From CrowdStrike’s 2018 report titled Securing the Supply Chain: “Although almost 90 percent of the respondents believe they are at risk for supply chain attack, companies are still slow to detect, remediate and respond to threats.”
The Capital One breach is a classic example of an at-risk company that succumbed to the third-party supply chain threat, and it is particularly heinous considering that Capital One is supposedly the digital banking pioneer and should be one of the more cyber-savvy companies on the planet.
Vendor and Customer, A Risky Digital Relationship
PwC just reported that digital interconnectivity between vendor and customer, like that between Capital One and AWS, has given either direct or indirect birth to 63% of all cyber-attacks in the last 5 years. And 56% of respondents claim they conduct only reactive or informal third-party risk management (TPRM), leaving just one-third that manage third-party risk proactively.
Some examples of TPR-related breaches include: the Target breach, where the cyber-attackers gained entry by stealing credentials from Target’s third-party air conditioning subcontractor; the JP Morgan breach, where the cyber-attack began through J.P. Morgan’s Corporate Challenge online platform, which was run by a third-party website vendor; the hacked AMCA billing services vendor, which impacted 6 business-associated entities; Applebee’s, Arby’s, Sonic, Chipotle, Forever 21, Whole Foods and Brooks Brothers, all of whom relied on a third-party point-of-sale system that was compromised; and Sears, BestBuy, Delta and Kmart, all of whom used the third-party 7.ai chat-bot vendor, which was also hacked.
And these are only a handful of the reported examples of breaches resulting from our increased dependence on third-party digital interconnectivity without adequate vetting and extraordinary protections.
What Does the Board Understand About Third Party Risk?
As a result, Boards and C-suite executives are forced to deal with a myriad of expensive and time-consuming fallout activities. These often begin with the misguided termination of the CISO, but also include responses to litigation from all parties affected (shareholders, customers, third parties, the SEC, and international, federal, state and local regulatory compliance agencies), the provision of no-cost credit monitoring and identity protection services, insurance claims litigation, the ensuing public relations shit-storm, managing the endless communications long-tail with customers, partners, employees, affiliates and insurance carriers, and ultimately both professional and personal liability defenses.
Add on the reputational and brand damage, extensive loss of productivity, the management drag, the negative impact on employee morale and the overall business and stock price performance and you have a monster circus of unimaginable proportions.
And why? After witnessing the fallout from the Target Stores breach alone, which included the termination of their CEO and the C-suite officers responsible for IT and security and the $250 million+ spent just on legal fees to defend against shareholder and customer lawsuits, the fact that any company would choose to ignore this threat vector is beyond perplexing.
And then, if you add the other dozen or so examples above, is there not sufficient, screaming-out-loud evidence that third-party security threats pose a substantial enterprise risk?
CISO’s Power Stops Here
Enterprise risk must be dealt with at the Board level; while it is politically convenient to leave it to the CISO or the CIO, it is not within their sole purview. The Board cannot continue to ignore the downside of our recent addiction to outsourced technology services and our increasingly intimate cyber-integration with third-party supply-chain vendors, while pressing for more, bigger, faster growth and abdicating its fiduciary duty of care.
Unless, of course, they want to either end up in jail or become the latest recipient of fabulous exit packages like those received by Messrs. Smith of Equifax ($90 million) and Steinhafel of Target ($37.8 million).
All joking aside, no one intentionally seeks out the ridicule and shame associated with notoriety around overseeing a massive data breach, regardless of compensation.
So, again, why?
Could it be that no one wants to do the work required? Because it takes a heaping dose of hard stuff to properly vet and engage a third-party partner, work that most enterprises largely do not perform today.
Among other things, it requires a set of high standards that vendors must qualify against, ensuring that they have been in business for a reasonable amount of time and have earned, and can demonstrate, specific information security and cybersecurity compliance certifications (PCI DSS, HIPAA and SOX).
It requires segmenting vendor risk based upon the nature and quantity of company information to which each vendor will have access. That in turn requires data-flow mapping and extraordinary system controls, developing new security policies, and executing exceedingly rigorous information handling procedures and auditing.
The vendors must also be required to prove that they conduct at least semi-annual third-party risk and security assessments, that they make proper use of encryption, and that they use, and can demonstrate, the latest methodology, policy and process to protect and control access to their own networks, systems and data, as well as to any data shared with them.
They should be able to demonstrate that they are current with all regulatory compliance mandates; use some form of multi-factor authentication; conduct regular cybersecurity awareness training for their employees; run some form of acceptable SIEM with associated intrusion detection and remediation technologies; maintain incident response and recovery plans that have been table-top tested; and have adopted some form of zero-trust protocols for information and network access.
To engage with confidence, a comprehensive review of the vendor’s past cybersecurity incidents, and of the way in which they dealt with and remediated those events, would be instructive. A site visit to observe the effectiveness of their cybersecurity technologies and processes operating in real time is also required.
From a legal perspective, of course, it is necessary that your legal staff works up a bullet-proof set of agreements that clearly specify the audit rights, cooperation rights and relationship-based demarcation definitions; cybersecurity incident notification provisions; the applicable laws and regulatory requirements to which they will be held liable, especially those relating to data privacy (e.g. the General Data Protection Regulation (GDPR), the Privacy Shield Framework, and the California Consumer Privacy Act (CCPA)); and the specific liability that arises from a related incident or class of breach.
If this all seems like a lot to do, you are now beginning to gain an appreciation for what your CISO does. Every. Freaking. Day.