Economies around the world have been severely impacted by the shutdowns, lay-offs and other disruptive consequences of the Covid-19 pandemic. As deconfinement is slowly getting under way in Quebec, various industries scramble to resume operations to survive in a changing environment. Often, this compels them to rely on new service providers to meet the urgent needs of their supply chain.
As business is mostly conducted via the internet, this is not without risks considering third party suppliers have become the preferred back door of cyber criminals to infiltrate businesses and compromise their information systems.
How well is your organization protected against third-party liability?
In the normal course of business, industries big and small enter routinely into contractual relationships with third parties to look after various needs they cannot fulfill or have chosen to outsource (production of parts, transport, monitoring, programming and maintenance of control systems [1], etc.). In order to save time and reduce costs, this delegating often requires industries to provide remote access to their information systems.
Yet, this type of subcontracting should not be dealt with lightly, in particular in times of crisis, as it can cause great harm to organizations.
By enabling remote access to their networks and critical systems (through VPN [2] or through much less secure means), organizations end up importing the liability risks associated with these third parties’ own businesses.
When an organization establishes a third-party vendor relationship, it takes the security practices of the vendor into its own risk profile. This risk should receive special consideration. Giving third parties access to an organization’s own systems or data inherently compromises the systems and exposes the data to the security vulnerabilities of a third party’s business systems and processes. [3]
More specifically, by granting some form of access to their networks and critical systems, industries in effect lower their defense mechanisms and therefore expose themselves to all the internet-related weaknesses their sub-contracting parties may be subjected to (worms, viruses, ransomware, etc.). In addition, unrestricted access to information systems puts sensitive data [4] at risk of being stolen, destroyed or tampered with. Considering such perils are hard to detect, costly disruption of the supply chain and business operations may be anticipated in the event of a cyber attack or data breach.
To illustrate this, Target’s hack [5] provides a striking example. In 2013, cybercriminals broke into Target’s information systems to steal approximately 40 million debit and credit card accounts from clients and users [6]. This breach was caused by the simple theft of credentials [7] belonging to an HVAC [8] company conducting routine online temperature and consumption monitoring at various stores. The poor handling of this security breach combined with Target’s neglect to segregate access to sensitive data of its information systems were exploited by the attackers who infected Target’s point of sale systems all across the United States [9].
Needless to say, this hack had devastating repercussions on Target’s operations, reputation, liability and share value as it faced, unsurprisingly, numerous damage claims, non-compliance fines, account monitoring costs for millions of customers impacted by the breach in addition to considerable time and costs for integrating new technologies to regain the trust of their clients and stakeholders [10].
Over the years, third-party liability is a phenomenon that has been on the rise. Just before the pandemic, it was estimated that 53% of businesses had experienced one or more data breaches caused by a third party [11]. As Jake Olcott pointed out in the wake of Mitsubishi Electric’s recent hack (January 2020), caused by an affiliate and where defense-related data may have been exposed [12], third-party liability is a serious risk factor:
(…) organizations must recognize that their third parties can create risk to themselves and their core operations. Actively measuring and managing third-party cyber risk is not a ‘nice to have’ – it’s a necessity to modern businesses. [13]
In light of the above, it is essential for businesses and industries alike to carefully mitigate their risks when selecting third-party suppliers during this pandemic, considering how critical it is for any enterprise to ensure the integrity of its supply chain from end to end while cyber criminality is on the rise.
To help thwart third-party liability threats, organizations should consider various options: 1) develop appropriate data management and access control policies, 2) conduct due diligence reviews of all potential third parties (history, security standards, data protection and confidentiality policies, cyber hygiene, transparency in the event of a breach, etc.), 3) conduct a thorough risk analysis (inbound, supply chain, outbound), 4) design contractual agreements to minimize the inherent risks of third-party suppliers, and 5) seek appropriate insurance coverage.
It is clear that doing business with third parties may jeopardize the availability and integrity of the data that industries depend upon to operate. It is thus essential for them to take precautions and measures to ensure these partnerships will provide adequate protection to their supply chain and contribute to their longevity and economic success.
[1] Such as Industrial Control Systems (ICS) used in the manufacturing and the power and utilities sectors or Supervisory Control and Data Acquisition (SCADA) used to monitor factories' production line systems;
[2] VPN: Virtual Private Network (through “tunnelling”); allows organizations to securely share data between devices across the internet;
[3] Cybersecurity: Managing Risk in the Information Age, Module 6, Unit 3, Mitigating third-party risks, 2018, Harvard’s VPAL;
[4] That is personally identifiable information, intellectual property, trade secrets, or other confidential information;
[5] Target is one of the largest retail corporations in the USA;
[6] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[7] Credentials: confidential information (such as usernames and passwords) used for authentication and access control to various systems;
[8] HVAC: Heating, Ventilation and Air Conditioning;
[10] https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
[11] https://www.normshield.com/major-third-party-data-breaches-revealed-in-january-2020/
[12] https://www.cisomag.com/japan-confirms-defense-data-breach-after-cyberattack-on-mitsubishi-electric/