These days you would be hard-pressed to find a company that does not conduct business electronically or rely on outside vendors. Doing business electronically and through third-party vendors makes all of us more exposed to cyber-security breaches.
According to one recent study on Third Party Risk Management, more than 60 percent of all data breaches can be attributed to a third-party vendor.
Two recent examples of such breaches were at Equifax in 2016 and Target in 2013. At Equifax, tax and salary data belonging to the company’s clients, such as Kroger and Stanford University, were stolen last May through weaknesses in Equifax’s access controls. The hack of Target’s database exposed the personal data of more than 70 million customers; in that incident, the attacker gained access by first compromising one of the retailer’s vendors, an HVAC company.
To help avoid and minimize the impact of breaches like these, the ABA Cybersecurity Legal Task Force has released its Vendor Contracting Project: Cybersecurity Checklist.
The checklist is designed to manage cybersecurity risk across the whole life cycle of working with third-party vendors: vendor selection, contracting, and ongoing vendor management.
The checklist provides guidance on:
- Conducting a risk management assessment of the proposed vendors to identify relevant threats to security, vulnerabilities, and the potential for those vulnerabilities to be exploited, including the likelihood that harm could occur.
- Reviewing the vendor’s security practices and the vendor’s ability to follow them. Does the vendor have an incident management plan that complies with relevant laws? Is it regularly tested and updated?
- The contracting process, including setting expectations, mitigating risk, and allocating liability. How will the contracting parties interact, share, and manage information? What is the vendor’s commitment to an appropriate security program? How will the vendor’s compliance with that program be assessed and, if necessary, remediated?
The document also includes supporting material in its appendices.
The task force advises that each of us tailor and extend the checklist to reflect the particular regulatory requirements and needs of our clients.
Access to the full checklist is available through this link: