Some of the most significant recent cyber breaches originated at vendors.  We have previously discussed the importance of effective oversight of third parties because vendor breaches can lead to regulatory actions for companies.  Indeed, recent regulatory guidance provides that vendor diligence is an essential part of any cybersecurity program.  This makes sense; there is no point in spending time and resources protecting the data on your network if that same data is unprotected at a vendor.  The NYDFS cybersecurity rules require, by March 1, 2019, a vendor diligence program that includes procedures to identify and assess vendor risks, policies outlining the “minimum cybersecurity practices” required of vendors, due diligence procedures to evaluate the vendor’s cybersecurity practices, and procedures to complete periodic tests of the risks and cybersecurity practices of vendors.  Other regulators and self-regulatory organizations that have emphasized the importance of vendor cyber diligence include the OCC, the SEC, FINRA, and the NFA.

Here are some things that companies are doing to manage their vendor cybersecurity risk:

  1. General Approach to Vendors
  • Identifying the vendors that have access to their system or their confidential data.
  • Placing vendors into different risk categories based on the nature and quantity of nonpublic company information to which they have access.
  • Creating a policy with specific cybersecurity requirements, audit rights, and cooperation rights for each category of vendor with access to their data with the goal of obtaining vendor buy-in.
    • Over time—through negotiation, consolidation, selection of alternative vendors and bringing services in-house—reducing the number of vendors that (1) have access to their sensitive data, and (2) do not meet their vendor goals.
  2. Sample questions for specific vendors to assess their cyber risk
  • Do you have any cybersecurity certifications?
  • Do you comply with any applicable guidance or regulations, such as NYDFS, GDPR or NIST?
  • Do you have a Chief Information Security Officer (CISO)?
    • To whom does he or she report?
  • Are you covered by any cybersecurity insurance?
    • What is covered and what is the deductible?
  • Describe the access control measures, physical and digital, that you use to restrict employees to the electronic data necessary for their business functions.
    • Do you employ network segmentation?
  • Do you monitor activity of authorized users to detect unusual downloading, copying, or altering of nonpublic information?
  • Do you require two-factor authentication for remote access into the Company’s computer system?
  • Do you allow the use of removable data storage devices?
  • Do you allow employees to use company data on personal smartphones?
    • Are personal and company data segregated on the device?
  • Are laptops encrypted?  Is there a means to remotely wipe data on a lost or stolen phone?
  • What are your data encryption policies?
  • What is your password management policy?
  • What cybersecurity training do you offer to your employees?
  • Do you have a written incident response plan? Has it been tested?
  • Do you maintain written disaster recovery and business continuity plans?
    • How often are these plans updated and tested?
  • Have you experienced a cybersecurity event in the past two years?
    • What happened and what is the current status of any remediation efforts?
  • Have you undergone a cybersecurity risk assessment or a penetration test in the last 12 months? If so, who conducted the test and were all of the recommendations implemented?
  • How will you cooperate in incident preparedness?
    • Will you agree to permit the Company to review your cyber policies, procedures and training?
    • Will you allow the Company to arrange for cybersecurity audits, or will you conduct your own audits and agree to share the results with the Company?
  • How will you cooperate during incident response?
    • Will you agree to notify the Company of any data incident concerning the Company’s data within a set time period (e.g., 24 hours) after discovery?
    • Will you agree to provide all reasonable assistance to the Company with any investigation into a cybersecurity incident affecting the Company’s data?
    • Will you agree to deliver to the Company any devices, or copies of the contents of any devices, that may be relevant to an incident involving the Company’s data within a certain period of time following a request?
    • Will you agree to coordinate with the Company on any external communications relating to a cyber incident that involves the Company’s data?

As the NYDFS acknowledges in its FAQ on third-party cybersecurity due diligence, there is no “one-size-fits-all solution,” and companies need to take a risk-based approach to figuring out what obligations they will impose on their vendors to ensure that all their efforts to secure their data won’t be undone by their vendors’ failure to follow suit.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations.  We have a section on the Portal dedicated to Vendor Due Diligence.  If you have questions about the Portal, please contact avi.gesser@davispolk.com.