The Cyber Insurance Academy was thrilled to host Stuart Panensky from FisherBroyles for a recent masterclass discussing third-party cyber risks and ways to mitigate them. Stuart explained the cyber risks associated with third-party access to policyholder data, the best practices to mitigate those risks, how to identify risks in the policyholder’s upstream and downstream supply chain, and how to apply legal and regulatory requirements.
Business has become increasingly connected over the years, with many companies relying heavily on third-party vendors for support. This widespread use of third parties increases access to policyholder data in both the upstream and downstream supply chains.
Upstream risk is when someone else’s event affects your policyholder, such as an incident at the policyholder’s vendor, their supplier, and so on. Conversely, downstream risk is when your policyholder’s event affects someone else.
Assessing Third-Party Cyber Risks
It is important to assess the third-party cyber security risk for an insured’s third-party vendors, both as a broker and as an underwriter. For a broker, one of the easiest ways to do this is by getting the risk assessment formally written down; it may seem tedious, but it is cost-efficient and necessary. “Having a record of what the third party’s operations are doing with respect to its cyber security is a huge way to mitigate risks associated with third parties,” explains Stuart. Asking the simple and seemingly obvious questions allows brokers to ascertain, very quickly, whether this third-party vendor is reliable when it comes to privacy and security.
Another easy way to assess a third-party vendor’s cybersecurity is by asking for proof of cyber insurance. Brokers should encourage their clients to ask third-party vendors for a copy of the deck page. Furthermore, monitor the insured’s vendors on an ongoing basis to ensure they are complying with the policies that were set forth in their policy statements. Brokers can even negotiate a provision that allows them to revisit certain cybersecurity issues each year to make sure they are being properly contained and monitored.
Monitoring Third-Party Cyber Risks and Data Privacy Standards
Working with vendors comes with a fair share of third-party cyber security risks and it is important to ensure compliance when it comes to security and data privacy. There are both upstream and downstream third-party cyber security risks that need to be properly monitored.
Monitoring Third-Party Upstream Risk
After brokers have gotten their insured’s third-party vendors to agree to maintain certain standards, they must begin monitoring them for compliance. Upstream risk is particularly relevant for brokers giving their clients advice on potential risks, or for underwriters looking to make predictions based on an application. Stuart shared a saying: “What is inspected is expected.” In terms of monitoring compliance, “audits are the tried and true way of making sure that there’s compliance, especially those done by qualified third parties.” Additionally, review vendor reports. If the vendors claim to be producing monthly reports, operations reports, or some other I.T. report, brokers should ask to see them or to have access to the system. Another tip is to monitor an insured’s third-party vendor on social media and set up an alert for every time their name comes up online. This is a low-cost way to monitor vendors, but most importantly, brokers should encourage their insureds to communicate. Insureds need to pick up the phone and maintain a strong personal relationship with their vendors, getting to know the I.T. people.
Monitoring Third-Party Downstream Risk
Downstream third parties, such as consumers, have access to policyholder data, and this creates a strange dynamic wherein there is a reverse risk. If the downstream consumer is hacked or suffers a cyberattack, it becomes possible that the policyholder can face the same cyberattack. A way to monitor this risk is through education. Insureds should create an open dialogue with downstream consumers, discussing potential cyber risks and conducting security awareness training. Vulnerability awareness programs can be beneficial in training users to identify potential cyber risks.
Working with Vendors to Investigate and Resolve Third-Party Cyber Risks
When there is a third-party cyber security incident, it is important to work with third-party vendors to investigate and resolve the incident efficiently. In upstream incidents, establishing a clear and strong communication channel ensures that the policyholder can ascertain its compliance obligations and share information in order to help with the incident response. Additionally, Stuart shares that he needs to “work with those affected clients’ I.T. to set up different roles and responsibilities for example, the collection of forensic data… [and] maybe there should be some sort of information sharing that might require a non-disclosure agreement [or] there might be some other negotiations that need to happen.” For downstream incidents, to save time and resources, town hall meetings or webinars are conducted with a walk-through of the cyber incident and the incident response, along with allocating liability.
In conclusion, third-party vendors are unavoidable in today’s world, but there are ways to identify cyber risks with both upstream and downstream vendors and mitigate those risks. Additionally, if an incident does occur, it is important to work with third-party vendors to resolve any cybersecurity incidents.