Most owners and managers are at least partially aware of the direct dangers their companies face from cyber crime, whether the crime is committed by an outsider or an employee. As a decision maker, though, there is another source of cyber risk that you need to understand: third-party vendors.
Vendors hold valuable, sensitive data
Vendors frequently possess personally identifiable information (PII) and other sensitive data. If this data is stolen or misused while the vendor is handling it, even through no fault of your own, you will have a public relations nightmare to deal with. Your company will also face numerous other potential problems that can severely damage your bottom line and reputation.
Just last month, for example, credit card giants MasterCard and Visa made major news when they revealed that millions of card numbers had been accessed through an attack on a third-party credit card processor, Global Payments. Because MasterCard and Visa generally absorb fraudulent charges, this one incident could result in substantial losses.
In another prominent case, Stanford Hospital & Clinics reported last fall that 20,000 patient names, diagnosis codes, and account numbers were published on the Internet while in possession of a third-party billing contractor. According to Computerworld, one patient has already filed a $20 million lawsuit against Stanford.
Cyber crime in the cloud
Many businesses are increasingly utilizing cloud computing vendors – those that provide software as a service (SaaS) or online storage and backup – because cloud vendors can offer continually updated products in a cost-effective manner.
But dependence on cloud vendors is potentially more dangerous than dependence on conventional ones, because cloud companies are often unwilling to contractually assume risk for data that is lost or stolen on their watch, according to the Infosec Island security blog.
Cloud providers argue that because they host resources shared by a large number of customers, one data breach can endanger the data of all customers, and if they as providers accept liability, one instance of cyber crime could easily put them out of business. Essentially, vendors in the cloud maintain that the benefits inherent in the system necessitate that the beneficiaries take on the risks.
Recourse against bad vendors not so easy
Virtually every company depends on vendors of some sort for services that it cannot perform on its own. But as a decision maker for your firm, you must be aware that you are responsible for data you turn over to third-party vendors. Even if you have a contract that offers you recourse, you will still have to defend your company’s image in the court of public opinion.
Furthermore, getting a successful resolution in a data breach dispute with a vendor is neither quick nor certain. MasterCard and Visa can sue Global Payments, for instance, but litigation will take years to complete, and the outcome is not guaranteed to favor MasterCard and Visa.
Stanford has accused its vendor of violating their contract and the law. But the damage is done to Stanford’s public image, regardless of where a court ultimately places legal blame. And Stanford has already incurred large costs, including those of patient notification and litigation.
Business insurance needs to be part of your risk mitigation plan
In light of the unnerving prospect that your data falls victim to cyber crime while on a vendor’s watch, there is some good news to be had. Internet insurance (also known as cyber liability insurance) can cover a wide range of first- and third-party risks. This kind of business insurance is a good low-cost solution to problems that cannot be completely resolved contractually.
Many owners and managers believe they are already covered for cyber risks. But commonplace commercial general liability (CGL) policies rarely protect against data theft, hacking, or other electronic crimes, so a policy specifically protecting against cyber liability is necessary.