Organisations spend considerable sums of money to protect themselves against the cyber risks that they see in front of them.
Unfortunately, you can’t manage what you can’t see. This has been the problem with third party assurance for a significant length of time.
Historically, data was fairly immobile: it lived on mainframes and there was no Internet to move it across.
The idea that you can now simply give data to another company, to provide you a service around that data is well-established and entrenched.
The GDPR factor
The arrival of the GDPR may see a significant re-think in how third-party data risk, and third-party assurance are viewed by the Boards of large multinationals.
With British Airways looking to challenge a proposed fine of £183m for their June 2018 website breach, you can see what risk could be posed by a third party providing services to a larger organisation.
If the BA website had been managed by a third party as a service, the size of the fine to BA versus the value of the web-hosting and management contract for the website would be grossly disproportionate.
The standard recourse for a company here would be to rely on a few clauses within their contract that could:
- Allow for the termination of the contract due to the breach (but no help with the fine)
- Recover the value of the contract or a multiple thereof (3x is pretty standard).
- Require that the third-party has some level of indemnity insurance that could be used to recover some of the fine.
Whilst the £183m fine is eye-watering, it could have been much worse. The maximum fine under the GDPR for British Airways (or IAG, to be correct, as this is the parent entity) would be in the order of £500m.
Risk versus Cost
No-one will be able to provide indemnity insurance to the value of £500m, where the contract value may only be a few million pounds or less.
So the risk holder (the data controller) has a potential £500m risk on a £1m contract. The economic rationale for moving data starts to break down at this point. Surely the appropriate risk decision here is to bring this capability back in house, even at the expense of acquiring an organisation to do it. At least the security controls applied to the data would then be under direct control and directly visible.
British Airways could afford to mitigate the £500m risk by spending £5m on security controls, whereas the third-party simply cannot. No-one spends £5m to secure a £1m contract.
This disproportionality means that the security applied to the data will always be a percentage of the overall contract value for the third party, not a percentage of the overall risk as it would be for the data controller.
Data processing to move back in-house
This looks like it will shift the demand for outsourcing in the mid-term, however there are plenty of multi-year outsourcing contracts still out there.
Depending on the contract, the data controller could seek to re-negotiate the contract in good faith, in light of the change in legislation (the GDPR or more specifically in the UK, the DPA 2018). This is likely to come with a significant change cost as the third-party has to take on more risk.
Equally, if the data controller now wants to mandate certain security controls that were not in the original contract, the cost of this change could be significant.
As the data controller you are responsible for the data at all times. If your third-party suffers a breach, it will be seen as a lack of your oversight of the supplier rather than an issue solely with the third-party. Either your initial evaluation of the supplier or your subsequent assurance processes that ensured the third-party was a capable supplier would be seen to be at fault.
What the ICO is looking for
The ICO has already laid down the ground rules for fines associated with data breaches.
If the data breach was caused by something that the average organisation would be capable of stopping and should be stopping, then the fine starts to ratchet up. This is scaled to the size of the organisation: a larger organisation with more resources available is expected to spend a similar proportion of its revenue on security as a much smaller firm.
If you have suffered a data breach despite having a good level of security control, then we can expect a level of leniency. This is yet to be tested under the GDPR, as the breaches to date have been associated with failures of basic security hygiene.
So what can a data controller do now?
You are stuck with the third parties you have already agreed contracts with. What can you do to improve both your third-party risk position, and your scope for minimising any potential fines that may end up coming your way, as a result of the inevitable data breach?
That third-party assurance process you have currently. The one that asks whether the third party has a security policy and is aligned to ISO 27001 security controls? The one under which you have never audited a third party? Maybe it is time for a review of that process, with a view to gaining better oversight of what is happening to the data you gave them.
Maybe it’s time to prove to your regulator and your clients that you are trying to get to grips with this problem?
Creating a Third-Party Assurance programme
Creating a functional third-party assurance programme is a lot of effort, but compared to the risk that a data breach exposes the organisation to, it easily funds itself from a risk mitigation perspective.
Historically, third-party assurance has been about sending your prospective supplier a questionnaire, and depending on the answers, some further interview or questions may have been appropriate.
You may have a right to audit your supplier in your contract, but the reality is this requires resources that the organisation usually does not have spare.
Without a clear, holistic process that initiates actions for a particular purpose, your response is either an action taken too late (if you invoke the right to audit after a breach has occurred), or it is an action taken without appropriate risk management consideration.
So what makes a good third-party assurance process?
Firstly, it has to be risk based. There has to be a clear logic described within the process that triggers each of the appropriate stages of the assurance process.
These triggers must be based on reasonable assumptions and relate to the value of the data being processed by the third-party.
A clear, logical third-party assurance process that is being followed and evidenced, will go a long way to mitigating the risk of third-party non-compliance, and in reducing the scale of any fine that may come as a result of a third-party data breach.
The separate stages of a third-party assurance process
The first stage is the collection of relevant information from the third-party as to the security controls they have in place and how they plan to hold and secure your data. A simple list of questions, where it is obvious what the right answer needs to be should be avoided. Don’t make it too tempting for the third-party to agree to everything, as in the long run this may not be what is required.
An initial evaluation of your third party should not be based on a few yes/no questions, but rather on an analysis of the evidence provided of the third party's compliance with your data security requirements.
“Please supply a copy of your security policy“, rather than “Do you have a security policy?”
This is more work for the data controller (as someone needs to conduct that analysis), but without a depth of evidence provided by the third-party, a determination of the suitability of the third-party to your data security requirements cannot logically be made.
The Scoring matrix
Once evidence has been provided, you need a consistent method of evaluating the responses. Without a scoring system, you are leaving the evaluation purely to the personal discretion of the individual doing the scoring.
This is very difficult to justify, because it is very hard to audit. If an audit is based on someone’s opinion on what is acceptable, there is little scope for review. If an audit is based on whether the reviewer complied with the scoring system, this is far less subjective and creates a second-line review opportunity.
A scoring system ensures that the results can be validated, and it removes the pressure from the evaluator as to what good should look like. What good looks like has already been pre-determined in the scoring system.
Responses allocated to scores
Your response to a third party's evaluation score must be tiered. Just because the third party receives a really bad score does not, in the first instance, mean you will not work with them.
There may be many reasons why a third party's response was poor. It may have missed the people who know about this area (vacations or other perceived higher priorities). You need to take the time to confirm the scoring with the third party and justify your actions.
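The risk-based triggers described under "So what makes a good third-party assurance process?" and the scoring matrix and tiered responses described above can be written down as one small decision procedure, so that the logic is evidenced and auditable rather than living in an evaluator's head. The following is an added illustration, not code from the original article: the control areas, their weights, the 0/1/2 evidence levels, the data-value tiers and the thresholds are all assumptions to be replaced with your own programme's values.

```python
"""Risk-based scoring matrix for third-party assurance evidence (added example).

Assumptions (not from the article): control areas, weights, evidence levels,
data-value tiers and the thresholds that trigger each assurance stage.
"""
from enum import Enum


class DataValue(Enum):
    """Value / sensitivity of the data the supplier will process."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Weighted control areas (assumed weights). The evidence score per area is
# 0 = no evidence supplied, 1 = partial evidence, 2 = full evidence (e.g. the
# policy document itself, not a "yes" to "do you have a policy?").
CRITERIA = {
    "security_policy": 3,
    "access_control": 2,
    "encryption_at_rest": 2,
    "incident_response_plan": 3,
    "independent_audit": 2,
}
FULL_EVIDENCE = 2

# Thresholds (assumed) below which later stages are triggered. They rise with
# the value of the data, so a high-value data set demands stronger evidence.
INTERVIEW_THRESHOLD = {DataValue.LOW: 40, DataValue.MEDIUM: 60, DataValue.HIGH: 80}
ESCALATION_THRESHOLD = {DataValue.LOW: 20, DataValue.MEDIUM: 40, DataValue.HIGH: 60}


def weighted_score(evidence):
    """Return the supplier's evidence score as a percentage of the maximum.

    Unknown control areas are rejected; areas with no entry count as 0 (no
    evidence), so an incomplete response cannot silently score well.
    """
    unknown = set(evidence) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    earned = 0
    for name, weight in CRITERIA.items():
        level = evidence.get(name, 0)
        if level not in (0, 1, 2):
            raise ValueError(f"{name}: evidence level must be 0, 1 or 2")
        earned += weight * level
    maximum = sum(CRITERIA.values()) * FULL_EVIDENCE
    return round(100 * earned / maximum, 1)


def triggered_stages(evidence, data_value, existing_contract):
    """Decide which assurance stages follow the evidence review.

    Returns (score, stages) where each stage is (name, reason) so the record
    shows why each step was taken. A low score on a supplier with no existing
    relationship ends the process; the same score on an existing contract
    escalates to a senior management meeting instead.
    """
    score = weighted_score(evidence)
    stages = [("evidence_review", f"weighted evidence score {score}%")]
    declined = False
    if score < INTERVIEW_THRESHOLD[data_value]:
        stages.append(("interview",
                       f"{score}% is below the {INTERVIEW_THRESHOLD[data_value]}% "
                       f"interview threshold for {data_value.name} value data"))
    if score < ESCALATION_THRESHOLD[data_value]:
        if existing_contract:
            stages.append(("senior_management_meeting",
                           "low score on an existing contract: agree required changes"))
        else:
            stages.append(("decline", "low score and no existing relationship"))
            declined = True
    if data_value is DataValue.HIGH and not declined:
        stages.append(("joint_cyber_simulation",
                       "high value data: exercise incident response jointly"))
    return score, stages


# Constructed sample responses (not real suppliers).
SUPPLIER_A_EVIDENCE = {  # supplied most documents, no independent audit report
    "security_policy": 2, "access_control": 2, "encryption_at_rest": 1,
    "incident_response_plan": 2, "independent_audit": 0,
}
SUPPLIER_B_EVIDENCE = {"security_policy": 1}  # a partial policy and nothing else

if __name__ == "__main__":
    for name, evidence, value in [("A", SUPPLIER_A_EVIDENCE, DataValue.HIGH),
                                  ("B", SUPPLIER_B_EVIDENCE, DataValue.MEDIUM)]:
        score, stages = triggered_stages(evidence, value, existing_contract=True)
        print(f"Supplier {name}: {score}%")
        for stage, reason in stages:
            print(f"  {stage}: {reason}")
```

Supplier A scores 75% and, because it handles high-value data, still goes to interview and a joint simulation even though nothing is escalated; supplier B scores 12.5% and, on an existing contract, triggers the senior management meeting rather than a straight decline. Keeping the thresholds in one place means the second-line reviewer can check the outcome against the matrix rather than against the evaluator's opinion.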
Stage 2: Third-Party Interviews
You may wish to interview the third party's representatives on a call or face to face. Look to understand their responses in certain areas, and look at areas where the original response appears to be contradictory. Understanding how the third party arrived at the response they provided is an important part of the evaluation.
Senior Management Meeting
As a result of the interviews, you should have a pretty good handle on which third parties know what they are doing, and which ones may require a little more help with what is expected of them.
Assuming you have no existing relationship with the low scoring entity, you can drop them at this point. However, life is usually not that simple. This third-party may already have a contract with you.
This is where you need to drag their senior management and your senior management into a meeting to discuss what you need them to change.
What you require from the third party should be decided prior to the meeting, as part of a third-party governance process. Then you can let the Execs have their discussion.
The benefit of having an executive meeting at this stage is that it pre-warns your Execs of the seriousness of this meeting and the possible consequences of it.
If an agreement cannot be reached at this meeting, then we are into contract dispute territory, which is likely to be costly in its own right.
Usually at this point there are not many good outcomes. You may terminate the contract with the third-party for failing in their obligations to secure the data you have given them, but this is quite an argument to test in a court and may take considerable time and cost.
As the case law in this area is pretty thin on the ground, this is a bit of a nuclear option.
The idea is to press the third-party for changes to improve its security controls, with an appropriate sum changing hands as part of the agreed change process.
If it can be shown that the third-party has clearly lied during this contractual process, with a view to fraudulently obtaining the contract, then that is another avenue for the lawyers.
It is imperative that records are kept of all the obligations accepted by the third-party in the first place, as evidence when the lawyers want to get excited. And for the security folks to point at when the third-party claims amnesia.
Joint Cyber Simulation Exercises
A good way to encourage open dialogue and to assess your third party's security controls, without having to go through the stress of an audit, is to run Joint Cyber Simulation Exercises with your third parties. Audits can get confrontational as everyone defends their positions and looks to ensure their contractual positions are not eroded.
A Joint Cyber Simulation exercise involves a role play of a cyber data breach where you and your third-party have to work together to manage a cyber data breach scenario.
This allows you to observe your third party's direct responses to the scenario, and provides significant evidence of preparedness on the part of the third party. Generally, if security controls are weak, incident response is an area that will have been given little or no air-time: an organisation that cannot put appropriate security controls in place in the first place is certainly not going to spend its time testing them.
The scenario can be played out over conference calls to minimise any expense, and allows your team to conduct multiple scenarios with different third-parties with relative ease and minimal cost.
It also provides buckets of evidence to your regulator and your clients that you are doing the right kind of checks on your third parties.
It is cheaper than auditing, less confrontational than auditing, less time consuming and generates better and more realistic evidence of compliance.
The results of the joint cyber simulation can be shared with the third-party, with a commitment made to introduce improvements as evidenced by the simulation. This allows security controls to be improved without the threat of contractual disputes, as part of a collaborative and co-operative, constructive relationship.
Creating a holistic third-party assurance programme that incorporates all of these elements provides you with the tools you need to manage third-party data risks.