Webcasts, Videos and Podcasts

Thu, May 21, 2020

Minimizing Third Party Cyber Risk Starts with Contract Review

In our previous video we outlined the fundamental steps for building a data inventory to better understand where sensitive data is stored and how best to protect it. In this video, we highlight the need to identify third parties who may have access to your data, and what steps they’ve taken to protect it. Especially in the event of a cyberattack, it is important to know how your data may be at risk and what legal mechanisms your organization has to inspect third parties’ security or minimize liabilities. In a webcast co-hosted with James Melendres of Snell & Wilmer, Jonathan Fairtlough, Managing Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps, discussed the importance of creating and updating contracts with third-party vendors to ensure data is securely stored to reduce vulnerabilities that can lead to cyberattacks, such as ransomware and business email compromise (BEC).

Minimizing Third Party Cyber Risk Starts with Contract Review

Watch the full webinar and download the slides: Effective Business Email Compromise and Ransomware Mitigation

It is crucial for security and privacy leaders to monitor and update contracts with third-party vendors to protect their organizations from data breaches. Very often, a data incident originates with a vendor whose security has not been validated due to a lack of legal authority, which should be present in the contract. Clauses such as a contractual right to access and a duty to assist in security reviews are fundamental to ensure a healthy third-party cyber risk management program. In doing so, an organization can audit and ensure the safety of the data being kept by a third-party.  

How to keep track of the data your third parties have? 

It is important to hold your vendors to the same security standard to which you hold your own organization. Monitoring and maintaining the data that your vendor holds should be managed the same way as your internal data inventory. Ensure you’re taking the following steps when keeping track of your third-party data: 

  • Review your vendor contracts 
  • Keep copies of contracts in a documented form
  • Include review of third parties in your audit 
  • Utilize your ability to inspect if you have a clause that allows for it 

In the infographic below, Jonathan identifies key considerations for ensuring the safety of your data. He highlights the need to take the proper steps to know who has your data. This includes verifying the legal review of vendor contracts that hold data and maintaining copies of vendor security assessments. 

Minimizing Third-Party Cyber Risk Starts with Contract Review

Shay Colson, one of our experts, wrote an excellent article on the inherent challenges of managing third-party cyber risk and how to adjust expectations to better fit business needs and strategically manage our resources to address the most pressing risks. It’s a must-read.

Your organization’s data security is increasingly dependent upon third parties, pressing the need for external reviews. Starting with a review of vendor contracts, focused on the key aspects that Jonathan and James shared in the video, helps set the course towards cyber resilience. 

 

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

Third Party Cyber Audits and Reviews

Ensure that your third parties are handling sensitive data according to regulatory guidelines and industry standards with our cyber audits and reviews.

Third Party Cyber Audits and Reviews

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.

Data Protection Officer (DPO) Consultancy Services

Optimized Third-Party Cyber Risk Management Programs

Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.

Optimized Third-Party Cyber Risk Management Programs
Insights
DORA vs. NIS2 vs. PSD2: Navigating the Evolving Regulatory Landscape
Cyber

DORA vs. NIS2 vs. PSD2: Navigating the Evolving Regulatory Landscape

October 30, 2024

by Tiernan Connolly, Hannah Rossiter

DORA vs NIS2 vs PSD2 Navigating Evolving Regulatory Landscape
Magecart Attacks: Prevention Tips and Security Best Practices
The Monitor

Magecart Attacks: Prevention Tips and Security Best Practices

October 28, 2024

by Laurie Iacono, Dan Ryan, Michael Carulli

What is Magecart Malware and How to Protect Against It
Elections, AI and Regulation: Balancing Security and Innovation
Enterprise Risk

Elections, AI and Regulation: Balancing Security and Innovation

October 16, 2024

by Ken C. Joseph, Esq., Richard Kerr

Elections, AI and Regulation: Balancing Security and Innovation
What Is a Red Team Exercise & Why Should You Conduct One?
Cyber

What Is a Red Team Exercise & Why Should You Conduct One?

October 11, 2024

by Ben Mahar

What Is a Red Team Exercise & Why Should You Conduct One?

Kroll is headquartered in New York with offices around the world.

One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top