March 01, 2018

Third-Party Vendors Can Be a Weak Link

ABA Vendor Contracting Cybersecurity Checklist Focuses on the Procurement Process to Strengthen Security Protections

By Lucy L. Thomson

Organizations commonly outsource a variety of services to external vendors and business partners, both domestic and overseas. Security is only as strong as its weakest link. As data breaches continue to grow, a look behind the numbers reveals that many of the breaches originated from third-party vendors and business partners.

As part of a comprehensive security program, the procurement process can be used to strengthen the security posture of organizations and their third-party business partners. The ABA Vendor Contracting Project Cybersecurity Checklist frames issues that contracting parties should consider consistent with common principles for managing cyber risk.

Third-Party Vendor Risks

Sometimes third-party vendors perform functions that, while important, appear inconsequential in the larger scheme of things or lie outside the core business of the organization, and so do not look like a likely target of a cyberattack. They may not even be on the radar of procurement officials. Precisely because they are overlooked, such vendors can become a path into the organization: outsourcing business functions may create significant security vulnerabilities, putting sensitive and confidential personal records, proprietary information, and systems at risk.

The Target data breach was the first of a barrage of attacks on point-of-sale (POS) systems manufactured or operated by third-party vendors. Hackers first gained access to Target’s network with a username and password stolen from a company that provided refrigeration and HVAC services to Target. In the breach of the U.S. Office of Personnel Management (OPM) disclosed in 2015, hackers used credentials stolen from a federal background check contractor to access OPM’s network and steal the sensitive background-investigation records of more than 21 million current, former, and prospective federal employees and contractors, including senior executives, judges, and members of Congress. In both cases a vendor’s valid credentials were the initial foothold; the lesson for purchasers is that vendor access should be limited to what the vendor’s function actually requires. Third-party vendors have been the entry point for dozens of breaches.

Strengthening Security through the Procurement Process

When contracting for products and services, organizations can specify cybersecurity requirements that third-party vendors must meet. Including cybersecurity in the procurement process helps ensure that both purchasers and suppliers consider security from the design phase of system development onward, so that it is carried through the entire product life cycle, improving overall reliability and reducing cyber risk. Contract representations and warranties establish the cybersecurity conditions that third-party vendors have agreed to and must follow.

Checklist Highlights

At the request of the U.S. Department of Treasury, the ABA Cybersecurity Legal Task Force, in collaboration with the Business Law and Science & Technology Law Sections, developed a Cybersecurity Checklist for use in vendor contracting. Cheryl M. Burtzel (Austin, Texas), Candace M. Jones (New York, New York), Lisa R. Lifshitz (Toronto, Ontario, Canada), and Lucy L. Thomson (Washington, D.C.) are the Checklist’s authors.

The Checklist (https://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity%20Task%20Force%20Vendor%20Contracting%20Checklist%20v1.1%2004-13-2017.pdf) identifies four key issues contracting parties should consider in the procurement process:

  1. Establish a cybersecurity strategy before undertaking transactions.
  2. Conduct a risk assessment of proposed vendors.
  3. Review vendors’ security practices and their capacity to follow them.
  4. Use the contracting process to set expectations, mitigate risk, and allocate liability.

Cybersecurity Strategy: Understanding the Landscape of the Transaction

  • Organizations should establish and maintain a documented strategy for identifying and managing their respective cybersecurity risks.
  • The parties’ cybersecurity strategies and risk assessments will be key to establishing a solid foundation for the vendor selection process.

Risk Assessment: Cybersecurity Considerations for the Transaction

  • Analyzing interconnections with and dependencies on third parties is an element of cybersecurity risk assessment and management.
  • In the vendor context, risk assessments should inform the underlying decision to outsource any function or activity, as well as the specific requirements for a product to be supplied or service to be performed.
  • Risk assessments and controls should also be referenced in the vendor due diligence and selection process to identify gaps or deficiencies that will need to be addressed by the parties to mitigate risk.

Vendor Due Diligence

  • Purchasers should evaluate the capacity of prospective vendors to follow appropriate information security practices. The purchaser’s assessment of its own business and risk management objectives should inform the purchaser’s due diligence activities.
  • Purchasers should conduct a security assessment of the vendor.

Contract Provisions: Setting Expectations, Mitigating Risk, and Allocating Liability

  • Contract provisions should reflect information security considerations, even though the substance of the provision is not necessarily limited to information security.
  • Performance
  • Representations and warranties
  • Confidentiality
  • Security program
  • Monitoring/assessment of vendor performance
  • Risk event reporting
  • Remedies
  • Termination
  • Insurance
  • Indemnification
  • Business continuity/resiliency
  • Miscellaneous
  • Software


Lucy L. Thomson is the founding principal of Livingston PLLC in Washington, D.C. She focuses her practice on cybersecurity, global data privacy, and compliance and risk management. She served as 2012–13 chair of the ABA Section of Science & Technology Law and is a member of the ABA House of Delegates and the ABA Cybersecurity Legal Task Force.