Using Contracts to Manage Vendor Cyber Risk

You’ve worked hard to build out your cybersecurity and cyber risk programs. You’ve engaged with cybersecurity consultants, hired the right internal staff, built out and maintained a risk management system, and have proper controls in place. You have a strong cybersecurity posture and your stakeholders are satisfied with the results.

One fine summer day a news story shocks your whole organization: credit cards from all of your customers have been found on the internet. Malware was found on your point-of-sale system. The lawyers are involved, your leadership is furious… things are a mess.

The source of the issue? One of your vendors managing your point-of-sale systems experienced a breach. You had nothing to do with the breach; however, your organization is the one being blamed.

Even if your organization works to build out a proper cyber risk management program, implements an Information Security Management System (ISMS), uses proper change controls, etc., a single vendor that doesn’t adhere to these same risk management techniques can undermine everything your organization has done to protect itself. Furthermore, even if all of your vendors do the same, if a single one of their vendors does not properly manage risk, your risk program is undermined as well.

How do you manage this additional risk?

Creating Contract Requirements

In our last blog post, we discussed that airports, governments, and all other critical infrastructure organizations have the responsibility to appropriately manage cyber risk. Management of that risk, however, also applies to third parties, fourth parties, and n-th parties.

One way to manage that risk is by defining cybersecurity and cyber risk requirements at the beginning of a vendor relationship through contractual obligations or by appending such requirements to a contract renewal.

The two most common requirements that can be implemented are:

  1. requiring that vendors achieve and maintain ISO 27001:2013 (International Standards Organization) certification; and
  2. requiring that vendors participate in AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) audit and attestation.

These requirements are complementary and provide a full picture of how a vendor manages cyber risk.

An Overview of ISO and SOC

An ISO 27001:2013 certification demonstrates to your organization that a vendor properly manages the confidentiality, integrity, and availability (the CIA triad) of information in their organization and has a functional ISMS. Certification is an ongoing process and must be continually maintained. Vendors wishing to keep this certification must have ongoing internal and external audits of the ISMS and related ISO controls.

A vendor who achieves and maintains ISO 27001:2013 certification shows to a potential customer that:

  • the vendor has reviewed the information security standards and has selected controls to implement;
  • the vendor has implemented those commonly accepted information security controls; and
  • the vendor has built out information security management guidelines for their organization.

SOC reports focus on controls and control effectiveness per standards set forth by the AICPA. SOC audits and attestation demonstrate that a vendor has proper controls in place and that those controls are effectively used in operations either at a specific point in time or for a period of time. There are different types of SOC reports available. The most common of these reports are:

  • SOC 1 – Internal controls relevant to financial reporting. The results are intended for restricted use by the organization requesting the audit. Based on attestation standard SSAE 18 (Statement on Standards for Attestation Engagements).
  • SOC 2 – Internal controls relevant to operations and compliance as defined by the AICPA Trust Services Criteria. The results are intended for restricted use by the organization requesting the audit. Based on AT-C 205 (AICPA’s Attestation Standards).
  • SOC 3 – Simplified version of SOC 2 that may be freely distributed for general use. Also based on AT-C 205.

The SOC 1 and 2 reports are further broken down into two types.

  • Type I reports represent an audit of controls at a specific point in time.
  • Type II reports represent an audit of controls over a period of time, with a minimum of a six-month period. Type II reports also include testing of controls for suitability of design and operating effectiveness. Type II reports are considered more authoritative.

Steps to Achieving Certification and Attestation

There are two main steps a vendor will need to take to provide these. First, the vendor needs to prepare for certification, audit, and attestation. Both ISO and the AICPA define a set of requirements that must be adhered to. This preparation can be done internally; however, the work is often performed with the help of a cyber risk management firm, as it can be extremely taxing.

Next, the vendor has the actual certification (in the case of ISO) or audit (in the case of SOC) performed by an independent third party. In the case of ISO, this must be done by an accredited certification body. The certification bodies may only provide certification and not preparation and consulting in relation to the certification. In the case of SOC, an independent CPA firm must perform the audit per AICPA rules.

Fourth-Party, Fifth-Party, Sixth-Party…

Your organization should also consider downstream, n-th-party requirements. Your vendors’ vendors can also put you at risk. Are they ISO certified? Would they pass a SOC 2 Type II audit and achieve attestation? These are questions you should ask as you build out a risk register on your projects and look at your contract needs.

The Hard Reality

If your organization flipped a switch today and required all of your vendors to be in complete compliance, odds are you’d have no more vendors. The hard reality here is that these processes cost time and money, and vendors are forced to decide on cybersecurity and cyber risk matters based on budget in the same way as you.

Unfortunately, no airport, government, or other critical infrastructure organization can wait any longer. Your organization is actively under attack, and threat actors will use whatever vector necessary to gain access to your systems. Vendors are one such vector.

The best approach may be a gradual introduction of these requirements. For instance, require that a vendor perform a NIST (National Institute of Standards and Technology) Cybersecurity Framework review for internal use immediately and attain ISO certification one year after contract certification. If you’re looking for SOC attestation, request a Type I report first, and then a Type II a year later.

A Path Forward

A good service ecosystem is built on good relationships. Organizations rely on their vendors, and vice versa. These requirements may seem burdensome at first; however, they provide a common language between parties that clearly articulates the expectations and importance of managing cybersecurity and cyber risk.

Not all vendors (nor all organizations, for that matter) are fully equipped to flip the switch today. Organizations and vendors may need to ease into the process, knowing full well that it will be a requirement in the future. Support goes both ways.

Organizations and vendors should enlist the support of qualified cybersecurity and cyber risk management firms for preparation, certification bodies and auditors for official reviews, and cybersecurity counsel to help craft contractual language that clearly outlines the requirements for the relationship.