Data breach headlines are putting more pressure on corporate counsel to ensure that the company’s data is properly protected. This includes data managed by third party vendors, which have been spotlighted by the large number of breaches resulting from the exploitation of a vendor’s vulnerability. Both the Target1 and Home Depot2 hackers gained access to the companies through their service providers. This left the latter with a breach of about 56 million customer payment card accounts and 53 million email addresses. The list continues with upward of a third of all breaches occurring through vendors or affiliates.3 It is no wonder controlling vendor risk is moving toward the top of board agendas.
To address this risk some companies now require vendors to demonstrate that they have appropriate security controls in place. To overcome the burden of monitoring compliance, many also require certification to a particular standard by an independent auditor, typically in alignment with the company’s own internal security requirements. Vendor certification may also be required by other governing frameworks. The most common among these include Health Insurance Portability and Accountability Act (HIPAA) assessments, the American Institute of Certified Public Accountants Service Organization Control Reports (SOC 2), the Payment Card Industry Data Security Standard (PCI), and/or ISO 27001 certifications. Similarly, Securities and Exchange Commission Guidance requires that companies not only disclose material cybersecurity events when they occur but also disclose material risks that could occur.4 For those companies that outsource functions with material risks, the Guidance requires a description of those functions and how companies address the risks.
The biggest challenge for everyone receiving attestations from their vendors, however, is the question of adequacy. Not all certifications are equal, and some appear to be mismarketing them. Companies need to carefully consider certification claims – for example, they may boast of Type II SOC 1, SOC 2, SOC 3 and ISO 27001 certifications for new data centers. Yet, a closer look could reveal that the vendor is simply using a third-party data center that is so certified, as opposed to the vendor’s controls being certified. Using a certified data center means those certifications apply only to the level of controls available at the center itself; it does not mean the vendor is applying these standards to all of its own physical, technical and administrative controls deployed across all its processes and workflows. This difference is especially important in an era of rising cyberthreat levels. Just as the best safe in the world is useless if left unlocked, the most secure data center offers little security if the credentials that allow access aren’t properly managed. It is also meaningless if your employees’ laptops aren’t locked down, or they routinely use portable media without proper encryption. It’s imperative to dig past these statements and closely examine the actual controls deployed across their entire operation.
This is particularly critical in the age of rising cybersecurity events. Once a public company has outsourced a data processing function to a vendor and that vendor experiences a security incident, it can create a material issue for the company that must be disclosed. The company will then be required to defend itself against a claim that it should have disclosed the (now apparent) material risk associated with the original outsourcing decision. The fact that the company did as much due diligence as possible, including selecting a supplier that was certified to acceptable standards, and subject to ongoing certification audits, could be the best defense in such circumstances.
The opinions expressed are those of the author and do not necessarily reflect the views of AlixPartners, LLP, its affiliates, or any of its or their respective other professionals or clients.
David White is a director at AlixPartners LLP, where he advises clients on information governance, information security and electronic discovery. He can be reached at [email protected].
Footnotes:
[1] Brian Krebs, “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity.com, February 14, 2014, accessed March 9, 2016, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/.
[1] Tara Seals, “Home Depot: Massive Breach Happened Via Third-Party Vendor Credentials,” Infosecurity Magazine, November 7, 2014, http://www.infosecurity-magazine.com/news/home-depot-breach-third-party/.
[1] Warwick Ashford, “Bad outsourcing decisions cause 63% of data breaches,” Computer Weekly, http://www.computerweekly.com/news/2240178104/Bad-outsourcing-decisions-cause-63-of-data-breaches.
[1] “Cybersecurity Guidance,” Securities and Exchange Commission, April 2015, https://www.sec.gov/investment/im-guidance-2015-02.pdf.
Published March 29, 2016.