Risk managers urged to increase oversight of cyber supply chain risk

Managing vendors and third-party contractors is a critical part of data security and regulatory compliance, experts say. Data owners must manage contractors to the same standard as their own operations, and they should adopt an organised framework to enable such control, they said during sessions and interviews at the Professional Liability Underwriting Society’s Cyber Symposium in New York last week. “Even if you’ve outsourced the processing, consumption, analysis, storage or deletion of any data, it is still ultimately your customer and your liability or exposure,” said David Shluger, head of cyber risk advisory for Axis Capital Holdings, during a panel discussion at the conference. “If you are the data owner, you are ultimately responsible and accountable for protecting that data, even if the data is in the custody of a third party,” agreed Ken Morrison, assistant vice-president for cyber risk management at Travelers. Among the cyber-related advice USI Insurance Services provides to its clients, third-party risk management, or TPRM, is “front and centre”, said Nadia Hoyte, national cyber practice leader at the brokerage. “That’s something that clients definitely need to be focused around,” Hoyte said, adding that such exposures are leading to cyber liability insurance claims. Michelle Chia, chief underwriting officer, cyber, for AXA XL, noted that non-core operations are increasingly being outsourced to vendors. “In the cyber world, we refer to outsourced vendor risk as cyber supply chain risk, which has the potential to create the next cyber tsunami if not properly managed,” she said. An organisation’s compliance with privacy rights will only be as strong as that of any party that has access to its systems or is processing its data, said Kevin E Dolan, partner and co-chair, advisory compliance practice, for Mullen Coughlin. “It’s really critical to make sure to employ the very same level of diligence with respect to any third party that’s accessing or processing the data on the same level as within your organisation,” Dolan said. “Companies must evaluate vendors and M&A targets’ cyber resilience at the same level as their internal cyber controls,” Chia agreed. Documenting such standards as part of a contract should also be part of an organisation’s due diligence, Dolan said. “This can be done with contracts that explicitly articulate responsibilities, service levels and the right to audit,” Morrison said. Organisations should establish policies and procedures that govern such relationships across their entire operations, said Shluger of Axis. Having an organised framework that sets out the specific goals for regulatory compliance can help an organisation avoid missteps, said R S Richard, chief of cybersecurity at the Cybersecurity and Infrastructure Security Agency in New York, during the conference. “Third-party risk management is not difficult in theory, but it might be difficult in practice. A company should begin by identifying all third parties that it engages with, or those who would have access to data and systems or provide a service the business is dependent on,” he said. Organisations should conduct an inventory of critical vendors and understand their incident response plans, said Hoyte of USI. “If there is a cyber incident and it begins with your vendor, do you have a good understanding of what the incident response process is that they will engage?” she said. Compliance with data privacy regulations has grown in scope as more states move to enact such rules. California was the first to adopt such a framework in 2021, and in the three years since, 13 more states have done so, with another 20 or more at some stage of legislative development, Dolan said. This article first appeared on our sister website Business Insurance. For further news from Business Insurance, please click here.

Risk managers urged to increase oversight of cyber supply chain risk

Want to read this article?

Read Next

Four in five non-EU companies to align with CSRD

Multinational corporate client practice launched by Crawford

AIG premium falls after sales but underwriting results and rates improve

Swerma to focus on AI and ESG in 2024

Four in five non-EU companies to align with CSRD

Multinational corporate client practice launched by Crawford

AIG premium falls after sales but underwriting results and rates improve

Swerma to focus on AI and ESG in 2024

Climate shifts – is your business continuity plan ready?

Want to read this article?

Read Next

Four in five non-EU companies to align with CSRD

Multinational corporate client practice launched by Crawford

AIG premium falls after sales but underwriting results and rates improve

Swerma to focus on AI and ESG in 2024

Climate shifts – is your business continuity plan ready?

Related Articles