Cybersecurity risk from third-party service providers, vendors, suppliers and contractors (collectively referred to in this article as third-party providers) is a significant source of risk to businesses and professions. According to a recent study of information security practices, 74 percent of companies do not have a list of the third-party providers who handle their employee and customer data.[1] Another survey revealed that only 42 percent of businesses even consider vendor risk in their work.[2] Not surprisingly, this lack of attention to third-party providers has consequences. In its 2013 Global Security Report, Trustwave found that of 450 data breach investigations, 63 percent were directly linked to a third party providing IT services.[3]
Managing third-party provider risk is plainly integral to an organization’s overall cybersecurity risk management program. Responding to the growing recognition of “third-party risk,” regulators are sharpening their focus on how businesses manage third-party providers, to the point of mandating (or at least strongly encouraging) specific types of terms in contracts with parties that access or manage a company’s systems or data. Regulators are further extending their reach by mandating cybersecurity policy content and certain risk management practices for third-party provider arrangements. The much-discussed new rule pending with New York’s Department of Financial Services (the “DFS Rule”)[4] is just one of the latest examples of regulators picking up the pen on commercial contracts involving cyber risk and on cyber policies involving third-party providers. As currently worded, the DFS Rule (effective on March 1, 2017) requires financial entities to create written security policies specifically addressing third-party providers. This includes the use of certain contract terms requiring third-party providers to establish multifactor authentication and encryption capabilities and to adhere to 72-hour notification requirements following a breach.[5]