Managing third-party information security risk: a cohesive approach
Newspapers, trade journals and online blogs feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor or other business partner, only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and to have failed to adequately address information security in their vendor contracts, in many instances leaving the organization without a meaningful remedy for the substantial harm it suffers as a result of the compromise. That harm can take a variety of forms: damage to business reputation, loss of business, potential liability to the breached data subjects, and regulatory and compliance issues. Recent studies by the Ponemon Institute have shown that, on average, a company will pay about $202.00 per record compromised, an average of $6.6 million if it experiences a security breach. [1]
Since many financial institutions focus their attention on core competencies, and since strategic outsourcing of non-core services has become almost the norm in the industry, how can financial institutions remain vigilant and protect themselves against the apparently unavoidable risk undertaken whenever sensitive information is shared? Two key tools can substantially reduce these information security threats by ensuring that proper due diligence is conducted and documented, and by providing remedies in the event that a third-party vendor fails to live up to its data security obligations:
- A due diligence questionnaire
- Key contractual protections
The right answers start with the right questions: the due diligence questionnaire
On the whole, financial institutions have gotten better at conducting information security due diligence before entering into contractual agreements with third-party service providers, but this success has not been uniform and is often not clearly documented. This ad hoc approach is no longer appropriate in today's operating environment. Developing a standard due diligence questionnaire has multiple, immediate benefits:
- It goes beyond simply requesting SSAE 16 (SAS 70) testing documents. Those reports were never intended to be used to assess a vendor's information security controls; they are a communication from auditor to auditor about the integrity of transaction-processing information.
- It ensures a uniform, ready-made framework for due diligence
- It provides for an apples-to-apples comparison between multiple vendors
- It provides an easy way to incorporate information security information directly into the contract, as it can be attached as an exhibit to the final executed contract
- It can and should be used for all vendors with whom sensitive customer information is shared. Too often, financial institutions risk-rate their vendors using a blend of mission criticality and whether or not the vendor has access to sensitive customer information. Some vendors are not mission critical but have direct access to sensitive data; in these cases, many financial institutions forgo the due diligence requirement because the vendor is not considered high risk. Yet, while the vendor may not be high risk in terms of mission criticality, it could be high risk in relation to sensitive information.
Key areas for consideration in a due diligence questionnaire for vendors who have access to sensitive customer information include:
- Compliance with GLBA, PCI, HIPAA, HITECH or any other industry standard requirements for the particular vendor
- Information security controls in general (policy, procedures, audits, etc.)
- Financial condition
- Insurance coverage
- Corporate responsibility
- Organizational security procedures
- Physical security
- Destruction of sensitive documents or information
- Technological security
- Contingency plans
- Software development concerns (if applicable)
Within each one of these areas, multiple questions can be developed to help get an understanding of the vendor's controls and protocols for securing sensitive information.
Key contractual protections
In the majority of engagements we conduct that include reviews of third-party vendor contracts, there is little to no specific language protecting the financial institution's sensitive customer information. At most, there are passing references to undefined security requirements set forth in the agreement and a basic confidentiality clause.
Any agreement should contain language requiring the vendor to comply with provisions of GLBA, including a requirement to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of sensitive customer information. However, today's best practices in contracting suggest that far more specific language is required.
Financial institutions should include information security provisions in their business services agreements, and should clearly incorporate those agreements into the underlying contracts themselves. The underlying contract and the business services agreement should read in concert with one another, and all ambiguities between them should be eliminated. Common sources of problems we've noted include:
- Generic confidentiality clauses, with no specific expectations outlined or contractually obligated.
- Contract requirements written to protect only the vendor, with the financial institution agreeing to safeguard the vendor's sensitive information (source code and trade secrets), but no similar requirement that the vendor safeguard the financial institution's sensitive information.
- Vendor liability for a lost storage medium that is limited to the cost of replacing the medium, with no provision for the value of the data it contained.
- Contracts that fail to address notification requirements in the event of an actual or suspected data breach.
- Contracts that define sensitive customer information in ways that do not align with the financial institution's internal definition of sensitive customer data (for example, requiring that only documents stamped "confidential" be treated as such).
- Contracts that do not address state-specific nuances for the states in which the financial institution conducts business. It should be noted that 47 of the 50 states have enacted specific data breach laws, which require anything from no changes from federal law, to changes in definitions, to changes in specific technical controls. Examples include Wisconsin, which defines sensitive customer information to include DNA profiles, and Massachusetts, which requires all laptops that store sensitive information to use whole-disk encryption.
Other considerations for inclusion within a contract or subsequent addendum could include specific language addressing the following:
- Specific information security obligations
- Responsibility for costs associated with security breach notification
- Limitation of liability
- Audit rights
It is important to remember that the financial institution is the customer and that the vendor is seeking its business. Financial institutions must take tougher stances in contract term negotiations to ensure that contractual protections are afforded not only in accordance with state and federal law, but also in the best interest of their customers and their customers' information.
Managing data security risks is a key management duty
As the news continues to mount about data breaches around the country, financial institutions are going to feel the pain, directly or indirectly, as data becomes the target of cybercriminals throughout the world. By ensuring that due diligence is performed in an adequate, uniform manner commensurate with the level of risk involved in the information sharing, and by ensuring that contracts legally protect the financial institution's rights and spell out the vendor's obligations, the risks associated with the theft or loss of sensitive data are minimized. While the risk of a data breach will never truly be eliminated, the likelihood and impact of a breach can certainly be reduced to a more acceptable level.
The due diligence questionnaire enables the financial institution to ask the right questions and obtain critical information, before entering into a contract, about the ability of a third-party service provider to adequately safeguard nonpublic personal information. The contractual provisions establish the financial institution's expectations with respect to privacy and security requirements, provide the basis for mandating that the service provider comply with those requirements, and give the financial institution remedies to assert a claim against the service provider if it fails to provide adequate privacy and security measures. Financial institutions that fail to adequately protect sensitive data against third-party failures are failing their customers and, in the end, themselves.
[1] Ponemon Institute, "Ponemon Study Shows the Cost of a Data Breach Continues to Increase," www.ponemon.org/news-2/23