Managing third-party cyber risk that increases your organizational exposure
As organizations increasingly turn to independent contractors for products and services, third-party breaches have become a top cyber threat. Recent events with Caesars Entertainment and MGM Grand clearly illustrate this fact.
At Caesars, the social engineering attack of one of its IT vendors stole Social Security and driver's license numbers from customers. By August of this year, the number of known victim organizations surpassed 1,000, totaling more than 60 million affected individuals.
How is your organization at risk?
Vendor-related cyber threats can put your organization at risk in numerous ways, including:
- Third-party software: If a Vendor provides applications or software that the company uses and these tools have security vulnerabilities or back doors, they can be exploited by cybercriminals to compromise the company's data or systems.
- Data sharing: If Vendors require access to the company's data for legitimate purposes and they mishandle or inadequately secure this data, this can lead to data breaches.
- Inadequate security practices: Vendors without robust cybersecurity make them easier targets for cyberattacks. Once a vendor is compromised, the bad actors can turn to target the company.
- Dependency on cloud services: Many companies rely on cloud service providers. If these vendors experience downtime or security incidents, it can disrupt the company's operations or expose its data.
- Lack of monitoring: Assuming vendors are secure by not closely monitoring or auditing their vendors' security practices can leave vulnerabilities unnoticed.
- Subcontractors: When Vendors subcontract services to other third parties, without visibility into the subcontractors’ cybersecurity practices, this can increase the attack surface.
- Supply chain vulnerabilities: If Vendors have weak cybersecurity measures, attackers might exploit their systems to gain access to the company's network through the supply chain.
How to mitigate third-party cyber threats
Companies can take several proactive steps to protect themselves from cyber threats caused by vendors and other sources, including:
- Vendor risk assessment: Before entering into any contracts, conduct thorough assessments of vendors' cybersecurity practices: evaluate their security policies, procedures, and compliance with industry standards.
- Contractual agreements: In vendor contacts, include robust cybersecurity clauses which define security responsibilities, incident response procedures, and liability for breaches.
- Stay informed: Adapt your vendor management strategies while keeping up to date with evolving cybersecurity threats and trends.
- Third-party cyber insurance: To mitigate financial risks associated with vendor-related cyber incidents, consider third-party cyber insurance.
- Data encryption: Encrypt sensitive data exchanged with vendors to prevent unauthorized access.
- Exit strategy: Develop a contingency plan for vendor transitions to ensure a seamless shift of services without compromising security.
- Regular audits: Periodically verify compliance with agreed-upon security standards via security audits of vendor systems.
- Vulnerability management: Regularly assess and remediate vulnerabilities in vendor-supplied software or services.
- Security policies: Limit vendor access to the minimum necessary for them to fulfill their role. Align vendor access policies with your organization's security policies.
- Communication: Ensure open communication with vendors to quickly address security vulnerabilities and concerns.
- Security training: To ensure vendors are aware of cyber risks and how to mitigate them, require vendors to train their employees on security best practices and data protection.
- Incident response plans: Discuss with vendors to incident response plans to address potential breaches promptly and effectively.
- Monitoring and logging: To help detect any suspicious or unauthorized actions, implement continuous monitoring and logging of vendor activities on your network
- Multi-factor authentication: Enforce multi-factor authentication for vendor access to critical systems or data.
- Compliance checks: Verify that vendors comply with relevant regulations, such as General Data Protection Regulation (GDPR) or HIPAA.
By implementing these practices, companies can enhance their cybersecurity posture and reduce the risks associated with their vendor relationships.
How USI can help
USI works with clients to reduce cyber and privacy exposures through risk management and provides cyber risk transfer via insurance. Our cyber experts begin by reviewing existing cyber and technology errors and omissions (E&O) policies and benchmarking current limits and retention. We then use risk profile and network scanning tools to assist clients in improving their cyber risk profile prior to marketing their insurance to secure a favorable placement. For further information, please reach out to Sean McGee.
Sean McGee
Vice President, Commercial Property & Casualty, USI Insurance Services LLC
About the Goering Center for Family & Private Business
Established in 1989, the Goering Center serves more than 400 member companies, making it North America’s largest university-based educational non-profit center for family and private businesses. The Center’s mission is to nurture and educate family and private businesses to drive a vibrant economy. Affiliation with the Carl H. Lindner College of Business at the University of Cincinnati provides access to a vast resource of business programing and expertise. Goering Center members receive real-world insights that enlighten, strengthen and prolong family and private business success. For more information on the Center, participation and membership visit goering.uc.edu.
Related Stories
Protect Company Assets by Mitigating Cyber Risks
April 8, 2021
Cyber threats and insurance have become a ubiquitous business issue. Insurance is intended as a vehicle to transfer catastrophic risk to carriers contractually in consideration for premium dollars. There is no coverage area where the risks evolve more rapidly than cyber, and so the insurance must evolve with it.