“Our 3rd party service provider’s systems are unavailable, it’s not our fault!” 3rd party service provider risk. Part 1 – Recent issues.

Have you heard this before: “Our data is all stored in the cloud, so it’s totally secure” or “We have guaranteed 99.9999% uptime (6 nines!) because we use the cloud”? I have heard this from IT teams, executives and board members alike. These misconceptions can lull entire leadership teams into a false sense of security, reducing the effort put into building and testing incident response plans and leaving organisations exposed to massive risks.

Before I launch into the risks and how to check exposure, just a few comments on using large cloud service providers. They spend heavily on:

· Top-of-range servers and storage
· Highly resilient data centres
· Fast and resilient networks
· Dedicated, highly qualified and experienced cybersecurity personnel
· Many other security and resiliency risk mitigation techniques

Yet one of the largest cloud service providers suffered an incident on 23 October 2019, with some of their customers experiencing up to 12 hours of service interruption.

Also, an Australian bank that owns all of the above technology itself experienced a system outage on Thursday 17 October 2019. The repercussions were so widespread that the bank took responsibility and has already provided some financial compensation to those affected. The bank took responsibility, but some have assumed that the root cause of the problem was a patch from its 3rd party software vendor.

This is just in the last three weeks. Countless organisations and individuals all over the world were affected by these issues, which were caused by their service providers’ dependence on 3rd parties for the delivery of technology services:

· In the example of the cloud companies, they are the 3rd party platform provider, an aggregator of services
· For the bank, it is a 3rd party provider and aggregator of financial services

So, the rabbit hole goes very deep in terms of cause, impact and responsibility. From these few incidents alone, I read one story about an individual who was denied critical surgery overseas due to an inability to access funds. I also heard of a company that missed out on a tender due to a lack of access to critical software. And what about the problems these incidents created for the millions of people who played no part in causing the outages?

I’ll talk more about 3rd party service provider risk and liability management in the next instalment. In the meantime, please contact the CAP with any questions.
