
Cyber risks cross organizational lines


Managing vendors and third-party contractors is a critical part of data security and regulatory compliance, experts say.

Data owners must manage contractors to the same standard as their own operations, and they should adopt an organized framework to enable such control, they said during sessions and interviews at the Professional Liability Underwriting Society’s Cyber Symposium in New York last week.

“Even if you’ve outsourced the processing, consumption, analysis, storage or deletion of any data, it is still ultimately your customer and your liability or exposure,” said David Shluger, Old Lyme, Connecticut-based head of cyber risk advisory for Axis Capital Holdings Ltd., during a panel discussion at the conference.

“If you are the data owner, you are ultimately responsible and accountable for protecting that data, even if the data is in the custody of a third party,” said Ken Morrison, Hartford, Connecticut-based assistant vice president for cyber risk management at Travelers Cos. Inc.

Among the cyber-related advice USI Insurance Services LLC provides to its clients, third-party risk management, or TPRM, is “front and center,” said Nadia Hoyte, New York-based national cyber practice leader at the brokerage.

“That’s something that clients definitely need to be focused around,” Ms. Hoyte said, adding that such exposures are leading to cyber liability insurance claims.

Michelle Chia, New York-based chief underwriting officer, cyber, for Axa XL, a unit of Axa SA, noted noncore operations are increasingly being outsourced to vendors.

“In the cyber world, we refer to outsourced vendor risk as cyber supply chain risk, which has the potential to create the next cyber tsunami if not properly managed,” she said.

An organization’s compliance with privacy rights will only be as strong as that of any party that has access to its systems or is processing its data, said Kevin E. Dolan, Philadelphia-based partner and co-chair, advisory compliance practice, for Mullen Coughlin LLC.

“It’s really critical to make sure to employ the very same level of diligence with respect to any third party that’s accessing or processing the data on the same level as within your organization,” Mr. Dolan said.

“Companies must evaluate vendors and M&A targets’ cyber resilience at the same level as their internal cyber controls,” Ms. Chia said.

Documenting such standards as part of a contract should also be part of an organization’s due diligence, Mr. Dolan said.

“This can be done with contracts that explicitly articulate responsibilities, service levels and the right to audit,” Mr. Morrison said.

Organizations should establish policies and procedures that govern such relationships across their entire operations, said Mr. Shluger of Axis.

Having an organized framework that sets out the specific goals for regulatory compliance can help an organization avoid missteps, said R.S. Richard Jr., chief of cybersecurity, Region 2 of the Cybersecurity and Infrastructure Security Agency in New York, during the conference.

“Third-party risk management is not difficult in theory, but it might be difficult in practice. A company should begin by identifying all third parties that it engages with, or those who would have access to data and systems or provide a service the business is dependent on,” he said.

Organizations should conduct an inventory of critical vendors and understand their incident response plans, said Ms. Hoyte of USI.

“If there is a cyber incident, and it begins with your vendor, do you have a good understanding of what the incident response process is that they will engage?” she said.

Compliance with data privacy regulations has grown in scope as more states move to enact such rules. California was the first to adopt such a framework in 2021, and in the three years since 13 more states have done so, with another 20 or more at some stage of legislative development, Mr. Dolan said.