“Our 3rd party service provider’s systems are unavailable, it’s not our fault!” 3rd party service provider risk. Part 2 – Risk and liability management.

The larger and more regulated an entity is, the more likely it is to have one or more teams that look after 3rd party service providers specifically. They investigate important details such as service level agreements (SLAs), contract small print, termination of contracts and limitations of liability. They can do this because they have lawyers who understand contracts and service delivery managers who understand SLAs and the like.

But what about everybody else who wants the shiny cloud computing, ultra-fast internet, six nines of uptime billed by the nanosecond of utilisation, with no lock-in clauses, right now? Unfortunately, a lot of people just click the “Accept” box.

Briefly on the large, regulated entities. They, like all organisations, are also susceptible to 3rd party service provider risk from “shadow IT”. It sounds scary because it is. Despite (and maybe because of) the best intentions of procurement policies around the adoption of new systems, sometimes people can’t wait for the correct approvals from IT and procurement. With cloud-based software and infrastructure only a credit card number away, there are many examples of organisations running operations on systems that the IT department, let alone procurement and legal, didn’t know they had.

I remember individuals plugging in access points all over the place when WiFi came about because their IT departments hadn’t decided the technology was safe for the organisation to adopt. One of the first WiFi security standards, WEP, was quickly and relatively easily compromised.

Now back to the subject. “…it’s not our fault!” Yes, it is, and most likely you will be held accountable. Without a diagram, let’s see if I can explain the responsibility chain. Say your organisation is XYZ, which holds several thousand customer records that can be considered sensitive. XYZ was an early adopter of cloud services and uses Cloudy Cloud (not a real company, unsurprisingly) for compute and data storage, with no problems so far. Cloudy Cloud has built a perception that they are unbreakable/unhackable.

Cloudy Cloud has a data breach and XYZ’s customers’ personal records are available for sale on the “dark web” to the highest bidder. I will do another piece soon on what XYZ should do should there be an incident, but here is a high-level breakdown of responsibilities:

·        The customers affected by the data breach are under contract with XYZ

·        XYZ is contracted to Cloudy Cloud for data storage services

·        There is no contractual relationship between Cloudy Cloud and XYZ’s customers, who may not even be aware of where their data is physically stored

·        XYZ most likely has an obligation under the Federal Privacy Act to notify the affected individuals and the Privacy Commissioner: as far as the law is concerned, XYZ has had a data breach

While the breach might be Cloudy Cloud’s fault, the impacted individuals have no direct recourse to Cloudy Cloud, only to XYZ, whose rights in relation to Cloudy Cloud fall under the terms of their service agreement. In most cases these agreements contain limitations of liability, so the flow-on costs to XYZ may be covered only in part, if at all.

In many cases we have seen that data breaches of cloud customers were caused by incorrect or insufficient implementation of the cloud provider’s security controls on the customer’s side, rather than by a compromise of the provider itself. Cloud services operate under a shared responsibility security model: the provider secures the underlying infrastructure, while the customer remains responsible for how it configures and uses the service (identity and access, data classification, encryption, logging and so on). Misconfigure your part, and the breach is yours regardless of who hosts the data.

Therefore, ultimate responsibility for managing the incident and any impacts to their customers lies with XYZ. In reality the circumstances are far more complex, but it is a good strategy to assume that your organisation, as a provider of services to your customers, is responsible for any incident that impacts them.

In any case, 3rd party IT service providers are part of most organisations’ IT capabilities, and adoption continues to increase rapidly. Here are a few simple recommendations on 3rd party cyber risk management:

·        Build a 3rd party service provider register that includes specific sections on incident handling and liability for each provider

·        Review the contracts, or better still, have independent specialists review them

·        Build out risk scenarios, and formulate an incident response plan that accounts for each third-party service provider’s response capabilities (who you call, how quickly they must respond, what logs and evidence they will give you)

·        Test one or more of the scenarios with risk simulations; these will highlight gaps before an incident happens

Should you have any questions or would like some assistance with the above recommendations, please get in touch.

Previous: “Our 3rd party service provider’s systems are unavailable, it’s not our fault!” 3rd party service provider risk. Part 1 – Recent issues.