Cyber risk: Addressing the elephant in the room

One of the biggest risks to data security is lack of vendor (third party) and vendor subcontractor (fourth party) management. Companies can mitigate ever-increasing vendor data security risk through the purchase of appropriate cyber insurance coupled with well-thought-out due diligence and contract negotiations.

Managing increased risk from reliance on third- and fourth-party service providers

Companies are increasingly using more vendors and in the process entrusting them with access to company- and customer-sensitive data. Without proper vendor evaluation and controls, vendor risk cannot be adequately understood and addressed.

To complicate matters further, vendors themselves are more often relying on subcontractors (“fourth parties”) to render services. For example, some vendors use fourth parties to host data or even the vendors’ platforms or infrastructure. If primary vendors are not properly assessed, or controls are not placed on fourth parties that may be used to render primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without companies’ knowledge.

Companies can contractually limit this exposure by prohibiting vendors from using fourth parties without pre-approval. Such pre-approved fourth parties should be identified during contract negotiations, and the contract should identify requirements that approved fourth parties must meet.

To further mitigate risk, companies can require security reviews of fourth parties. 

Legislatures and regulators are stepping in

By March 1, 2019, the New York Department of Financial Services Cybersecurity Regulation (“Regulation”), N.Y. Comp. Codes R. & Regs. tit. 23, § 500.00 et seq. (2017), requires certain vendor management practices that are independent of, and in addition to, vendors’ own compliance and certification requirements under the Regulation. Other jurisdictions are following suit. For example, Colorado’s recently enacted law (H.B. 18-1128 (Colo. 2018)) requires oversight of vendor security procedures when vendors store or process personal identifying information on a company’s behalf.

The right insurance policy can mitigate vendor risk

Companies cannot assume that cyber insurance covers cyber incidents (“breaches,” malware, ransomware, etc.) on vendor or fourth-party systems. Cyber insurance policies may impose any number of conditions:

  • That the insured have a written contract with the entity on whose system the incident occurred;
  • That the compromised entity maintain a computer system on the insured’s behalf;
  • That the compromised entity provide services directly to the insured.

Cyber insurance policies may also drastically reduce the amount of coverage for incidents that occur on vendor (or fourth-party) systems, or exclude coverage entirely. Companies need to thoroughly understand both their vendor relationships and their cyber insurance policies to effectively mitigate cyber risk through insurance. Counsel experienced in responding to data incidents and their aftermath (including litigation) and negotiating technology vendor contracts can greatly assist clients in this respect.

Vendor (and fourth-party) cyber insurance

In addition to a company’s own cyber insurance policy, vendor cyber insurance policies may cover the company for cyber incidents. Companies should consider requiring that vendors maintain insurance that protects companies as additional insureds in the event of cyber incidents related to vendor services, including any incident that may occur through fourth parties.

Cyber insurance is not a silver bullet

Vendor and fourth-party risk can be managed by cyber insurance policies, due diligence and/or contractual controls. However, analysis of legal risk presented by vendor services, negotiation of contractual controls and creation of vendor management programs can be daunting. Experienced attorneys who have counseled clients on these issues, both as external and in-house counsel, can successfully guide businesses through these issues.

Christopher Hayes is special counsel at Phillips Lytle LLP, a CompTIA Security+ professional and member of the firm’s Data Security & Privacy Practice Team: chayes@phillipslytle.com; attorney Elizabeth Bove also is a member of that team: ebove@phillipslytle.com.