
Understanding and reducing third-party cyber risk
Small business owners wear a lot of hats, from managing customer databases to maintaining supplier relations. It would be impossible for them to get everything done in a day without outsourcing tasks. While third-party vendors and software applications may be lifesavers for small businesses, they could also be sources of liability if they have a data breach or experience a cyber attack.
A third-party breach can happen to anyone. Recently, multiple Canadian school boards were affected by ransom demands after a software provider was hit by cyber criminals. The attack resulted in decades of personal information being exposed, putting an estimated 60 million people at risk of identity theft or financial crime.
The Office of the Information and Privacy Commissioner of Ontario is now investigating the breach and affected school boards. While the software vendor is currently the main defendant in lawsuits, the affected school boards could face legal or reputational consequences if they are found to have failed in their duty to safeguard student and staff data.
The bottom line is that all organizations are expected to take reasonable steps to protect personal data.
As a business owner, if you provide confidential information to third-party vendors, you are still responsible to ensure that data is kept safe. If the vendor doesn’t have adequate cyber hygiene and a breach occurs, your business could be held liable for any resulting damages. The good news is that you can take steps to reduce this risk and better protect your organization.
Choose your vendors wisely
Small business owners can manage their third-party cyber risk by implementing a supplier management process. The process assesses the security of potential suppliers before contracts are awarded. A key step is having the supplier complete a security practice questionnaire.
Questions should include business information such as the name of the holding or parent company, the supplier’s physical location, and where its systems and data are stored.
The questionnaire should also examine the vendor’s risk management practices. For example, does it have a formalized risk governance plan and risk assessment? Do subcontractors have access to its data or facilities? Does it have a designated individual or team responsible for overseeing and implementing cyber training for its staff, and does it have a security policy? For additional verification, consider requesting supporting documentation as evidence after reviewing the supplier’s responses.
Organizations should periodically reassess vendors’ cyber controls and maintain up-to-date records of all vendors who are providing services. In some cases, vendors should be integrated into the cyber incident response plan, including breach notification processes and key contacts. SMEs should also implement an off-boarding process for vendors whose contracts are ending, to ensure they no longer have access to the organization’s systems or data and, in some cases, to ensure sensitive records are destroyed.
Consider a cyber insurance policy for extra peace of mind
No matter how careful you are, it’s a wise business move to plan for the worst-case scenario. Unfortunately, even the most vetted vendor can still fall prey to cyber criminals. Cyber insurance can play a critical role in protecting companies from third-party cyber risk, especially as businesses increasingly rely on vendors, cloud services and outsourced IT providers.
Your cyber insurance representative may help you review and manage vendor contracts, ensuring that cyber security responsibilities are clearly defined. This can reduce your exposure if a vendor fails to meet their obligations. In the event of a third-party cyber breach, your insurance policy may also include access to breach response teams composed of forensic investigators, legal counsel and public relations experts, as well as coverage for business interruption and recovery costs.
To learn more about cyber insurance, visit CyberSavvyCanada.ca, run by Insurance Bureau of Canada. The website includes a self-assessment tool for owners of small and medium-sized businesses who are considering a cyber insurance policy. This 10-question assessment can help business owners learn about the cyber security protocols and best practices that most cyber insurers look for when assessing risk. It also poses questions similar to those a cyber insurer may ask a business owner during the application process. Depending on the answers, the questions will direct users to appropriate resources.
Hold your business to the highest standards of cyber safety
Don’t underestimate your business’s risk of cyber crime: even small organizations can be targeted by fraudsters and data thieves. Make sure you and your staff are up to date on online theft tactics and are using best practices for cyber safety, such as avoiding public Wi-Fi networks, keeping security tools and software current, and taking time to verify requests for information. Go to CyberSavvyCanada.ca to access trusted resources and tips for keeping your business safe.