do we know that the restrictions are working?
We repeatedly see that providing more trust, access or privilege than is required to a third party can lead to serious issues.
When a third party is permitted to access your systems, it is important to determine the security of access codes or other authentication methods that are used to carry out the access. Have you considered using the IP address to limit access so that even with the access codes, access will only be granted if the IP address of the person/system requesting access is one that has been provided by the third party? Alternatively, is remote access controlled with dual-factor authentication? For example, when a correct user ID and password are provided, the system might send an authentication message to the authorized user's mobile phone and require a response.
When you provide organizations access to your data, once they have it, you are essentially responsible for their data security failures. If you don't know how effective their security is, you're assuming their risk in the dark. You either need a review by an independent third party (a cybersecurity firm, most likely) documenting the state of security, or to use a tool to obtain enough information to make a determination as to how effectively they are carrying out their cybersecurity responsibility.
It is not unreasonable to ask a potential partner whether they have active cyber insurance, what that insurance consists of and how much coverage there is. You want to make sure if there is an incident involving your (or your customer/client's) data that there is coverage to assure a complete response. Consider having your risk manager or general counsel involved in reviewing their response.
Finally, ask the partner whether they are willing to execute an agreement which mandates good cybersecurity practices and an obligation to notify you if they know or suspect that a breach may have occurred. Work with your general counsel (or outside counsel) to draft the terms of such agreement.
Regulatory standards to “implement and maintain reasonable security procedures and practices” are included in California's forthcoming Consumer Privacy Act (CCPA), and will no doubt appear in others. The updated guidance from the FTC and NYDFS show a rising pressure to manage risks both within and outside of your organization—with a particular focus on third parties. While there is no magic formula for managing third-party risk, ignoring the risk is simply unacceptable.
Alan Brill is a senior managing director with Kroll's Cyber Risk practice. As the founder of Kroll's global high-tech investigations practice, Alan has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions. Shay Colson is a director in the firm's Legal Management Consulting practice at Duff & Phelps and leads the Assessment Team for CyberClarity360. He joined the firm from the U.S. Department of the Treasury and has over a decade of experience in cybersecurity and information assurance, with a focus on designing and building secure systems.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250