Reducing Third-Party Risk During COVID-19
WHY THIS MATTERS
Ensuring that your business survives and even thrives during the COVID-19 pandemic requires the ability to pivot quickly and to close cybersecurity gaps as you become aware of them.
Beyond your own business, you need to ensure that third parties such as business partners, suppliers and vendors maintain adequate cybersecurity. If they are not secure, neither are you: attackers look for the weakest link in the chain.
Phishing emails that entice employees to click on links that install malware, or to wire funds to a fraudulent bank account, can land in your shop or in your supplier's facility. If a contractor's network is compromised, the attackers can take the credentials the contractor uses to connect to your network, use them to plant malicious software on your systems and steal your data.
Businesses of all sizes are well-advised to conduct vendor risk management and to consider investing in stand-alone cyber insurance (which provides first-party coverage, including an incident response team) as part of their business continuity plan.
How to Reduce Third-Party Risk During the COVID-19 Pandemic
The COVID-19 pandemic is having a profound impact on businesses. According to IndustryWeek, the world’s supply chains are facing a root-to-branch shutdown unlike any seen in modern peacetime.
Those businesses that remain open are shifting to remote work as quickly as possible. At the same time, attackers are constantly searching for new targets, and those targets may very well be your third-party vendors, who supply you with goods and services and supply attackers with a gateway into your network.
Your business continuity plan encompasses more than the four walls of your building, your remote work locations, and your privacy and security protection. It includes the risks you face from your business partners, suppliers and vendors.
On one hand, your suppliers are crucial to your business operations. On the other hand, they can expose your business to cyber risks.
The Ponemon Institute's third annual (2018) study, Data Risk in the Third-Party Ecosystem, found that 61% of US companies surveyed had experienced a data breach caused by a vendor or other third party (up 5 percentage points from 2017 and 12 from 2016). Dr. Larry Ponemon concluded that companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.
Third-party risk can arise from a small contractor that has been given access to your network. The most notable example is the Target data breach in late 2013. A small heating and air conditioning (HVAC) firm that connected remotely to Target's network became the gateway to the breach. The HVAC firm was compromised by malware delivered in an email, and the criminals stole the credentials the firm used to connect to Target. From there, the attackers reached Target's payment systems and pushed malicious software to point-of-sale registers at more than 1,800 Target stores. Subsequent reports indicated that Target had not adequately segmented vendor access from its payment network, so one contractor's credentials reached far more than one contractor's job required.
Krebs on Security reported some of the daunting data breach numbers:
- 40 million: the number of credit and debit cards thieves stole from Target between Nov. 27 and Dec. 15, 2013.
- 70 million: the number of stolen records that included the name, address, email address and phone number of Target shoppers.
- 46%: the drop in Target's profits in the fourth quarter of 2013 compared with the year before (the breach cost the CEO his job).
- $200 million: the estimated cost to credit unions and community banks of reissuing 21.8 million cards, about half of the total stolen in the Target breach.
According to its 10-K filings with the SEC, Target incurred gross expenses of approximately $292 million from the breach. Reports indicate that Target had $100 million in cyber insurance coverage written by multiple insurance carriers (with a $10 million deductible). The Target breach illustrates how important it is to have cyber insurance that matches your company's risk tolerance and balance sheet. This type of breach could happen to a company of any size that deals with outside suppliers. Understanding how much loss you can bear on your own, and how much risk needs to be transferred to a cyber policy, will help you survive a breach.
More than six years later, that is not the end of the story for Target. Currently, Target is embroiled in coverage litigation seeking $74 million under its general liability policy for payment card replacement costs. Bear in mind that lengthy coverage disputes seeking compensation for cyber losses under a general liability policy (aka “silent cyber”) are not feasible for most companies. You are better off with a stand-alone cyber insurance policy that affirmatively provides you with coverage for data breach losses.
Tracking third-party relationships through vendor risk management is important. Staying ahead of the risk requires planning for the detection and mitigation of third-party incidents, starting with a third-party inventory and a risk assessment that addresses, for example:
Sharing Data with Vendors
- Does your company share customer data with marketing companies?
- Does your company share data with a billing and payment processing company?
- Does your company outsource deliveries to another company that has access to your sales data?
Allowing Vendors Access to Your Systems
- Does a third party monitor your physical security systems or your HVAC systems?
- Does a third party manage your internal network or internet access?
During a pandemic, some of these questions may be overlooked because of the urgent need for suppliers. Third-party data breaches can occur when your data is stolen from the third party's systems, or, as in the Target breach, when the third party's access is used to get into your systems and exfiltrate your customers' personal information.
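The practical counterpart to the "who has access to your systems" questions above is a written scope for each vendor account and a routine check that the account stays inside it. The script below is an added example, not code from the original article or from any vendor; it holds a hypothetical per-vendor allow-list (source ranges, reachable subnets, ports) and scans constructed firewall records for sessions that fall outside it, such as an HVAC contractor account reaching a point-of-sale segment. The account names, subnets and key=value log format are all assumptions made for the example.

```python
"""Scope check for third-party (vendor) network access.

Added example: given an allow-list of what each vendor account may reach,
scan firewall/VPN connection records and flag any vendor session that
falls outside that scope. Account names, subnets and the key=value log
format are hypothetical; the log lines are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical per-vendor policy: where the vendor may connect from,
# what it may reach, and on which ports. Anything else is a finding.
VENDOR_POLICY = {
    "hvac-vendor": {
        "sources": ["203.0.113.0/24"],      # contractor's office range
        "destinations": ["10.50.0.0/24"],   # building-management VLAN only
        "ports": {443},
    },
    "billing-vendor": {
        "sources": ["198.51.100.0/24"],
        "destinations": ["10.60.1.0/24"],   # billing/ERP segment only
        "ports": {8443},
    },
}

# Constructed firewall records (hypothetical format). 10.20.7.0/24 stands in
# for a point-of-sale segment that no vendor account should ever touch.
SAMPLE_LOG = """\
ts=2020-04-01T02:14:05Z user=hvac-vendor src=203.0.113.17 dst=10.50.0.21 dport=443 action=allow
ts=2020-04-01T02:15:41Z user=hvac-vendor src=203.0.113.17 dst=10.50.0.22 dport=443 action=allow
ts=2020-04-01T03:02:12Z user=hvac-vendor src=203.0.113.17 dst=10.20.7.14 dport=445 action=allow
ts=2020-04-01T03:05:55Z user=hvac-vendor src=192.0.2.99 dst=10.50.0.21 dport=443 action=allow
ts=2020-04-01T09:30:00Z user=billing-vendor src=198.51.100.8 dst=10.60.1.5 dport=8443 action=allow
ts=2020-04-01T09:31:10Z user=unknown-svc src=198.51.100.9 dst=10.20.7.14 dport=445 action=allow
"""


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    dst: str
    dport: int
    reasons: tuple  # one or more policy violations for this record


def parse_record(line):
    """Parse one key=value record into a dict; dport becomes an int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["dport"] = int(rec["dport"])
    return rec


def _in_any(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def check_record(rec):
    """Return a Finding if the record violates the vendor's policy, else None."""
    policy = VENDOR_POLICY.get(rec["user"])
    if policy is None:
        # An account nobody registered is itself a finding: you cannot scope
        # what you have not inventoried.
        reasons = ("account has no vendor policy entry",)
    else:
        reasons = []
        if not _in_any(rec["src"], policy["sources"]):
            reasons.append("source address outside vendor's registered range")
        if not _in_any(rec["dst"], policy["destinations"]):
            reasons.append("destination outside permitted scope")
        if rec["dport"] not in policy["ports"]:
            reasons.append("port not permitted for this vendor")
        reasons = tuple(reasons)
    if not reasons:
        return None
    return Finding(rec["ts"], rec["user"], rec["src"], rec["dst"], rec["dport"], reasons)


def audit_vendor_access(log_text):
    """Run every non-empty record through the policy check and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = check_record(parse_record(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_vendor_access(SAMPLE_LOG):
        print(f"{f.ts} {f.user} {f.src}->{f.dst}:{f.dport}  " + "; ".join(f.reasons))
```

Run against the constructed log, the script reports three records: the HVAC account reaching the point-of-sale subnet on SMB, the same account logging in from an address outside the contractor's registered range, and an unregistered account. Note that all three were allowed by the firewall; the check catches what the firewall policy let through, which is exactly the gap the Target breach exposed. In practice the allow-list belongs in the vendor contract and the firewall rule set, and the script runs as a daily job over exported connection logs.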
Action steps if you suffer a data breach caused by a third-party vendor
You need to stop the breach as quickly as possible and notify your incident response team manager, who in turn notifies the rest of the team and your cyber insurance carrier. Your incident response team will work with the third-party vendor's staff to stop the breach at both ends, investigate what happened, and find a way to mitigate the loss.
A fast response means a less costly breach. According to the Ponemon Institute, it takes a company an average of 197 days to identify a data breach and another 69 days to contain it. Ponemon also put the average cost of a breach in 2019 at $3.14 million, more than half of it attributed to business interruption.
Keep in mind that regardless of who performs the work, the legal obligations after a privacy breach under most privacy and data security laws (for example the FTC Act, HIPAA, the NAIC Insurance Data Security Model Law, the EU GDPR and the CCPA) remain with your company. Your company must comply with the notification and reporting requirements under these laws and can face fines and penalties for non-compliance.
Stand-alone Cyber Insurance
Your business can survive a cyberattack (directed at you or at a third-party vendor) with the help of cyber insurance to protect your bottom line:
- If you suffer a data breach, your business will need to stop the breach, investigate, notify all those affected, recover or restore your data, and possibly face claims or lawsuits by injured parties.
- This is difficult to do without an incident response plan and team to:
  - Stop a data breach or fend off a ransomware attack.
  - Investigate a data breach or ransomware attack so that future attacks can be prevented.
  - Notify your clients, consumers and employees (in compliance with the various laws) after a cyberattack.
  - Assist you with recovering or restoring lost or stolen data.
  - Assist you with carrying out your business continuity plan.
- If you suffer a ransomware attack, you can be compensated for the ransom payment (made with the prior written consent of the insurer) and for lost profits during the time business operations were disrupted or halted.
- If you are fined by regulators or credit card companies after a data breach, those fines are covered by cyber insurance (so long as they are insurable in the relevant jurisdiction).
- Striving for perfection during the COVID-19 pandemic may not be realistic. Surviving it will take some precautionary planning. You are facing not only the economic threat and the health threat, but also the cyber threat. It is a good time to invest in a stand-alone cyber policy from a reputable provider. This investment could make the difference between your business surviving and thriving.
- Ideally, third parties that access your network or handle your company or customer data should carry their own cyber insurance that responds first to a cyber incident. Confirm this when you conduct your cyber risk assessment and negotiate the relevant contract provisions, bearing in mind that your own legal obligations after a breach remain with you regardless of what the contract says.
- In the wake of COVID-19 supply chain disruption, make your best effort to ensure that any alternative third-party suppliers or vendors you bring on are cyber secure.
Watch for our next article on the important role that stand-alone cyber insurance plays in business interruption.