Managing third-party cyber risk that increases your organizational exposure

As organizations increasingly turn to independent contractors for products and services, third-party breaches have become a top cyber threat. Recent events with Caesars Entertainment and MGM Grand clearly illustrate this fact.

At Caesars, the social engineering attack of one of its IT vendors stole Social Security and driver's license numbers from customers. By August of this year, the number of known victim organizations surpassed 1,000, totaling more than 60 million affected individuals.

Vendor-related cyber threats can put your organization at risk in numerous ways, including:

1. Third-party software: If a Vendor provides applications or software that the company uses and these tools have security vulnerabilities or back doors, they can be exploited by cybercriminals to compromise the company's data or systems.
2. Data sharing: If Vendors require access to the company's data for legitimate purposes and they mishandle or inadequately secure this data, this can lead to data breaches.
3. Inadequate security practices: Vendors without robust cybersecurity make them easier targets for cyberattacks. Once a vendor is compromised, the bad actors can turn to target the company.
4. Dependency on cloud services: Many companies rely on cloud service providers. If these vendors experience downtime or security incidents, it can disrupt the company's operations or expose its data.
5. Lack of monitoring: Assuming vendors are secure by not closely monitoring or auditing their vendors' security practices can leave vulnerabilities unnoticed.
6. Subcontractors: When Vendors subcontract services to other third parties, without visibility into the subcontractors’ cybersecurity practices, this can increase the attack surface. 
7. Supply chain vulnerabilities: If Vendors have weak cybersecurity measures, attackers might exploit their systems to gain access to the company's network through the supply chain.

Companies can take several proactive steps to protect themselves from cyber threats caused by vendors and other sources, including:

• Vendor risk assessment: Before entering into any contracts, conduct thorough assessments of vendors' cybersecurity practices: evaluate their security policies, procedures, and compliance with industry standards.
• Contractual agreements: In vendor contacts, include robust cybersecurity clauses which define security responsibilities, incident response procedures, and liability for breaches.
• Stay informed: Adapt your vendor management strategies while keeping up to date with evolving cybersecurity threats and trends. 
• Third-party cyber insurance: To mitigate financial risks associated with vendor-related cyber incidents, consider third-party cyber insurance.
• Data encryption: Encrypt sensitive data exchanged with vendors to prevent unauthorized access.
• Exit strategy: Develop a contingency plan for vendor transitions to ensure a seamless shift of services without compromising security.
• Regular audits: Periodically verify compliance with agreed-upon security standards via security audits of vendor systems. 
• Vulnerability management: Regularly assess and remediate vulnerabilities in vendor-supplied software or services.
• Security policies: Limit vendor access to the minimum necessary for them to fulfill their role. Align vendor access policies with your organization's security policies. 
• Communication: Ensure open communication with vendors to quickly address security vulnerabilities and concerns.
• Security training: To ensure vendors are aware of cyber risks and how to mitigate them, require vendors to train their employees on security best practices and data protection. 
• Incident response plans: Discuss with vendors to incident response plans to address potential breaches promptly and effectively.
• Monitoring and logging: To help detect any suspicious or unauthorized actions, implement continuous monitoring and logging of vendor activities on your network 
• Multi-factor authentication: Enforce multi-factor authentication for vendor access to critical systems or data.
• Compliance checks: Verify that vendors comply with relevant regulations, such as General Data Protection Regulation (GDPR) or HIPAA. 

By implementing these practices, companies can enhance their cybersecurity posture and reduce the risks associated with their vendor relationships. 

USI works with clients to reduce cyber and privacy exposures through risk management and provides cyber risk transfer via insurance. Our cyber experts begin by reviewing existing cyber and technology errors and omissions (E&O) policies and benchmarking current limits and retention. We then use risk profile and network scanning tools to assist clients in improving their cyber risk profile prior to marketing their insurance to secure a favorable placement. For further information, please reach out to Sean McGee.