- Number of slides: 33
Best Practices for Vendor Management and Cybersecurity
GC's Role in Mitigating Cyber Risk for Third Parties
Governance
1. Accountability of Executive Leadership, Board, Officers & Employees
   i. Education
   ii. Risk Tolerance
2. BOD's Fiduciary Responsibility
3. Employees and Training
Governance – Education: Common Myths About Cyber Security
• Hackers are tech geniuses
• It's an IT issue
• Policies are enough / one size fits all
• Only the big banks are targeted
• It's all about personal information
• 100% security is possible
Governance – Education: What Information?
• Tax returns and W-2 forms
• Driver licenses and other IDs
• Pay stubs
• Confidential credit-report information
• Recent bills
• Banking statements
Securing the Transmission
Governance – Education: Types of Attacks: What Information is Transmitted and How

| Type of Attack | What It Is | How It Works | How to Prevent It |
|---|---|---|---|
| Malware | Trojans, viruses, worms | Email attachments, software downloads or operating system vulnerabilities | Avoid clicking on links or downloading attachments from unknown senders |
| "Malvertising" | Malware acquired by clicking an advertisement | Attackers upload infected display ads to different sites using an ad network | Don't click on ads |
| Phishing | Request for data by an illegitimate third party | Sent via email asking users to click a link and enter their personal data | Verify any information requests that arrive via email over the phone; if the email itself has a phone number, don't call it |
| Brute Force / Password Attacks | Guess your password | Programs that guess passwords, or guessing based on information | Set long, incomprehensible, alphanumeric passwords |
| Man-in-the-Middle | Impersonates endpoints in an online information exchange | Gains access through a non-encrypted wireless access point (i.e. no WEP, WPA, WPA2) | Only use encrypted wireless access points; make sure the URL is "https" |
| DoS / DDoS | Attempt to make a machine or network resource unavailable to its intended users | Overload the server with traffic | Cannot prevent; monitor data flow |
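The phishing and man-in-the-middle rows above both come down to the same user-side checks: is the link really going where it claims, and is it going there over HTTPS? The following is an added example (not from the deck) of how a mail gateway or help desk could automate those checks before a message reaches an employee. The HTML body, the trusted-host list and the hostnames are all constructed for illustration.

```python
"""Flag risky links in an incoming HTML e-mail (added example, constructed data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a suspicious message (not a real e-mail).
SAMPLE_EMAIL_HTML = """
<p>Your account needs verification. Click
<a href="http://198.51.100.23/login">https://www.examplebank.com/secure</a>
or <a href="https://examplebank.com.verify-now.example/reset">here</a>.
Statements: <a href="https://www.examplebank.com/statements">View statements</a>
</p>
"""

# Hostnames the organisation legitimately links to (constructed allowlist).
TRUSTED_HOSTS = {"www.examplebank.com", "examplebank.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def _in_trusted_domain(host):
    # Exact match or a subdomain of a trusted host; "bank.com.evil.example" does not match.
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def analyse_links(html):
    """Return one finding per link: href, visible text and a list of reasons (empty = no concern)."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = _host_of(href)
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("IP address instead of hostname")
        # Visible text that looks like a URL but points somewhere other than the href.
        if text.startswith(("http://", "https://")) and _host_of(text) != host:
            reasons.append("displayed URL does not match link target")
        if not _in_trusted_domain(host):
            reasons.append("host not in trusted list")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        status = "OK " if not f["reasons"] else "RISK"
        print(status, f["href"], "|", "; ".join(f["reasons"]))
```

The second link shows why suffix matching matters: `examplebank.com.verify-now.example` contains the bank's name but is a different registered domain, so the trusted-domain check must compare whole labels rather than look for a substring.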
Governance – Risk Tolerance: Overall Understanding about Quantifying the Value of Cyber Plans
1. Banks spend millions on Brink's trucks to secure physical assets, but a fraction of that to secure digital assets.
2. Quantifying the costs of a data breach is essential for convincing the C-suite of the need for cybersecurity.
Governance – Board's Fiduciary Responsibility
In re Caremark, Stone v. Ritter, and their progeny establish the Board's duty to be informed and to have adequate monitoring, reporting, or information controls in place. Absence of cyber-security monitoring could expose a Board to liability. These cases were used to formulate arguments in the shareholder derivative lawsuit against Target. While the shareholders lost, the suit created substantial legal costs.
Governance – Employees and Training
Roughly half of security incidents are caused by disgruntled or disillusioned employees. Internal actors were responsible for 43% of data breaches.
Prevention:
1. Provide adequate mental, physical, financial, and spiritual support to employees.
2. Watch data during the time of an employee's departure.
3. Close employee accounts after they leave.
4. Require routine password changes.
5. Invest in data loss prevention software that will alert on data exfiltration, such as downloading to certain types of media (e.g. flash drive, personal devices, FTP server, etc.). Be sure to alert employees of this software.
6. (Gently) let employees know that Big Brother is watching.
7. Prevent emailing of documents and installation of USB media.
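Items 2 and 5 above describe a detection rule, not just a product purchase: alert on transfers to removable media or outside services, and raise the priority when the user is in a departure window. The block below is an added example of that logic (it is not the deck's or any DLP vendor's code); the event records, the HR departure feed, the 100 MB threshold and the 30-day window are all constructed assumptions.

```python
"""DLP-style alerting on constructed endpoint events (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed endpoint event records (not real logs): who, what, destination type, bytes moved.
EVENTS = [
    {"when": "2024-03-04", "user": "jsmith", "action": "copy",   "dest": "usb",           "bytes": 1_200_000_000, "path": "Q1_client_list.xlsx"},
    {"when": "2024-03-04", "user": "akhan",  "action": "copy",   "dest": "usb",           "bytes": 5_000_000,     "path": "slides.pptx"},
    {"when": "2024-03-05", "user": "jsmith", "action": "upload", "dest": "ftp",           "bytes": 300_000_000,   "path": "loan_files.zip"},
    {"when": "2024-03-05", "user": "mlee",   "action": "upload", "dest": "webmail",       "bytes": 50_000,        "path": "lunch_menu.pdf"},
    {"when": "2024-03-06", "user": "mlee",   "action": "copy",   "dest": "network_share", "bytes": 50_000_000,    "path": "backup.tar"},
]

# Constructed HR feed: user -> announced last working day (slide item 2, "time of employee departure").
DEPARTING = {"jsmith": "2024-03-15"}

# Destinations the slide calls out (flash drive, FTP, personal devices) plus webmail/personal cloud.
RISKY_DESTINATIONS = {"usb", "ftp", "webmail", "personal_cloud"}
LARGE_TRANSFER_BYTES = 100_000_000   # 100 MB threshold (assumption)
DEPARTURE_WINDOW_DAYS = 30           # watch departing staff this long before their last day (assumption)


@dataclass
class Alert:
    user: str
    severity: str
    reason: str
    path: str


def _within_departure_window(user, when):
    last_day = DEPARTING.get(user)
    if not last_day:
        return False
    days_left = (date.fromisoformat(last_day) - date.fromisoformat(when)).days
    return 0 <= days_left <= DEPARTURE_WINDOW_DAYS


def evaluate(events):
    """Return an Alert for each event that matches a risky destination or a large transfer."""
    alerts = []
    for ev in events:
        reasons = []
        if ev["dest"] in RISKY_DESTINATIONS:
            reasons.append(f"transfer to {ev['dest']}")
        if ev["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large transfer")
        if not reasons:
            continue                                   # ordinary activity, no alert
        severity = "medium" if len(reasons) == 1 else "high"
        if _within_departure_window(ev["user"], ev["when"]):
            severity = "high"                          # departing users get top priority
            reasons.append("user is within departure window")
        alerts.append(Alert(ev["user"], severity, "; ".join(reasons), ev["path"]))
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity.upper():6}] {a.user}: {a.path} ({a.reason})")
```

Because the HR feed is joined in at evaluation time, the same 5 MB copy to a flash drive is a medium alert for one user and a high alert for someone in their notice period, which is the prioritisation the slide is asking for.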
Internal Partnerships
1. Legal to Partner with Business Units & IT
2. Laws and Statutory Notification upon Vendor Breach
3. Vendor Notification
4. Incident Response Preparedness and Team
Internal Partnerships – Legal to Partner with Business Units & IT
1. Selection of Vendor
2. Confirm Network Security
3. Confirm Vendor Penetration Testing
4. Being Prepared – Checklist
Internal Partnerships – Legal to Partner with Business Units & IT: Selection of Vendor
1. Review of systems and security
2. Does the Vendor have the capital to implement proper security?
3. Does the Vendor's Board and Leadership consider cyber security a top consideration?
4. Continuous auditing
5. Right to notification, investigation and audit upon breach
6. All of this to be added into the contract at commencement of onboarding
7. Include R&W as to data, system and product integrity
8. Review vendor policies and procedures
Internal Partnerships – Legal to Partner with Business Units & IT: Confirm Network Security
1. Firewalls
2. Internal Network Zones
3. Network Monitoring
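When legal asks IT to "confirm network security", the concrete evidence is a zone map, the firewall rules between zones, and monitoring that flags traffic the rules do not permit. The following added example (not from the deck) shows the three items together: constructed zones, a constructed allow list for the vendor-access path, and a check that reports observed flows crossing zones without a rule. All addresses, zone names and ports are assumptions.

```python
"""Check observed flows against an inter-zone policy (added example, constructed data)."""
import ipaddress

# Constructed zone map: zone name -> CIDR ranges. Most specific zones are listed first so
# that the catch-all "internet" range only matches addresses no other zone claims.
ZONES = [
    ("data",          ["10.30.0.0/24"]),
    ("vendor_access", ["10.20.0.0/24"]),
    ("corp_users",    ["10.10.0.0/16"]),
    ("dmz",           ["203.0.113.0/24"]),
    ("internet",      ["0.0.0.0/0"]),
]

# Constructed firewall policy: (source zone, destination zone, destination port) that is allowed.
# Note there is deliberately no rule from vendor_access straight into the data zone.
ALLOWED = {
    ("internet",      "dmz",  443),
    ("dmz",           "data", 5432),
    ("corp_users",    "dmz",  443),
    ("corp_users",    "data", 5432),
    ("vendor_access", "dmz",  443),
}

# Constructed flow records from a monitoring feed: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443),    # internet -> dmz web front end: allowed
    ("10.20.0.5",    "10.30.0.8",    5432),   # vendor host -> database directly: not allowed
    ("10.20.0.5",    "203.0.113.10", 443),    # vendor host -> dmz: allowed
    ("10.10.4.2",    "10.30.0.8",    22),     # corp user SSH into data zone: not allowed
    ("10.30.0.8",    "198.51.100.99", 443),   # data zone talking out to the internet: not allowed
]


def zone_of(ip):
    """Map an IP address to the first zone whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in ZONES:
        if any(addr in ipaddress.ip_network(cidr) for cidr in ranges):
            return name
    return "unknown"


def check_flows(flows):
    """Return the cross-zone flows that have no matching allow rule."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue                    # intra-zone traffic is outside this policy
        if (src_zone, dst_zone, port) not in ALLOWED:
            violations.append({"src": src, "dst": dst, "port": port,
                               "from": src_zone, "to": dst_zone})
    return violations


if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['from']} -> {v['to']} tcp/{v['port']}: {v['src']} -> {v['dst']}")
```

Running the same check over a vendor's exported firewall rules and a day of flow logs is a practical way to test the "internal network zones" claim rather than accept it on paper.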
Internal Partnerships – Legal to Partner with Business Units & IT: Confirm Vendor Penetration Testing
1. Hire a company to try hacking into and accessing data.
2. Should be done annually; large banks do it quarterly.
3. Include contractual language to permit it.
Internal Partnerships – Legal to Partner with Business Units & IT: Preparedness – Checklist
Internal Partnerships – Laws and Statutory Notification upon Vendor Breach
STATE
• 47 different jurisdictions + D.C., Guam, and Puerto Rico
  o Requirements vary
FEDERAL
• Federal Trade Commission (FTC)
• Gramm-Leach-Bliley (GLB) Act
• Consumer Financial Protection Bureau (CFPB)
• Federal Financial Institutions Examination Council (FFIEC)
• State Attorneys General
Internal Partnerships – Vendor Notification
Contact the vendor to inquire what parties were affected by the breach (i.e., clients, employees or other related parties). Determine if the vendor is sending notifications to affected parties or whether the company needs to take affirmative steps. If the company needs to take affirmative steps, it must:
Internal Partnerships – Incident Response Plan Timeline
1. Hire Attorney and/or Forensic Specialist
2. Involve Law Enforcement (if necessary)
3. Assess Damage & Harm
4. Assess Contractual Obligations
5. Determine Required Notice – Customers; Regulators
6. Prepare Notification Letters
7. Determine Security Changes and "Fix" for the Breach
8. Manage Public Relations
9. Client Relationships and Customer Conversations
Technology – Helm of IT – Legal to Understand
Identify:
1. Data Loss Prevention – Software
2. Using Group Policy to Limit Storage
3. URL Filtering, Precautionary Tools, and Limiting Storage Devices
Technology – URL Filtering, Precautionary Tools, & Limiting Storage Devices
• Limit access to any website on which the employee could post information
• Inform employees of the reason for data filtering
• Wipe hard disks after employees leave
• Encrypt internal communication
• Disable USB storage devices, CD-ROMs, floppy disks and LS-120 drives on computers to stop employees from taking company data
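The first two bullets above pair a control with an explanation: block the categories of site where information can be posted, and tell the employee why. This added example (not from the deck or any filtering product) shows the decision logic a URL filter applies per request, including a business-approved exception for the corporate file-sharing tenant. The category map, hostnames and allowlist are constructed; a real deployment would take categories from a vendor feed.

```python
"""URL filtering decision for upload-capable sites (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed category list: host suffix -> category.
CATEGORIES = {
    "pastebin.example": "paste_site",
    "drive.example":    "file_sharing",
    "mail.example":     "webmail",
    "social.example":   "social_media",
    "bank.example":     "finance",
    "news.example":     "news",
}

# Categories where an employee could post company information (slide bullet 1).
POSTING_CATEGORIES = {"paste_site", "file_sharing", "webmail", "social_media"}

# Hosts approved by the business despite their category, e.g. the corporate tenant (constructed).
ALLOWLIST = {"corp.drive.example"}

# The reason shown to the user on the block page (slide bullet 2).
BLOCK_REASON = ("Blocked by the data-handling policy: this site allows posting company "
                "information. Contact IT to request a business exception.")


def categorise(host):
    """Return the category for a host, matching the host itself or any subdomain of a listed suffix."""
    host = host.lower()
    for suffix, category in CATEGORIES.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "uncategorised"


def decide(url):
    """Return the filter decision for one request: action, category and user-facing reason."""
    host = (urlparse(url).hostname or "").lower()
    category = categorise(host)
    if host in ALLOWLIST:
        return {"url": url, "action": "allow", "category": category, "reason": "business exception"}
    if category in POSTING_CATEGORIES:
        return {"url": url, "action": "block", "category": category, "reason": BLOCK_REASON}
    return {"url": url, "action": "allow", "category": category, "reason": ""}


def decide_all(urls):
    """Evaluate a batch of requests (e.g. a proxy log replay) and return the decisions."""
    return [decide(u) for u in urls]


if __name__ == "__main__":
    sample = [
        "https://pastebin.example/new",
        "https://files.drive.example/upload",
        "https://corp.drive.example/upload",
        "https://www.news.example/markets",
        "https://unknown-site.example/",
    ]
    for d in decide_all(sample):
        print(f"{d['action']:5} {d['category']:14} {d['url']}")
```

Keeping the allowlist keyed on the exact host, while categories match by suffix, means the exception covers only the corporate tenant and not every subdomain of the same file-sharing service.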
Due Diligence – Rights with Regard to Vendors
1. Vendor Background
   • BBB ratings
   • Reference checks
   • Regulatory complaints
2. Onboarding
   • 360-degree view
   • Automate relevant data
   • Audit yearly, semi-annually or periodically
3. Using NIST Cybersecurity Framework / SSAE 16
   • National Institute of Standards and Technology ("NIST") framework
   • Provides a common roadmap for companies
Contractual Provisions for Vendor Oversight
I. Indemnification for Security Incidents
Company shall fully indemnify, hold harmless and defend (collectively "indemnify" and "indemnification") ABC and its directors, officers, employees, agents, stockholders and Affiliates (collectively, "Indemnified Parties") from and against all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, costs and expenses (including but not limited to reasonable attorney's fees and costs), whether or not involving a third party claim, which arise out of or relate to (1) any breach of any representation or warranty of Company contained in this Agreement, (2) any breach or violation of any covenant or other obligation or duty of Company under this Agreement or under applicable law, (3) (4) (5)] [other enumerated categories of claims and losses], in each case whether or not caused by the negligence of ABC or any other Indemnified Party and whether or not the relevant Claim has merit.
Contractual Provisions for Vendor Oversight
II. Insurance Provisions
1. Maintain cyber risk liability coverage that includes coverage for malware, malvertising, phishing, brute force, and DoS attacks
2. Consult insurance professionals to assess the exact coverage needs of the company
Insurance Sample Clause: Vendor shall purchase and maintain at all times, during the term of the Contract, a professional liability insurance policy and a cyber liability insurance policy with coverage limits of at least $10,000. In some instances, Vendor may be required to provide a cyber liability insurance policy with higher coverage limits.
Contractual Provisions for Vendor Oversight
III. SaaS/Cloud-Specific Language as to Access to Data (Part 1)
During the normal operation of the Services, [Vendor] will collect and store on its systems solely and physically located in the United States certain information and data provided, created, or collected by the [Customer] ("Customer Data"). Solely during the Term, [Customer] authorizes [Vendor] to store [Customer] Data on its secure internal systems and to use and transmit [Customer] Data solely for the purpose of providing the Services, including backup and disaster recovery, to [Customer] in accordance with this Agreement.
Contractual Provisions for Vendor Oversight
III. SaaS/Cloud-Specific Language as to Access to Data (Part 2)
[Vendor] will not resell or share any [Customer] Data with a third party or [non-Vendor] employee, whether during or after the Term of this Agreement. During the course of performance under this Agreement, [Vendor] will use, at a minimum, industry standard, up-to-date encryption of all [Customer] Data transmitted over public and private networks, including, but not limited to, any networks outside of [Vendor's] secure production environment and the Internet, and back-up records residing at off-site storage facilities. [Vendor] warrants that Customer Data is protected as commercially reasonably as possible against loss and/or damage.
Contractual Provisions for Vendor Oversight
IV. Background Screening
Supplier shall, at its expense, conduct or cause to be conducted by a person or organization reasonably approved by Company, in compliance with all applicable Laws, the following background screenings on each individual performing the Services: (i) a credit check; (ii) a criminal background check in all counties in which the candidate has lived for the past seven (7) years; (iii) a National Criminal Database search; (iv) a Sex Offender Registry search; (v) an education check of highest degree obtained; (vi) an OFAC search; and (vii) a social security number verification. For those individuals who are (1) assigned full-time to the provision of Services to Company, (2) have unescorted badge access to Company's property, or …(3) who require rights to access the secured or restricted areas of the information technology environment of Company that require Company to issue a user name and password or similar credentials to such individual, Supplier shall ensure that the required background screening is conducted within twelve (12) months prior to assigning such individual to perform Services under the Agreement. Supplier shall not, and shall cause the Supplier Agents not to, assign any individual to perform the Services who fails to pass such screening, and Supplier shall notify Company immediately if any individual performing Services for Company does not pass a background screening or commits an act or otherwise becomes involved in circumstances that would cause the individual to later not pass a background screening. Supplier represents and warrants that all individuals performing Services were screened by Supplier at the time of hire and successfully completed all training required by Supplier, and Supplier has no knowledge of any activity that would raise a 'flag' on or otherwise cause a non-passing or non-clean result in the background screenings for such individuals.
Contractual Provisions for Vendor Oversight
V. Audit Rights (Forensic Expert Control) (1 of 3)
• At onset, include R&W as to data, system and product integrity
• Right to audit, data ownership provisions, incident response procedures, and data security measures
  – Audit: SSAE 16 / SOC 2 Type 2 audit, which reports on the design and effectiveness of trust service principles like security, confidentiality, and availability
  – Supplier shall conduct regular self-testing and independent audits to ensure compliance by Supplier and Supplier Agents with this Agreement and all applicable Laws, including all confidentiality, nondisclosure, security, disaster recovery, contingency planning, and other obligations applicable to Supplier and Supplier Agents, and provide the results to Company for review
Contractual Provisions for Vendor Oversight
V. Audit Rights (Forensic Expert Control) (2 of 3)
Commencing on the Effective Date, Supplier shall, at its sole cost and expense, engage a nationally-recognized accounting firm to conduct an annual end-to-end SOC 2 Type 2 audit ("SOC 2") of the security, availability, confidentiality, and privacy-related controls of the information processing and management systems (including procedures, people, software, data, and infrastructure) used by Supplier and Supplier Agents in the provision of the Services and the storing, accessing, and processing of Company Data received by Supplier under the Agreement. Supplier shall provide a copy of the resulting report to Company as soon as reasonably practicable following Supplier's receipt of the report (and within thirty (30) business days of Company's request) (the "SOC 2 Report"). The SOC 2 Report shall be prepared in accordance with attestation standards established by the American Institute of Certified Public Accountants.
Contractual Provisions for Vendor Oversight
V. Audit Rights (Forensic Expert Control) (3 of 3)
The SOC 2 Report must be comprehensive and cover all Services provided to Company or any of the Service Recipients during the period specified in the SOC 2 Report ("Period"). Supplier shall review and notify Company of any significant weakness, deficiency, exception and objective not met, or any qualified opinions. If the SOC 2 Report is qualified or reveals any weaknesses or deficiencies, Supplier shall submit, in addition to the SOC 2 Report, a corrective action plan describing actions Supplier will implement to correct the weaknesses or deficiencies or the situation that caused the auditor to issue a qualified SOC 2 Report, a timetable for promptly implementing the planned corrective actions, and a process for monitoring compliance with the timetable. Supplier shall promptly correct any weaknesses or deficiencies in accordance with such corrective action plan.
Contractual Provisions for Vendor Oversight
VI. Penetration Testing
Supplier grants Company the right, either directly or through a third party, to conduct penetration testing on the Solution and the Systems used to deliver the Solution and host the Company Data. Any vulnerabilities, weaknesses and deficiencies will be promptly corrected by Supplier at its sole cost (and before the Solution launches into live production if discovered prior thereto). Supplier will conduct quarterly internal and external vulnerability scans of the Solution to ensure the Solution and Systems used to deliver the Solution and host the Company Data stay secure over time. In addition, Supplier will provide Company with notice of any vulnerabilities, weaknesses and deficiencies identified by such scans, and Supplier will either itself correct or, with the applicable hosting provider, promptly resolve vulnerabilities, weaknesses and deficiencies found in such scans. Company should be notified if any vulnerabilities, weaknesses and deficiencies cannot be resolved within thirty (30) days from the date of discovery of such vulnerability.
Contractual Provisions for Vendor Oversight
VII. Notification – Option 1
If Vendor, or its Subcontractor, suspects, discovers or is notified of a data security incident or potential breach of security and/or privacy relating to Personal Information, Vendor shall immediately, but in no event later than forty-eight (48) hours from suspicion, discovery or notification of the incident or potential breach, notify Company of such incident or potential breach. Vendor shall, upon Company's request, investigate such incident or potential breach, inform Company of the results of any such investigation, and assist Buyer in maintaining the confidentiality of such information. In addition to the foregoing, Vendor shall provide Company with any assistance necessary to comply with any federal, state and/or provincial laws requiring the provision of notice of any privacy incident or security breach with respect to any Personal Information to the affected or impacted individuals and/or organizations, in addition to any notification to applicable federal, state and provincial agencies. Vendor shall reimburse Company for all expenses, costs, attorneys' fees, and resulting fines, penalties, and damages associated with such notification if due to Vendor's, or its Subcontractor's, negligence, unauthorized use or disclosure of Personal Information, or breach of its obligations under the Contract.
Contractual Provisions for Vendor Oversight
VII. Notification – Option 2
(a) Service Provider shall: (i) provide Customer with the name and contact information for an employee of Service Provider who shall serve as Customer's primary security contact and shall be available to assist Customer twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations associated with a Security Breach; (ii) notify Customer of a Security Breach as soon as practicable, but no later than [twenty-four (24)] hours after Service Provider becomes aware of it; and (iii) notify Customer of any Security Breaches by [telephone at the following number: [TELEPHONE NUMBER] / e-mailing Customer with a read receipt at [E-MAIL ADDRESSES]] and with a copy by e-mail to Service Provider's primary business contact within Customer.
(b) Immediately following Service Provider's notification to Customer of a Security Breach, the parties shall coordinate with each other to investigate the Security Breach. Service Provider agrees to [fully/reasonably] cooperate with Customer's handling of the matter, including, without limitation: (i) assisting with any investigation; (ii) providing Customer with physical access to the facilities and operations affected; (iii) facilitating interviews with Service Provider's employees and others involved in the matter; and (iv) making available all relevant records, logs, files, data reporting and other materials required to comply with applicable law, regulation, industry standards or as otherwise [reasonably] required by Customer.
Contractual Provisions for Vendor Oversight
VIII. Root Cause Analysis
Each time there occurs a failure to provide any Services due to system outages or interruptions, the parties shall each promptly use commercially reasonable efforts to: (a) conduct a root cause analysis of the failure and prepare a written report identifying and describing in reasonable detail such root cause(s), (b) discuss the root cause(s) of the failure and each party's position with regard to such root cause(s), (c) correct the problem and begin providing the impacted Services as soon as…
While Not a Contractual Provision: Data Destruction
Obtain a certificate from the vendor if data on their system needs to be erased as part of the remediation:
"I hereby state that the data erasure has been carried out in accordance with instructions given by the Company."
__________ Data Erasure Executive