One of the biggest risks to data security is the lack of management of vendors (third parties) and of vendors' subcontractors (fourth parties). Companies can mitigate this ever-increasing vendor data security risk by purchasing appropriate cyber insurance and by implementing a vendor risk management program that includes processes for systematically conducting due diligence and negotiating contracts.
If primary vendors are not properly assessed, or if no controls are placed on the subcontractors (i.e., “fourth parties”) that may be used to render the primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without the company’s knowledge. Companies can contractually address this exposure by requiring pre-approval of fourth parties, by imposing security requirements that fourth parties must meet, and/or by requiring security reviews of those fourth parties. The residual financial exposure from vendor and fourth-party incidents can also be transferred through cyber insurance policies.
These practices are in keeping with increasing regulation of vendor management. Effective March 1, 2019, the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500, the “Regulation”) requires covered entities to adopt certain vendor management practices that are independent of, and in addition to, the vendors’ own compliance and certification obligations under the Regulation, and other jurisdictions are following suit.
Creating a vendor management program can be daunting. Experienced attorneys who have counseled clients on these issues, both as external and as in-house counsel, can guide businesses through the process. For additional information regarding vendor risk management, please refer to the full article as published in the Buffalo Law Journal.