Cybersecurity Curveballs in Vendor Risk Management Programs

Size: px

Start display at page:

Download "Cybersecurity Curveballs in Vendor Risk Management Programs"

Percival Shepherd
6 years ago
Views:

Cybersecurity Curveballs in Vendor Programs 2016 SoCal Cybersecurity, & Data Protection Retreat November 7, 2016 2016 Reed Smith

1 Cybersecurity Curveballs in Vendor Programs 2016 SoCal Cybersecurity, & Data Protection Retreat November 7, Reed Smith LLP. All rights reserved. The contents of this presentation are for informational purposes only, and do not constitute legal advice.

2 Today s Panel Mark Francis Reed Smith, New York Alan Friel Baker Hostetler, Los Angeles Steven Millendorf Foley & Lardner, San Diego Howard Miller LBW Insurance & Financial Services, Valencia Craig Harper Sysorex, Palo Alto

3 Hackers Gain Access Through Third Parties

4 Third Parties May Misuse or Sell Data

5 Regulators Focusing on Third Party s Not everyone who might occasionally need to get on your network should have an all access, backstage pass. That s why it s wise to limit access to what s needed to get the job done.

6 Regulators Focusing on Third Party s The SEC focuses heavily on third party management

7 Third Party Lifecycle Planning / Governance Termination Due Diligence Monitoring Contracts

8 Customer v. Vendor Dynamic Disclosure (Company) Recipient (Vendor)

9 Insurance & Underwriting

10 Cyber Liability Vendor Insurance

11 Key Cybersecurity Provisions Requirements for data security and privacy General language? Standards? Explicit requirements? Applicable laws (e.g., HIPAA, GLBA, EU DPD) Subcontractors Data breach and notice procedures Indemnity Scope? Carve-outs? Caps? Foreign suppliers? Cyber-insurance Will coverage extend to customer? How and when? Audit rights When? How invasive? Adopt standard industry or company provisions (e.g., riders)

12 Sample provisions security clause Vendor agrees to preserve the confidentiality, integrity and availability of Company s Confidential Information with commercially reasonable administrative, technical and physical safeguards in accordance with generally recognized best practices and industry standards

13 Sample provisions notice clause Vendor agrees to notify Company within forty-eight (48) hours of any breach or potential breach of security which has compromised, or for which there is a reasonable belief of compromise of, any Confidential Information to unauthorized parties

14 Sample provisions audit clause Vendor agrees to allow Company to perform one information security audit (i) annually, (ii) or after a security incident, or (iii) where there is other reasonable cause to believe Vendor is not in compliance with its data security program, upon at least thirty (30) days prior written notice

15 Sample provisions cyber coverage terms Omissions / Network Insurance & Liability Insurance including notification costs US $25,000,000 coverage each event/aggregate. Technology Errors & Omissions insurance covering liabilities, punitive damages, data breach regulatory fines and penalties and claim expenses arising from acts, errors and omissions, in rendering or failing to render all Services and in the provision of all Products, Hardware, Software and other Deliverables in the performance of this Agreement, including the failure of products to perform the intended function or serve the intended purpose. This policy shall include coverage for loss, disclosure and theft of data in any form; media and content rights infringement and liability, including but not limited to, software copyright infringement; network security failure, including but not limited to, denial of service attacks and transmission of malicious code. Coverage shall include the cost of notifying individuals of a security or data breach, the cost of credit monitoring services and any other causally-related crisis management expense for up to one (1) year. Coverage shall contain severability for the insured organization for any intentional act exclusions. If this coverage is provided on a claims-made basis, then it must be maintained for a period of two (2) years after acceptance of all Products, Hardware, Software, Deliverables and/or Services provided in connection with this Agreement.

16 Sample provisions cyber coverage terms Additionally, such policy shall cover consequential or vicarious liabilities (e.g., claims brought against the Company X Contracting Party or any Company X Affiliate and their respective directors, officers, and employees due to the wrongful acts and failures committed by you) and direct losses (e.g., claims made by the Company X Contracting Party and any Company X Affiliate and their respective directors, officers, and employees against you for financial loss due to your wrongful acts or failures). This policy shall have the Insured v. Insured exclusion amended to allow an Additional Insured to bring a claim against the Named Insured. Commercial Crime Insurance including third-party client s property coverage US $1,000,000 coverage per occurrence. The policy shall include coverage for employee theft/dishonesty, property of clients, theft of money & securities, credit, debit or charge card forgery, electronic funds transfer and computer fraud crime coverage. The commercial crime insurance policy shall name the Company X Contracting Party as loss payee.

17 Who owns the data before/during/after? Data use restrictions for licenses? How is PII protected? How will customer/vendor address new risks? Compliance with regulatory requirements Core data processing or incidental exposure to regulated data (e.g., maintenance) Cross-border transfers Shield, GDPR

18 Consumer-Facing Federal Laws FTC Act, Section 5 (unfair or deceptive acts) COPPA CAN SPAM TCPA State laws UDAPs Data breach notification State-specific (CalOPPA, Shine the Light, Acts) DAA Opt out Program

19 Managing A Vendor s Data Breach Cooperation Maintaining attorney-client privilege Legal and contractual obligations (e.g., notice) Involving law enforcement Interacting with vendor s other customers Indemnity Insurance Managing PR / communication Continue or terminate relationship

20 Questions?

Building a Program to Manage the Vendor Management Lifecycle

Building a Program to Manage the Vendor Management Lifecycle Libbie Canter Amelia Hukoveh Daniel Nazar October 5, 2017 Overview 1. Introduction and Background 2. Three Pillars of Third-Party Risk Management