Closing the gaps on third-party cyber liability
Posted On: Nov. 4, 2018 12:00 AM CST
Third-party vendors’ cyber security is becoming an increasing concern for companies as the popularity of outsourcing data processes and other functions that are not within their basic areas of expertise grows.
It is a difficult task because of challenges companies face ascertaining who their vendors are, determining the extent to which they may be putting their own cyber safety at risk, and then addressing the issue.
“It’s actually quite a large problem, and one that our insureds and the industry in general is struggling with, and I don’t think there’s been a perfect solution to date with this,” said Yosha DeLong, technical director for Schaumburg, Illinois-based Zurich North America.
“Third-party vendors accounted for more than a quarter of all the claims that we saw” in Willis Towers Watson PLC’s proprietary claims data, said Jason Krauss, New York-based cyber/errors and omissions thought and product leader for the brokerage’s FINEX North America business.
However, there are steps firms can take to get a handle on this task.
“Any kind of connection to an outside party” brings with it a certain amount of risk, said Bob Wice, Farmington, Connecticut-based head of the U.S. cyber underwriting team for Beazley PLC.
One reason for firms’ greater vulnerability is many have embraced the cloud for a wide variety of functions, including payroll, data processing and staffing, experts say.
But companies’ success in grappling with this issue has been a mixed bag.
“I think it’s fair to say it’s something that most companies understand as a risk, but they have a hard time knowing what to do about it, and smaller companies have a much more difficult time managing vendor risk because they simply lack the resources,” said William Boeck, senior vice president and insurance and claims counsel at Lockton Cos. LLC in Kansas City, Missouri.
In response, “Many organizations are building a robust set of expectations that are conditions of doing business” with vendors, said Kevin Richards, Chicago-based global head of cyber risk consulting for Marsh Risk Consulting.
“The regulators are forcing this conversation, even more so than the businesses themselves,” said Adam Cottini, managing director of insurance and risk management in North America at Arthur J. Gallagher & Co. in New York.
He pointed to the European Union’s General Data Protection Regulation, the California equivalent scheduled to take effect in 2020 and the New York State Department of Financial Services Cybersecurity Regulations, with other states considering introducing comparable regulation.
“A lot of people are looking toward regulatory schemes like GDPR or various data protection statutes to provide some guidance and answers” to address the issue, said Tom Sheffield, New York-based head of specialty claims at QBE North America, a unit of Sydney-based QBE Insurance Group Ltd.
Stephanie Snyder, Chicago-based senior vice president and national sales leader for cyber insurance with Aon PLC, said that with other states likely to follow California and the potential for federal regulation around privacy as well, “organizations are much more mindful not only about the data they have, but what they’re sharing,” and want to protect themselves, both through their contracts and insurance.
Mr. Richards said firms can exercise significant control over third-party vendors in regulated industries, including health care, financial services and utilities, but in other sectors “it gets a little bit harder.” Richard May, Seattle-based managing principal for Integro Ltd., said financial institutions, for instance, “are commonly requiring law firms who for various reasons touch their data to perform very detailed self-audits.” They may also require a physical on-site audit process, “with questionnaires that are thousands and thousands of pages long around security.”
Part of the problem is getting a handle on the multiple vendors being used, experts say. In some cases, an outsourcing vendor may be paid for with “some manager’s credit card,” said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey.
“The first thing you have to do is figure out what vendors you need to worry about,” said Mr. Boeck. Vendors can range from cloud vendors who hold important data and whose compromise would cause the business to suffer, to those who pose relatively low risk and to whom “you’re not going to apply the same level of rigor.”
“You want to consider limiting the data to which a vendor has access, if that is possible,” said Mr. Krauss. “Another possibility is to encrypt data” to lessen the impact of a breach, he said.
“Fundamentally, companies need to be as specific as they can be in their contracts with vendors about what information governance and cyber security measures they have in place, so that there’s a contractual commitment that is specific and that is measurable,” Mr. Boeck said.
They should also be concerned with how well vendors’ employees are trained, evaluated and supervised, Mr. Boeck said. “The human element is always, unfortunately, the weakest link,” he said.
Resilience must be considered as well, said Mr. Boeck. If a vendor system is attacked, “how quickly can the vendor recover? If they can’t recover quickly, that vendor represents a significantly higher risk to anybody doing business with them, so their resilience is critically important.”