Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Third-party vendors and risk management

It’s always scary to think that sometimes data breaches aren’t the result of “hacking” so much as user error. Rubrik, a security and cloud management firm, recently learned this the hard way, when a misconfigured server exposed data belonging to major clients.1 As organizations use increasingly complex technology to handle increasingly vast amounts of client data, it is becoming more and more difficult to keep up with security demands. 

As Rubrik was recently reminded, security demands include proper configuration and hardware setup as well as more advanced security measures of the sort I have mentioned in previous articles. Many organizations overlook the fact that third-party vendors can cause just as much damage in the event of a breach as an internal cybersecurity event. Reputationally, operationally, and financially, where the breach originated doesn’t matter as much as who the breach is going to impact most. If the answer is an organization’s major clients, I am willing to bet those clients won’t care either. 

Managing third parties

Most organizations have some degree of third-party involvement in managing internal systems and cloud services, or in helping conduct some operational function. When entering into agreements for these services, it’s advisable to have a designated person who is responsible for overseeing the agreement process and guiding the management and review of third-party risk. All third-party vendor relationships come with a degree of risk, regardless of the service they are providing. In the massive Target data breach of 2013, it was a third-party that compromised Target’s data, affecting millions of its customers.  Keep in mind that this third party provided HVAC and refrigeration services.2 It goes to show that regardless of the company, third-party involvement always comes with dangers and requires continuing oversight past the initial stages of the agreement. Cyber risk management calls for separate ownership of different levels of risk, including third-party relationships. 

Once a responsible person or group is designated for the management and overview of third-party relationships, one key task is to keep track of where organizational data resides. Record where the data is being stored, what type of data it is (especially if it’s highly confidential or protected), and how the data is being protected by each vendor. Try to limit which vendors have access to sensitive data and incorporate ongoing reviews and audits as part of continued due diligence. Prior to entering into any new agreements, thoroughly research the prospective party’s stance on cybersecurity issues and how they have handled any past incidents. What controls are used for sensitive data and who has access to systems? Do they audit their third-party subcontractors? Do they have an incident response plan? Is it readily available for review? Does it comply with the standards of the internal response plan in place? Asking the right questions can help determine whether the value of a third-party agreement is worth the risk from the outset. 

Assessing risk

Service-level agreements should be created in compliance with the same security protocols and policies that regulate internal operations. When an organization trusts an outside source with its data or allows it access to the organization’s networks, that source is now an element of its risk profile. If that vendor is vulnerable, so are you. If that vendor has a weak security posture, so do you, no matter how stringent your internal policies are. In addition to the reputational, financial, and operational risks that may be incurred from a third-party security incident, legal risks must also be taken into account—especially in light of HIPAA and GDPR regulations. Transparency about reporting data breaches is critical when it comes to working with third-party vendors; immediate notification of cyber events should be a stipulation of any agreement. Contractual considerations should include access requirements, reputation of the third party, liability, audit procedures, and termination of access to data when the agreement is cancelled or expires. 

It is impossible to ensure perfect security, but organizations can take measures to mitigate the risks associated with advanced technology systems and growing volumes of data. Whether it’s ensuring proper configuration of systems or controlling access, third-party vendor agreements introduce another element of risk to your organization that may be difficult to fully account for or control. Considering each level of risk, including legal obligations, and promoting regular audits under the supervision of a single responsible individual within the organization can assist in identifying and mitigating the risks associated with third-party involvement. That also includes trying to ensure that the third party has the same dedication to developing cultures of security that your organization does.



MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  




1 Kelly Sheridan, “Rubrik data leak is another cloud misconfiguration horror story,” Dark Reading (1/30/2019).  

2 Brian Krebs, “Target hackers broke in via HVAC company,” Krebs on Security (2/14/2014).

Leave a Reply

Articles by Issue

Articles by Subject