5 Tips for Managing Third Party Security Risk

It’s rare for an organisation not to use at least one third party – whether it’s Microsoft, Salesforce or your lawyers. Sharing information with any third party increases the risk that something goes wrong, either because they mishandle your information or because the third party is itself the victim of a cyber-attack. 

Pointing the finger at a third party when a customer asks why the personal information they trusted you with is now published online won’t address their concerns or rebuild their trust. Your customers gave their data to you, not to your vendor. 

Of course, we all try to vet vendors first, usually by having them complete a vendor security and privacy questionnaire and by setting out their responsibilities in the contract. 

But given the significant reputational and legal risk of sharing data with third parties, it’s essential to consider all the ways to reduce both the likelihood and the fallout of a third party mishandling the data your organisation has shared.  


Here are five ways to manage your vendors: 

Know who your vendors are, and how to contact them 

It’s surprising how many organisations don’t have a record of their key vendors. The 2022 Risk Recon Report by the Ponemon Institute found that few organisations maintain a register of the third parties they share data with, let alone of what data flows to each of them. Without that register it is difficult, if not impossible, to manage privacy risk or to control who has access to customers’ personal information. 

A key part of any effective vendor management program is knowing who your vendors are. Ideally, this list is populated automatically as engagements pass through your procurement process. But procurement is sometimes bypassed, and you may have long-standing arrangements that were never recorded and need to be identified and brought under the program. 

Other information that you should consider including in your vendor inventory: 

  • Name and contact details for your main contact at the vendor, including out-of-hours contact details and an alternate contact for your critical suppliers 
  • A description of the service provided 
  • Details of the data that may be shared with the vendor as part of the engagement, including its classification 
  • A ranking of the criticality of the vendor and of the services it provides to the business 
  • Details of any end-of-contract terms, including the arrangements for returning or deleting your data 
  • A link to the contract, so you can quickly check the terms if needed 

Have a data breach plan with your vendors 

Data breaches are becoming increasingly common. In fact, 59% of organisations surveyed for the 2022 Risk Recon Report by the Ponemon Institute had experienced a data breach caused by a third (or nth) party.  

So, even if you take significant steps to reduce the risk of your third-party vendors experiencing a data breach, one may still occur. And your organisation may be held liable for personal information exposed in a third-party breach. It’s therefore not sufficient to leave the management of a data breach to the third party.  

You should work with the third party to coordinate a response that minimises the potential and actual harm to everyone affected: your organisation, your customers, and anyone else whose data you have shared with the vendor. 

Your data breach management plan, and the part your vendors play in it, should be laid out in advance. Agree who notifies whom, within what timeframe, and through which contacts (the out-of-hours details in your vendor inventory), so that nobody is working it out on the day.  

The plan should also be tested, either on its own or as part of your own incident response exercises. 

Your critical third-party service providers are key partners and should be involved in the planning and testing of your incident response and disaster recovery efforts. 

Make sure your vendor has adequate privacy practices 

You should thoroughly vet your third-party vendors before sharing data with them. But it’s not unheard of for privacy hygiene to slip, or for companies to fall behind best practice in the ever-changing privacy landscape.  

Accordingly, it’s important to conduct regular reviews or audits of your third-party vendor’s privacy and security practices during the term of the engagement. Your contract should give you the right to do so, and the reviews should be scheduled as part of your vendor management program. 

Track their external certifications (has their ISO 27001 certification been renewed? Is a new SOC 2 Type 2 report available?). Re-send your vendor questionnaire and ask for confirmation that nothing has changed. Ask for current audit reports. When you receive them, check the scope as well as the date: an ISO 27001 certificate only covers what is in its scope statement, and a SOC 2 Type 2 report only covers the systems in its description and the period it was audited over, so confirm that both include the service you actually use. 
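The inventory fields above and the ongoing tracking of questionnaires and certifications lend themselves to a simple, repeatable check. The following is an added example, not Privacy 108’s own tooling: a small Python register that flags vendors whose review is overdue, whose ISO 27001 certificate has lapsed, whose most recent SOC 2 Type 2 period ended more than a year ago, or whose critical-vendor contact details are incomplete. The review cadence per criticality tier, the vendor names and the dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed review cadence per criticality tier (days between questionnaires).
# Your program's policy may differ; adjust to match it.
REVIEW_INTERVAL_DAYS = {"critical": 180, "high": 365, "medium": 730, "low": 1095}

# A SOC 2 Type 2 report covers an audit period; treat one whose period ended
# more than this many days ago as stale and ask for the newer report.
SOC2_MAX_AGE_DAYS = 365


@dataclass
class Vendor:
    """One row of the vendor inventory described in the article."""
    name: str
    service: str
    criticality: str                 # critical / high / medium / low
    data_classification: str         # classification of data shared with them
    primary_contact: str
    out_of_hours_contact: Optional[str] = None
    alternate_contact: Optional[str] = None
    last_questionnaire: Optional[date] = None   # date the last questionnaire came back
    iso27001_expiry: Optional[date] = None      # certificate expiry, if they hold one
    soc2_period_end: Optional[date] = None      # end of the latest Type 2 audit period
    contract_link: Optional[str] = None


def review_findings(v: Vendor, today: date) -> List[str]:
    """Return the list of things that need attention for one vendor."""
    findings: List[str] = []

    # Critical suppliers must be reachable out of hours, with a backup contact.
    if v.criticality == "critical":
        if not v.out_of_hours_contact:
            findings.append("no out-of-hours contact")
        if not v.alternate_contact:
            findings.append("no alternate contact")

    # Unknown criticality is treated as critical (most conservative cadence).
    interval = REVIEW_INTERVAL_DAYS.get(v.criticality, REVIEW_INTERVAL_DAYS["critical"])
    if v.last_questionnaire is None or (today - v.last_questionnaire).days > interval:
        findings.append(f"questionnaire missing or older than {interval} days")

    if v.iso27001_expiry is not None and v.iso27001_expiry < today:
        findings.append("ISO 27001 certificate expired")

    if v.soc2_period_end is not None and (today - v.soc2_period_end).days > SOC2_MAX_AGE_DAYS:
        findings.append("SOC 2 Type 2 report period ended more than 12 months ago")

    if not v.contract_link:
        findings.append("no contract link on file")

    return findings


def vendors_needing_attention(vendors: List[Vendor], today: date) -> Dict[str, List[str]]:
    """Map each vendor with at least one finding to its findings."""
    return {v.name: f for v in vendors if (f := review_findings(v, today))}


# Constructed sample inventory (fictional vendors and dates).
TODAY = date(2024, 6, 1)
SAMPLE_VENDORS = [
    Vendor("Example CRM", "customer relationship management", "critical",
           "personal information", "account-manager@crm.example",
           out_of_hours_contact="+61 400 000 000", alternate_contact=None,
           last_questionnaire=date(2023, 9, 1), iso27001_expiry=date(2025, 3, 31),
           soc2_period_end=date(2023, 3, 31),
           contract_link="https://contracts.example.internal/crm"),
    Vendor("Example Payroll", "payroll processing", "high",
           "sensitive personal information", "support@payroll.example",
           last_questionnaire=date(2024, 2, 1), iso27001_expiry=date(2024, 4, 30),
           contract_link="https://contracts.example.internal/payroll"),
    Vendor("Example Printing", "marketing collateral", "low", "public",
           "orders@print.example", last_questionnaire=date(2023, 1, 15),
           contract_link="https://contracts.example.internal/printing"),
]

if __name__ == "__main__":
    for name, findings in vendors_needing_attention(SAMPLE_VENDORS, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as a scheduled job against your real inventory, the output is the agenda for your next vendor review: a critical vendor with no alternate contact, a stale questionnaire and a year-old SOC 2 report, and a payroll provider whose ISO 27001 certificate has lapsed, while a low-criticality printer with nothing shared but public data is left alone.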

Take action to address inadequacies 

Suppose (or rather, when) your regular audits of a third-party vendor’s privacy practices expose mishandling of data or other poor privacy habits.  

Depending on your existing relationship and plans with the vendor, the steps you might take to resolve their poor privacy practices include:  

  1. Work with them to identify and implement adequate improvements; 
  2. Set out the facts and their obligations, and ask them to make immediate improvements; or 
  3. Terminate the contract and find another provider. 

This is a good time to pull out the contract (the link in your vendor inventory) and check what it allows you to do.  

Know If Your Third-Party Vendor Is Sharing Your Data  

Your third-party vendors should disclose any additional parties that will gain access to the personal information you share with them, and these terms should be included in your contract. If they aren’t, you should renegotiate the terms as soon as possible.  

And if your third-party vendor is already sharing the data you provided, you should ask them to stop immediately until you’ve assessed the level of protection those nth parties apply to the data.  

If you discover that your third-party vendor is sharing data in breach of the terms of your contract, you should carefully consider whether the relationship is worth continuing. If not, review the termination clauses in your contract to see what options are available to you.   

Protect the Data You Share Through Your Third-Party Agreements with Privacy 108  

Privacy 108 works with organisations to create more privacy-focused third-party agreements. Our experienced team is happy to liaise with third-party providers to assess their privacy protections and will review your terms of service to ensure that the data shared with a third party is adequately protected.   

If you need assistance protecting the personal information you have collected, reach out.   


Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.