Cybersecurity: Revisit Your Procurement Strategies

by John Jenkins

March 10, 2025

A recent Bryan Cave memo discusses actions companies can take to prepare for cybersecurity incidents and to limit their risks. One of those suggested actions involves revisiting company procurement strategies. This excerpt explains:

Many data breaches suffered by organizations do not actually happen on their own systems, but on those of their service providers (e.g., a third-party central HRIS system). Nevertheless, the reporting obligations and primary liability generally run to the organization rather than the service provider. Thus, protection of data means more than hardening company servers, endpoints and other assets, and training employees.

As important, if not more, is the development of a procurement strategy that ensures: (i) that the company is protected contractually, through indemnification and other risk-shifting provisions, in the event of a breach; (ii) that the company has received sufficient assurances through actionable representations and warranties concerning the service provider’s security standards and protection of the company’s sensitive data; and (iii) that the company has a meaningful audit strategy for key vendors. Indeed, an inventory of key vendors ranked by risk and an audit strategy for those vendors is one of the more valuable (and rare) mitigation strategies.

Other recommended actions include mapping breach reporting requirements, revisiting insurance coverages (including D&O) and using resources available from insurers to harden systems & controls, and enhancing overall compliance efforts.