If you go back just 10 years, the topic of cybersecurity due diligence wasn’t a question on the minds of many companies. But after the infamous Target data breach (which was caused by an HFAC contractor, nonetheless), it became front page news. Fast forward to today’s headlines, and the Solar Winds hack is in headlines everywhere. Some are touting it as “potentially the biggest intrusion in our history,” and it was caused by a third-party vendor.
Fundamentally, cybersecurity needs consideration in nearly all of our vendor relationships. However, one size due diligence does not fit all – you aren’t going to go ask the landscaping company for the same information as your core processor; obviously, a hyperbole, but a salient example… let’s think about a few you may not have considered:
your shred company (hey, they roll all of your confidential information out the doors every day or week- what are their underlying info sec policies and hiring procedures?); your landlord (they have afterhours access to your building, unescorted, unsupervised… hmm); your marketing company (can they re-market your customers post-contract? Are they complying with GDPR, CCPA and similar regulations?)
So, the first step is to determine which vendors even require cybersecurity diligence. This is accomplished through your inherent risk assessment process, where you identify the type and scope of data to which the vendor will have access. Then, for those that do require diligence, it should all be risk-based. The more risks they present to your own cybersecurity, the more due diligence you’ll need to do.
Most companies use some type of tiering of their cybersecurity due diligence questionnaires to align the scope of questions with the level of risk. The type of cybersecurity due diligence you perform should always align with the level of risk the third-party vendor presents to your company. Some of the common categories of cyber risk activities to assess can include:
- Cybersecurity strategy – risk management, organization and governance, policies, standards, audit and compliance
- Management – asset management, architecture management, controls management, personnel management and third-party vendor management
- Operational activities – threat management, vulnerability management, security operations, incident response and service restoration
- Core activities – end user protection, access management, data protection, endpoint security and facility security
- Cybersecurity incidents – data loss/theft, fraud, disruptive attacks
Beyond that, obvious things like basic searches on ownership, reputation risk (see the Better Business Bureau or the Consumer Financial Protection Bureau), articles of incorporation, and OFAC check of the ownership and executive leaders, simple Google news searches, and financial performance are always a good idea.