March 13, 2017

New ABA checklist: Ensuring your cybersecurity when using outside vendors

These days you’d be hard-pressed to find a company that does not conduct business electronically. And as companies outsource, use cloud services and otherwise pursue outside help to maintain their business, they become more vulnerable to cybersecurity breaches because of these third-party vendors.

Your security is only as strong as your weakest link, and increasingly, that weak link is an outside vendor that may or may not have adequate cyber protection against hackers and other malicious infiltrators. According to the Soha Systems Survey on Third Party Risk Management, more than 60 percent of all data breaches can be attributed to a third-party vendor.

Two recent examples of such breaches were at Equifax in 2016 and Target in 2013. At Equifax, tax and salary data from the company’s clients, such as Kroger and Stanford University, were stolen last May through vulnerabilities in Equifax’s security access. The hack of Target’s database exposed the personal data of more than 70 million customers. In that incident, the hacker gained access through attacking one of the retailer’s vendors, an HVAC company.

To help avoid and minimize the impact of breaches like these, the ABA Cybersecurity Legal Task Force has released its Vendor Contracting Project: Cybersecurity Checklist.

The checklist is designed to help manage cybersecurity risk when working with third-party vendors, from vendor selection to contracting and vendor management.

The checklist provides guidance on:

  • Conducting a risk management assessment of the proposed vendors, to identify relevant threats to security, vulnerabilities and the potential for exploiting those vulnerabilities, including the likelihood that harm could occur.

  • Reviewing vendor security practices and the ability to follow them. Does the vendor have an incident management plan that complies with relevant laws? Is it regularly tested and updated?

  • The contracting process, including setting expectations, mitigating risk and allocating liability. How will the contracting parties interact, share and manage information? What is the vendor’s commitment to an appropriate security program? How will the vendor’s compliance with that program be assessed and, if necessary, remediated?

The document’s appendix also covers the critical elements needed in any security program, whether that of a vendor or of the procuring organization.

The task force acknowledges that cybersecurity provisions are not one-size-fits-all, and should instead be informed by parties’ assessment of risk and strategies to mitigate risk. The task force advises that practitioners modify and supplement the checklist to reflect the particular regulatory requirements and business needs of their clients.