Want Your Third Parties To Take Security Seriously?

In the last decade, outsourcing to third parties, especially in the gig economy, has taken over key functions that enterprises used to handle internally. Today’s companies are frequently virtual, relying on third-party services that span application development, back-office corporate functions, contract manufacturing and research, marketing, and core IT services. Few enterprises have a complete list of every downstream third-party provider the company relies upon to support its business operations. Each of these relationships introduces potentially material risk to the company.

Regulators worldwide are increasingly focused on cybersecurity and on third-party and supply chain risks to the economy. Of note, the following regulations highlight supply chain risk:

  • Canada’s Critical Cyber Systems Protection Act proposes that risks to critical cyber systems from supply chain and third-party products and services be identified and managed, and that “designated operators” be obligated to mitigate these risks.
  • The EU’s NIS 2 Directive notes in Article 7 that Member States must adopt policies to address cybersecurity in ICT product and service supply chains. More broadly, Article 21 requires that supply chain security risk be appropriately managed.
  • The U.S. established the Federal Acquisition Security Council in the Federal Acquisition Supply Chain Act of 2018 to complete supply chain risk assessments during government procurement, and in 2021 further reviewed supply chain risks and highlighted the need for resiliency in Executive Order 14017.

These requirements make clear that enterprises can be held responsible for the security shortcuts their third-party providers take.

This means that enterprises must dramatically change how they vet third-party providers and how they contract services.

Third-party and supply chain risk management begins with the request for proposal (RFP) process. Use your RFPs to unambiguously convey your organization’s requirements from a security, privacy, and risk management perspective. Your prospective vendors and suppliers should know with absolute clarity that good security and privacy practices are a condition precedent for your business relationship. Your contracts should codify your security, privacy, and risk management requirements accordingly.

The following are suggestions to include in your contracts with third-party providers to raise your security posture and manage the risk associated with these external parties.

  • Require your provider to provide evidence of the status of their security program and to map the program to a recognized security standard or framework such as NIST CSF or ISO 27001 and 27002.
  • Look for assurances that your provider can meet your organization’s defined security controls and requirements.
  • Ensure that your contract has right-to-audit and breach notification clauses. Validate that the timing of breach notification is consistent with your organization’s own disclosure obligations, such as those under CIRCIA.
  • Establish expectations for more technical due diligence as required (e.g., code reviews, pentests, and other high assurance reviews).
  • Require your provider to inform you in advance of material changes to their cybersecurity program. The contract should include an exit clause if their changes undermine your organization’s security requirements.
  • Require that your provider furnish software bills of materials (SBOMs) that accurately describe the software components or system elements of the delivered product or service.
  • Ensure that your contracts stipulate ongoing stewardship meetings between your organization’s security stakeholders and your provider’s security leadership. These meetings are integral to collectively reviewing new threats, changing security practices, service-level agreement (SLA) status, and other factors that could influence the assurance related to the contemplated services. Use these discussions to validate shared understandings, notably around service demarcation (which party is responsible for which controls).

Prioritizing security, privacy, and risk management in your contract negotiations sends a clear message. Third-party vendors and suppliers who proactively develop robust security programs simplify the onboarding process for organizations that face due-diligence requests and regulatory mandates. The effort both sides invest in establishing clear, unambiguous security requirements at the beginning of the relationship will ultimately pay important dividends.