Third-party cyber risk, the cybersecurity threat posed to an organization by parties outside its own cyber walls, can be a more significant liability than internal security risk. Security and compliance professionals often refer to an organization's technology as a data ecosystem because of the interconnectedness and symbiosis that occur across virtual boundaries.
Think of the challenges of the coral reef. One of the most diverse ecosystems, the coral reef includes coral, sponges, fish, sea turtles, dolphins, and a variety of other endangered marine wildlife. Its gentle balance easily becomes disrupted by pollution, climate change or storms that dangerously impact the variety of species living there. For example, seagrass both feeds and protects marine wildlife. A single pollution event that destroys the seagrass on the reef leaves some wildlife starving while others become homeless and more open to predators. This leads to changes in the ecosystem that hurt both the reef and the life it supports.
Similarly, a single third-party data event can leave a company's data at risk and its data ecosystems open to malicious actors.
The Institute of Risk Management defines cyber risk as "any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology systems." Organizations increasingly rely on third-party vendors to provide a variety of IT-based services, from SaaS platforms to cloud storage, making this definition one-dimensional.
Data environments work like the coral reef. A data breach at a single vendor leads to a dangerous ripple effect throughout the entire information ecosystem. A compromised vendor impacts not only its customers but also those who rely on its customers, disrupting the delicate balance of information security.
Similar to pollution in the coral reef, the costs of a data breach often run deeper than the initial mitigation and data loss. Multiple factors can increase the cost of a data breach from $5.5M to $8.1M. The IBM Data Breach Calculator allows organizations to review the factors that can mitigate overall cost. All other things being equal, third-party involvement increases the cost from $7.3M to $8.1M. Couple extensive cloud migration with third-party involvement and the calculated cost increases to $8.6M per incident.
In short, more vendors, more problems.
Third-party cyber risks arise out of vendor security vulnerabilities. Organizations control their own environments but have limited control over the security measures taken by their vendors. By running vulnerability management tools as part of vendor selection, onboarding and audits, they can review potential partners' security weaknesses. While third-party business relationships rely on trust, organizations need to verify that trust with action.
Payroll processing services offer an excellent example of the potential risks. Payroll processors must be PCI DSS compliant. To assure their customers, they present documentation of their compliance. However, if they do not engage in ongoing monitoring, they leave customer data vulnerable. That customer data includes the personal data of all of their customers. Thus, when malicious actors compromise a payroll processor's systems, they compromise all the personal data inherent in all of its business contracts, both upstream and downstream.
Cybersecurity incorporates the different policies, procedures, and controls needed to protect a data ecosystem. Organizations can include role-based authorizations or multifactor authentication as cybersecurity protections. Additionally, they can teach employees cybersecurity awareness.
Establishing appropriate third-party risk management creates a symbiotic relationship. Much as the sea anemone and clownfish work together to protect each other on the reef, so should vendors and organizations protect each other. The sea anemone houses the clownfish, while the clownfish protects the anemone from the parasites that live on it. Any shift in the delicate balance causes that relationship to lose its protective qualities.
The same is true for third-party cybersecurity. The failure of one IT control shifts the protective balance between the third party and the primary organization.
According to the Ponemon Institute's second annual "Data Risk in the Third-Party Ecosystem" study, which interviewed 625 information security professionals across varied industries, 56% confirmed that third parties led to some form of data breach. Additionally, 42% noted that third parties led to misuse of sensitive data.
Third-party security issues pollute an organization's cybersecurity environment. Just as an oil spill spreads across the coral reef, contaminating the water and shore, so does a single breach spread across the vendor's ecosystem. As that data incident spreads across all those whose data the vendor touches, it contaminates multiple companies and individuals.
Larger organizations may feel that hiring a Chief Information Security Officer (CISO) protects them from liability. Smaller organizations may attempt to engage security consultants or information security firms in establishing protections.
Unfortunately, processes alone leave organizations at risk. Controls fail. Procedures break down. Monitoring the environment requires tools to protect an organization. Safeguarding against an organization's own cyber risk can already overwhelm it; incorporating continuous monitoring of every vendor becomes an impossible dream.
Vendor risk management, also called third-party risk management, requires reviewing contractual agreements to ensure ongoing cybersecurity best practices. Service level agreements (SLAs) should incorporate a series of protections. Organizations must review SLAs annually and document their third-party monitoring strategies. Any SLA should include a clause covering data access and security, including the third party's responsibility to protect the data. Adding audit attestation requirements to the SLA can also improve organizational insight into vulnerabilities arising from vendors.
Since third-party risk leaves companies open to additional liabilities, supply chain risk management requires constant vigilance so that liability stays with the party that left itself vulnerable. Contractual requirements provide only limited protection. True, the vendor may be the one who caused the breach, but without appropriate Board and executive management oversight, the contracting company becomes equally liable.
Legal actions arising out of claims and cross-claims cost all companies time and money.
Cyber insurance does not provide cybersecurity solutions. It does, however, provide cyber liability protections.
Time and again, courts have noted in coverage litigation that traditional Commercial General Liability (CGL) policies do not cover losses arising out of cyber incidents. While the environmental litigation of the late 1970s and early 1980s found provisions within CGL policies to help defray litigation and liability costs for pollution claims, modern courts have consistently held that few cyber liabilities fall within traditional CGL policies. Most notably, a New York trial court found no duty to defend, thus precluding indemnification, in the Sony breach that led to sixty class action lawsuits (Zurich American Insurance Company v. Sony Corporation of America, et al., Index Number: 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014)).
Thus, organizations need to purchase cyber insurance to protect against these risks. The Insurance Services Office (ISO) created policy language and coverages to address this coverage gap. This new coverage includes stand-alone insurance policies, commercial package policies, and roll-on coverage that attaches to existing coverages such as business owners or Directors and Officers policies. The coverage and rating approaches focus on first- and third-party coverages that account for revenue and the number of records at risk.
Zeguro's partnership with Hartford Steam Boiler, part of Munich Re, an A++ rated insurance company, helps organizations tailor coverage to their needs.
Different organizations experience different third-party risks and have different approaches to vendor risk management capabilities. Zeguro eases organizational stress by providing the tools to continuously monitor and audit each company's security ecosystem to help it focus on maintaining a healthy cyber environment and tailor the insurance coverage appropriately.
For more information, contact Zeguro today to learn more about how we can enable better business practices by mitigating and managing cyber risk.