Vendor Cyber Risk Management: Why is it important?

Perhaps you remember Fazio Mechanical, the unfortunate HVAC contractor whose credentials were the access point for Target's massive 2013 data breach. Using network credentials stolen from Fazio, attackers broke into the retailer's network in November 2013. Payment card data for some 40 million customers and the names, mailing addresses, phone numbers and email addresses of up to 70 million people were compromised.

Fazio Mechanical was far from an anomaly. Attackers routinely look for weaknesses in a vendor's systems as a way into the target company's network. Supplier networks are often less well defended than those of the target enterprise, which typically has more resources devoted to security. Home Depot and Boston Medical Center are other examples of organizations that were breached as a result of compromised third parties. Recently an Indiana hospital paid attackers to decrypt patient records that had been encrypted in a ransomware attack launched through an outside vendor's account.

Network security is increasingly a key consideration in vendor risk assessment, and companies are starting to integrate cybersecurity into their supplier qualification criteria. A number of cybersecurity software companies offer tools to assess vendor cyber hygiene, and many do a good job of identifying externally visible security flaws and summarizing exposures through scoring systems or in easy-to-understand reports.

Vulnerability scores and reports are useful, but they describe a vendor's posture at a point in time and focus on what could happen, not on what actually is happening in a world where many organizations find themselves under relentless attack. Knowing when a vendor or a related company has experienced a significant cyber incident can be invaluable. Armed with this knowledge, CISOs and other security professionals are alerted to potential exposures of their data, whether it sits on their own systems or is stored by the vendor. The incident also may highlight vendor security issues not identified by risk scoring algorithms.

Beyond cyber security, knowing that a vendor has experienced a serious event is valuable information for more general risk management purposes. A network security event could threaten the financial viability of a key supplier, for example. Additionally, as more and more devices are connected through the internet, the risk increases of attackers causing physical harm or disruption by interfering with those devices. It would be useful to know, for example, that network-connected valves manufactured by a key supplier had been implicated in a cyberattack.

Advisen's cyber loss data, which the company describes as the largest of its type anywhere, is updated continuously as new information on cyber incidents becomes available. Previously, this data was offered to Advisen customers on a monthly schedule, but it is now available daily, providing as close to real-time notification of loss events as possible. Cyber event data complements vendor system security assessments and provides CISOs and other security professionals with continuous, near-real-time feedback on how well vendor security measures are working, along with notification of events that could negatively affect their own organizations.