Using Contracts to Manage Vendor Cyber Risk

You’ve worked hard to build out your cybersecurity and cyber risk programs. You’ve engaged with cybersecurity consultants, hired the right internal staff, built out and maintained a risk management system, and have proper controls in place. You have a strong cybersecurity posture and your stakeholders are satisfied with the results.

One fine summer day a news story shocks your whole organization: credit cards from all of your customers have been found on the internet. Malware was found on your point-of-sales system. The lawyers are involved, your leadership is furious… things are a mess.

The source of the issue? One of your vendors managing your point-of-sales systems experienced a breach. You had nothing to do with the breach, however your organization is the one being blamed.

Even if your organization works to build out a proper cyber risk management program, implements an Information Security Management System (ISMS), uses proper change controls, etc., a single vendor that doesn’t adhere to these same risk management techniques can undermine everything your organization has done to protect itself. To that end, even if all of your vendors do the same, if a single one of their vendors does not properly manage risk, your risk program is undermined as well.

How do you manage this additional risk?

Creating Contract Requirements

In our last blog post, we discussed that airports, governments, and all other critical infrastructure organizations have the responsibility to appropriately manage cyber risk. Management of that risk, however, also applies to third parties, fourth parties, and n-th parties as well.

One way to manage that risk is by defining cybersecurity and cyber risk requirements at the beginning of a vendor relationship through contractual obligations or by appending such requirements to a contract renewal.

The two most common requirements that can be implemented are:

  1. requiring vendors achieve and maintain ISO 27001:2013 (International Standards Organization) certification; and
  2. requiring vendors participate in AICPA (American Institute of Certified Public Accountants) SOC (System and Organization Controls) audit and attestation.

These requirements are complementary and provide a full picture of how a vendor manages cyber risk.

An Overview of ISO and SOC

An ISO 27001:2013 certification demonstrates to your organization that a vendor properly manages the confidentiality, integrity, and availability (the CIA triad) of information in their organization and has a functional ISMS. Certification is an ongoing process and must be continually maintained. Vendors wishing to keep this certification must have ongoing internal and external audits of the ISMS and related ISO controls.

A vendor who achieves and maintains ISO 27001:2013 certification shows to a potential customer that:

  • the vendor has reviewed the information security standards and has selected controls to implement;
  • the vendor has implemented those commonly accepted information security controls; and
  • the vendor has built out information security management guidelines for their organization.

SOC reports focus on controls and control effectiveness per standards set forth by the AICPA. SOC audits and attestation demonstrate that a vendor has proper controls in place and that those controls are effectively used in operations either at a specific point in time or for a period of time. There are different types of SOC reports available. The most common of these reports are:

  • SOC 1 – Internal controls relevant to financial reporting. The results are intended for restricted use by the organization requesting the audit. Based off of attestation SSAE 18 (Statement on Standards for Attestation Engagements).
  • SOC 2 – Internal controls relevant to operations and compliance as defined by the AICPA Trust Services Criteria. The results are intended for restricted use by the organization requesting the audit. Based off of AT-C 205 (AICPA’s Attestation Standards).
  • SOC 3 – Simplified version of SOC 2 that may be freely distributed for general use based off of AT-C 205.

The SOC 1 and 2 reports are further broken down into two types.

  • Type I reports represent an audit of controls at a specific point in time.
  • Type II reports represent an audit of controls over a period of time, with a minimum of a six-month period. Type II reports also include a testing of controls for suitability of design and operating effectiveness. Type II reports are considered more authoritative.

Steps to Achieving Certification and Attestation

There are two main steps a vendor will need to take to provide these. First, the vendor needs to prepare for certification, audit, and attestation. Both the ISO and SOC provide a set of requirements that must be adhered to. This process can be done internally, however this work is oftentimes performed with the help of a cyber risk management firm as it can be extremely taxing.

Next, the vendor has the actual certification (in the case of ISO) or audit (in the case of SOC) performed by an independent third party. In the case of ISO, this must be done by an accredited certification body. The certification bodies may only provide certification and not preparation and consulting in relation to the certification. In the case of SOC, an independent CPA firm must perform the audit per AICPA rules.

Fourth-Party, Fifth-Party, Sixth-Party…

Your organization should also consider downstream, nth-party requirements. Your vendors’ vendors can also put you at risk. Are they ISO certified? Would they pass a SOC 2 Type II audit and achieve attestation? These are questions you should ask as you build out a risk register on your projects and look at your contract needs.

The Hard Reality

If your organization flipped a switch today and required all of your vendors to be in complete compliance, odds are you’d have no more vendors. The hard reality here is that these processes cost time and money, and vendors are forced to decide on cybersecurity and cyber risk matters based on budget in the same way as you.

Unfortunately, no airport, government, or other critical infrastructure organization can wait any longer. Your organization is actively under attack, and threat actors will use whatever vector necessary to gain access to your systems. Vendors are one such vector.

The best approach may be a gradual introduction of these requirements. For instance, require that a vendor perform a NIST (National Institute of Standards and Technology) Cybersecurity Framework review for internal use immediately and attain ISO certification one year after contract certification. If you’re looking for SOC attestation, request a Type I report first, and then a Type II a year later.

A Path Forward

A good service ecosystem is built on good relationships. Organizations rely on their vendors, and vice versa. These requirements may seem burdensome at first, however they provide a common language between parties that clearly articulates the expectations and importance of managing cybersecurity and cyber risk.

Not all vendors (nor all organizations, for that matter) are fully equipped to flip the switch today. Organizations and vendors may need to ease into the process, knowing full well that it will be a requirement in the future. Support goes both ways.

Organizations and vendors should enlist the support of qualified cybersecurity and cyber risk management firms for preparation, certification bodies and auditors for official reviews, and cybersecurity counsel to help craft contractual language that clearly outlines the requirements for the relationship.

Managing Third-Party Cyber Risk at Airports

Airports must ensure the safety and security of passengers and employees as well as the continuous operation of their critical infrastructure. Cybersecurity incidents and cyber risk pose significant challenges to that goal. In 2019 alone, over 20 municipal governments and a number of major airports in the US have been hit with cyber attacks. These incidents disrupt services and have the potential to put lives at risk.

It is vitally important that airports appropriately manage risk in their environment. From assessments to business continuity plans, there are a number of steps that can be taken internally to appropriately handle risk. But what about third-party vendors? While an airport can work hard to manage risk, if a single vendor has a data breach or is a victim of a cyber attack, the effects of that incident can quickly spread to any organization they support.

Supply chain integrity and third-party vendor risk management is essential to an information security and cyber risk program for any airport. A 2018 study by the Ponemon Institute revealed that 56% of organizations have experienced a breach directly caused by one of their vendors. As an example, the major data breach at Target in 2014 was caused by a breach at one of their HVAC vendors.

Managing Third-Party Vendor Risk and Supply Chain Integrity

Airports engage in a significant amount of outsourcing and managed services to meet their needs. From master planning to vertical construction to IT systems, there are a myriad of services and systems that are handed off to vendors for management and completion. Each time an airport adds new systems or obtains new services the organizational risk profile changes. When those systems or services come from a third-party vendor, airports assume the risks brought on by that third-party.

For instance, an airport is considering a new FIDS system from a vendor. Has the vendor developed their product using SDLC and the STRIDE methodology? Are endpoint systems patched and what is the patching schedule? If the service is in the cloud, what is the security offered by the provider? Is data encrypted both at rest and in motion? How long is PII handled for, if at all? Does the vendor have a risk management plan? How does the vendor handle our infrastructure drawings and other SSI? These and countless other questions strike at the heart of managing cyber risk by way of verifiable standards.

Airports should confirm that their vendors manage cybersecurity and cyber risk to an appropriate level. To that end, they can use contracts as an enforcement vehicle. In the case of the FIDS vendor, an airport could require that all bidders have an updated ISO 27001:2013 certification or require SOC II or SOC Cybersecurity attestation before the contract conforms. It is also crucial that airports update their internal ISMS to account for the new assets, risks, threats, continuity requirements, and disaster recovery needs.

Vendors can increase their trustworthiness and reduce potential liability by proactively managing cyber risk. The ISO 27001:2013 certification and the SOC II and SOC Cybersecurity attestation processes can seem burdensome, however significant value is generated with the certification and with the reduced risks. Airports see a certified or attested company as trustworthy and diligent, even more so when others within a space do not have those credentials. If a cybersecurity incident should arise, managing risk and creating a true ISMS will show that a vendor has acted in good faith, with due diligence and due care in the situation.

It Takes Two to Tango

Airports and the vendors that serve them have a responsibility to ensure safe and secure operations for all stakeholders. Cybersecurity incidents pose a real danger to safe and secure operation of critical infrastructure. Airports and vendors can manage cyber risk by maintaining internal cybersecurity and cyber risk programs that are continually updated and audited. Vendors can demonstrate due diligence and due care through the certification and attestation processes, and airport can do the same by requiring and verifying those credentials.

Our Services

Cyprus Lake assists airports and their vendors to certify that cybersecurity and cyber risk are being adequately managed. For airport vendors, we provide certification preparation and internal auditing services for ISO 27001:2013 and SSAE18 as well as preparation for SOC II and SOC Cybersecurity audits and attestation. For airports, we can help manage internal risk through NIST 800-30, NIST 800-53v4, NIST Cybersecurity Framework, CIS CSC, and ISO 27001:2013 preparation and remediation as well as with advisory services on contract engagements to ensure third-party compliance and attestation.

If you would like more information regarding our services, please contact us at (267) 888-8022 or email us at info@cypruslake.com.

 

Ransomware at Louisville Regional Airport Authority

Airports were once again subject to ransomware attacks this week as the Louisville Regional Airport Authority (the managing entity for Louisville Muhammad Ali International Airport and Bowman Field) fell victim. The good news in this case is that the attack was isolated, the issue contained, and data restored. Hats off to the team at LRAA for their work! You can read more about this story in the Courier Journal.

As we’ve seen with Cleveland, Atlanta, Bristol, and countless others, airports have become a major target for cyberattack. Not only that, over twenty US municipalities have been caught in similar situations, leading to loss of services and discontinuity of operations. Since over 70% of airports in the US are owned and operated by municipalities, we can expect to see more incidents sooner rather than later.

The LRAA incident shows that there are strategies that can help mitigate the risk associated with these types of incidents. In their case, isolation and reaction time was key: while the event did occur, their teams were able to maintain business operations and restore key systems in an effective manner.

Cybersecurity incidents will happen: it’s only a matter of time. This includes cities, airports, and private companies. What matters is proper assessments, planning, controls, and response plans are in place so that business can continue to operate and there is no risk to the safety of customers and citizens. Unfortunately, without proper plans in place, it’s only a matter of time until incident negatively affects safety. It is imperative that organizations and governments dedicate time to putting plans and measures in place to prevent that from happening.