Why A Vendor’s Security Information Program Should be Reviewed

Oct 15, 2016

Companies can find convenience and flexibility in outsourcing to third parties. When choosing to work with vendors companies, entrepreneurs should review the vendor’s security information program. Security and IT organizations, together with business units, can review the program for technical risks and coordinate with the legal department to identify issues that may involve cybersecurity law.

Recently, data breaches involving major corporations resulting from vendors have gained more attention. After all, using vendors can expand the threat landscape beyond the perimeter of the company. Furthermore, a number of notable data breaches, such as Target and Home Depot, have contributed to the expanding landscape of cybersecurity law.

Although a data breach can be directly damaging to businesses such as loss of information or inaccessibility of information, there can also be incidental consequences, including reputational damages and vulnerability to litigation from customers, shareholders, and directors. Furthermore, there are potential regulatory risks that are related to vendor incidents. Whether the breach originates from the company or from the vendors is not relevant when it comes to the customer base—customers can respond negatively to data breaches either way. They remain concerned about their own financial consequences that are tied with data breaches. Therefore, it is important for entrepreneurs to consider the following before entering to vendor agreements:

(1)The vendor should actually have an information security program;

(2)The information security program should be attached to the agreement; and

(3)The agreement should include a warranty to comply with the attached program.

There has been substantial reliance on third parties when it comes to the overall structure of businesses. Such reliance can make businesses more prone to risks if vendor’s security practices and policies are inadequate or incompatible with the type of information a company needs to protect.

Generally, a data breach can affect the overall customer base and the market value of businesses. Therefore, entrepreneurs should consult with competent technology professionals and with legal counsel that understand technology and cybersecurity issues to help minimize the inherent risks from allowing third parties to store, process, or use a company’s information. Working with an attorney could help further in mitigating risk in vendor agreements.