Vendor management critical to data regulatory compliance
Reprints
NEW YORK — Managing vendors and third-party contractors is a critical part of data regulation compliance, industry experts say.
Any owner of data must manage all contractors to the same standards as its own operations, and there should be an organized framework for such management, according to a panel discussion at the Professional Liability Underwriting Society’s Cyber Symposium Tuesday in New York.
“That’s the area where I see the biggest challenge for a lot of organizations,” said David Shluger, Old Lyme, Connecticut-based head of cyber risk advisory for Axis Capital Holdings Ltd.
“From a vendor consideration perspective, know that it’s still your responsibility, even if you’ve outsourced the processing, consumption, analysis, storage, or deletion of any data, it is still ultimately your customer and your liability or exposure,” Mr. Shluger said.
An organization’s compliance posture concerning privacy rights is only going to be as strong as that of any party that has access to its systems or is processing its data, said Kevin E. Dolan, Philadelphia-based partner and co-chair, advisory compliance practice, for Mullen Coughlin LLC.
Mr. Dolan added that documenting such standards as part of a contractual arrangement should also be part of an organization’s diligence.
Having such an organized framework setting out the specific goals for regulatory compliance can help an organization avoid missteps, said R.S. Richard Jr., chief of cybersecurity, Region 2 of the Cybersecurity and Infrastructure Security Agency in New York.
