Cyber Hot Topics: Vendor Management


Cybersecurity & Privacy
Cyber Hot Topics: Vendor Management
Paige M. Boshell, September 20, 2017, Bradley Arant Boult Cummings LLP

Agenda
- Vendor cyber risk
- Managing cyber risk through the lifecycle of the customer/vendor relationship
- Due diligence of potential vendors
- Negotiating the critical contract provisions
- Managing the customer/vendor relationship
- Questions

Vendor Risk Management is a Hot Topic
- Vendor risk is one of the largest drivers of data breaches
- Focus on third-party service relationships is increasing
- Continued targeting of financial institutions and healthcare providers; increased targeting of smaller companies
- 90% of organizations have been compromised in some fashion
- 76% of data breaches resulted from a vendor which introduced the security deficiencies that were exploited
- Only 24% require vendors to comply with baseline security procedures
- Examples: Target, Home Depot, MillerCoors
Takeaway: Beware the smaller breaches; beware the unsophisticated vendor.

Lifecycle Approach to Vendor Risk
An effective risk management process throughout the lifecycle of the relationship includes:
- Planning
- Due diligence
- Third-party selection
- Contract negotiation
- Ongoing monitoring
- Oversight & accountability
- Documentation & reporting
- Independent reviews (regulators, SOC 2, PCI)
- Termination and transition

Risk Assessment
- Identify crown jewels
- Identify access vectors
- Identify systems access

Key Issues to Assess
- What is the vendor's experience and expertise?
- What is the overall health of the vendor? What is the vendor's financial condition? Does the vendor have a strong management structure? Is there key-man risk?
- Are the vendor's standards, policies and procedures adequate? What are the vendor's security protocols?
- Does the vendor have adequate insurance coverage?
- What is the risk profile of the vendor relationship? Access to sensitive data? Mission-critical processes?
- Balance the cost of investigation with the cyber risk

MillerCoors Suit
- $100 million suit for breach of contract
- MillerCoors wanted to implement SAP software for ERP (enterprise resource planning)
- Software = SAP; blueprints for customizations = Deloitte; vendor for customizations and implementation = HCL Tech (an existing MillerCoors vendor)
- Two contracts: (1) a software development contract and (2) a project implementation contract, structured as a series of work orders under an existing and unrelated MSA
- Series of delays and problems; scope creep
- At go-live: 8 critical-severity defects and 47 high-severity defects; thousands of defects detected in follow-up
- MillerCoors sued; HCL countersued, citing information and staffing failures, inadequate understanding and resources, management failures, and scope creep
Takeaway: Deal-specific contracts with all expectations completely and objectively stated.

Vendor Contractual Risks and Flashpoints
- The customer, as original data owner, will be sued first, and held accountable.
- Hold-harmless and indemnification provisions with vendors often include limiting and exclusionary language:
  - Caps on indemnification amounts
  - Exclusions for certain types of data breaches
  - No protection if the vendor becomes insolvent or goes into bankruptcy
  - No protection if the vendor decides not to honor the agreement
Takeaway: Risks that cannot be mitigated entirely by contract should be mitigated otherwise. Consider asking for specific contract terms in the RFP.

Contract Negotiations: Terms to Consider
Warranties and Indemnities
- Separate IP?
- Separate data breach?
- Industry standards and best practices
Limitation of Liability
- Actual, direct damages
- Exclusion of indirect damages
- Multiple liability caps (e.g., a separate, exclusive cap for data breaches)
- Risk/revenue analysis

Contract Negotiations: Terms to Consider
Ongoing Monitoring / Oversight & Accountability
- Periodic business reviews (e.g., quarterly/annual)
- Governance structure(s) (e.g., technology review committee)
- Incident management process
- Service level standards
- Standardized Information Gathering (SIG) questionnaire
- SOC 1/SOC 2 reports
- Audit rights (frequency, costs, third party, deficiencies)

Contract Negotiations: Terms to Consider
Data Ownership, Use & Disclosure
- Data classification: IP, customer, PHI, NPI
- Ownership rights to data/information
- Permitted uses or disclosures
- Data retention and disposal
Privacy & Security
- Confidentiality/NDA
- Comprehensive information security program:
  - Governing information security policy
  - Appropriate security measures to comply with regulations and guidelines
  - Requirements to notify for security breaches

Contract Negotiations: Terms to Consider
- Subcontracting
- Audit Rights / Independent Reviews
Termination Rights (Agreement)
- For cause
- For convenience
- Financial condition (insolvency, receivership, bankruptcy, assignment of assets for creditors)
- Prohibited assignment or delegation
- Address transition and deconversion costs
Dispute Resolution
- Informal process (e.g., escalation to executives)
- Formal process (e.g., mediation/arbitration)
Insurance
- Types of coverage (e.g., professional liability (E&O), cyber liability/security & privacy)
- Insurer/carrier rating

Insurance as Risk Mitigant
- Cyber liability insurance does not cover all exposures to cyber risk: intellectual property, reputation, system improvement
- First-party v. third-party coverage
- Some forms of cyber risk are actually covered under a crime policy: corporate account takeover, funds transfer fraud, social engineering
- Loss of data v. loss of funds
Takeaway: Losses are too large to just insure; other mitigants should be considered. Cyber insurance coverages should be reviewed regularly and each time that significant additional risk is posed.

Monitoring the Vendor
- Dedicate sufficient staff with the necessary expertise, authority, and accountability to monitor the relationship
- As-needed reporting
- Training and awareness
- Independent reviews
- Regularly scheduled checkups
Takeaway: Mitigation is ongoing and continuous.

Vendor Risk in the Cybersecurity Ecosystem
Cybersecurity should be considered as part of an enterprise risk framework.
- What are the key risks?
- What is the organization doing to mitigate cybersecurity risks?
- Who are the responsible business owners for managing these risks?
- How are these risks monitored?
- What internal controls are in place?
Failure to properly manage vendor relationships can have significant impact:
- Transactional risk
- Reputational risk
- Legal and compliance risk

Vendor Ecosystem (diagram slide; figure not reproduced)

Questions?
Paige M. Boshell
pboshell@bradley.com
(205) 521-8639