CEO Monthly, Issue 8 2019 (page 24)

There are a number of contractual protections which can help to manage such risk:

• Consider extending your own security policies to service providers. Contracts can include provisions requiring providers to comply with specified cyber security procedures and technical controls. It also helps if these are built around a recognised security framework such as NIST, BS 27001 or the CIS top 20 security controls.
• Consider requiring the vendor to make representations or warranties regarding its cyber security practices, or to authorise your organisation to conduct audits of the vendor’s ability to meet and sustain your security expectations.
• Require that the service provider notifies you in a timely manner of any security incident it experiences. Such a provision might also define your organisation’s rights to control any responses or disclosures to third parties in the event of an incident.
• Employ good security controls and limit downstream transfers of your data, specifically personal data under GDPR.
• Require the vendor to destroy copies of your data, in the manner you specify, on termination of the relationship.
• Consider how to allocate liability through indemnification provisions or limitations on liability, based on the nature of the relationship, the sensitivity of the data involved and the GDPR requirements.
• Consider requiring the service provider to maintain cyber security-related insurance coverage. You should also consider whether, and to what extent, data breaches stemming from third-party service providers fall within your own insurance coverage. Combined public liability and cyber security insurance policies are also available for the broadest possible coverage.

Know your GDPR rights

Under GDPR, processors, like controllers, are required to implement appropriate security measures.
What is appropriate is assessed in terms of a variety of factors, including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing. Regular testing of the effectiveness of any security measures is also required. Furthermore, your processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it. The new data regulations also mean organisations have a right-to-audit clause within their processor contracts.

Develop a Third-Party Cyber Risk and GDPR Compliance Assurance Program

After reviewing existing contracts for these requirements, an organisation should consider whether such contracts can and should be renegotiated. This step should not be neglected, given that existing contracts often do not meet the standards required by GDPR. Additionally, an organisation should develop cyber security and data protection guidelines for future contracts. Once these revised contracts have been renegotiated and put in place, organisations should implement Continuous Compliance Monitoring. Finally, businesses should look to a monitoring program that empowers them to monitor the cyber risk and GDPR compliance of their third parties on demand. This program should have the ability to monitor not only third-party risk but also fourth-party and fifth-party risk across your ecosystem of service providers and partners. One of the threads that runs through the GDPR is the requirement to demonstrate compliance. In the event of a data breach or an audit by the regulator, you will be required to demonstrate good third-party assurance. This can be readily achieved with an ongoing Continuous Compliance Monitoring program.
A Preventative Approach to Third-Party Risk

The fact that Target’s breach originated from a third-party service provider did not prevent Target from incurring enormous losses in the form of litigation expenses and loss of customer confidence, among other things. For that reason, the primary goal is to prevent an incident. If an incident does occur, the robustness of an organisation’s procedures and practices with regard to third-party service providers could help to limit its liability in subsequent litigation. This could include a shareholder suit against directors and officers, a customer or employee data privacy suit, or regulatory scrutiny. Indeed, regulators have begun to place increasing scrutiny on third-party relationships in the context of cyber security and GDPR legislation.

About Northdoor:

Northdoor plc is a leading provider of integrated information technology solutions. Its services encompass consultancy, application development, enterprise infrastructure and IT support and managed services. Originally founded in 1989 to serve the London Market, Northdoor has extended its expertise in insurance and banking to wider sectors, such as media, retail and property, with services now reaching over 400 businesses. Northdoor has a collaborative and high-touch customer care approach in delivering tailored solutions that help clients to achieve their business objectives.
