
How to Ensure Your Vendors Comply With Cybersecurity Expectations


Vendor cybersecurity compliance continues to be a top priority for many organizations within their vendor risk management (VRM) programs. Notable events, like the MOVEit breach, have brought more awareness to the widespread impact of vendor cybersecurity incidents and the importance of validating a vendor’s cybersecurity preparedness.

Verifying your vendors are complying with cybersecurity regulations and your organization’s standards is an ongoing effort, yet necessary to help protect against vendor incidents like data breaches and ransomware attacks. This blog will provide some tips and considerations to validate your vendor’s cybersecurity compliance. You’ll also learn how to evaluate a vendor’s preparedness to identify threats, protect its infrastructure, and recover from an incident.

2 Critical Steps to Ensuring Vendor Cybersecurity Compliance

Step 1: Evaluate the cybersecurity regulation landscape

The first step in ensuring your vendor is adequately complying with cybersecurity regulations is to understand the landscape itself. The main question to ask is, “How can we confirm our vendor is complying with current cybersecurity regulations?” It’s not enough to simply ask vendors once a year if they’re compliant without following through with verification. This offers little assurance that your vendor has identified and understands specific regulations, which can vary depending on location and industry.

The key to ensuring that both your organization and its vendors are compliant is to identify and understand industry-specific rules and standards.

Let’s take a look at a few examples:

  • Healthcare: The healthcare industry must comply with the Health Insurance Portability and Accountability Act (HIPAA). This requires healthcare organizations and their business associates to ensure the confidentiality, integrity, and availability of protected health information (PHI).
  • Cards/payment processing: Vendors that perform payment processing on your behalf will need to comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS outlines security requirements to protect cardholder data, including maintaining secure networks, implementing strong access controls, and regularly testing security systems.
  • Financial institutions: Financial institutions in the U.S. are required to comply with the Gramm-Leach-Bliley Act (GLBA) and with Financial Industry Regulatory Authority (FINRA) rules, which require U.S. broker-dealers to have written data protection policies to protect consumer data and outline rules for detecting and managing potential cyber threats.
  • Region specific: Organizations that have international business relationships with other individuals or organizations within the European Union must consider compliance with the EU General Data Protection Regulation (GDPR), which addresses areas like citizens’ rights to data privacy and data breach notification time frames. The EU’s Digital Operational Resilience Act (DORA) focuses on cybersecurity standards within information and communication technology (ICT), and there continues to be a growing list of U.S. states that have implemented their own privacy laws. Data breach notification laws also vary by state, and certain agencies like the New York State Department of Financial Services (NYDFS) have enacted industry-specific cybersecurity regulations.

When evaluating your vendors’ cybersecurity processes, you’ll need to consider the true cost of incomplete or poor compliance standards. If the vendor’s processes aren’t up to par, how could that impact your organization? When (not if) a cyber event occurs, consider the financial and labor costs needed to recover from a damaged reputation, lawsuits, and lost customers.

To properly ensure the vendor has processes in place to secure data, your organization should also understand what types of data are subject to compliance. Some of the major types of data regulated include:

  • Personally identifiable information (PII): This includes information such as first and last name, date of birth, and Social Security number.
  • Protected health information (PHI): PHI may include medical history, admission and/or prescription records, as well as data around insurance or appointments.
  • Financial data: Social Security numbers, credit and debit card numbers, as well as credit history and ratings are among protected financial data.
  • Miscellaneous data: Additional sensitive information may include race, marital status, religion, email addresses and/or passwords, and IP addresses and biometrics.

Once you have an understanding of what your vendor is responsible for from a regulatory perspective, and you’ve confirmed they treat cybersecurity compliance as a priority from a program perspective, you’re ready to evaluate their preparedness.


Step 2: Determine the vendor’s cybersecurity preparedness

A core principle of cybersecurity is to acknowledge that incidents aren’t fully avoidable. Many cybersecurity regulations and standards are developed with the assumption that incidents will occur, so organizations and their vendors should be prepared to respond and recover.

Here are 3 key activities to perform that help ensure your vendors are prepared and compliant with these cybersecurity expectations:

  • Identify inherent risks: Your organization should clearly understand the cybersecurity and compliance risks vendors may pose to your organization. An inherent risk assessment is a solid methodology for identifying the inherent cyber risk a vendor presents. This assessment is completed internally by the vendor owner or manager and should evaluate the vendor’s products and services, the technologies they use, and the connection types. It’s also important to understand what type of data your vendors have access to, and which cybersecurity regulations you and your vendor must comply with.
  • Evaluate the vendor’s cybersecurity practices: During initial and periodic due diligence, you’ll need to evaluate a vendor’s cybersecurity practices for proof of compliance. This includes reviewing various information and documents, such as the vendor’s security testing results, cybersecurity insurance policies, and practices around employee, contractor, and vendor management. Data security practices should also be reviewed, such as the vendor’s encryption standards, data retention and destruction policies, and data classification and privacy policies. Reviewing the vendor’s incident detection controls and response plan will also give insight into how the vendor will identify threats and respond to and recover from an incident.
  • Confirm the vendor has adequate cybersecurity controls: Once your organization has a solid understanding of the vendor’s inherent risk and cybersecurity practices, the vendor may need to implement additional controls.
    For example, suppose your vendor performs social engineering testing, but the results show that only 70% of its employees have completed it. An additional control from the vendor for cybersecurity compliance may be an updated security policy that states the consequences for employees who fail to complete security testing on time.

    It’s important to understand whether or not your vendor is conducting a regular third-party audit of its controls to verify that it has the proper people, processes, and technology in place to sufficiently protect your data.

Third-party cybersecurity incidents can have significant impacts on an organization’s operational resilience and financial well-being. Ensuring your vendors comply with cybersecurity expectations and are prepared to address threats is an important step in protecting your organization from the severity of these impacts.
