
Does Your Business Have Its Vendors Managed for Cybersecurity?

Written by: Cameron G. Shilling

1/28/2021

Whenever a business entrusts sensitive information to its vendors, it must ensure that the vendors safeguard the information at least as rigorously as the business is required to do. We give such information to a multiplicity of vendors, often without fully realizing we are doing so. Some examples include email providers, cloud storage, software-as-a-service applications, copy rooms, couriers, professional service providers, and so on.

Businesses frequently entrust sensitive information to vendors without critically considering whether we should do so, and without knowing how to ensure we are doing so appropriately. Consequently, vendor management is one of our biggest cybersecurity risks and challenges.

Not all vendors pose the same risks, nor should they be managed identically. Effective vendor management requires categorizing vendors and addressing each category differently.

For example, we entrust certain vendors with large amounts of highly sensitive information, such as cloud storage, record retention, professional service, information technology, and benefits administration providers. To fulfill our obligation to ensure that these vendors properly safeguard the information we give them, we must conduct appropriate due diligence. That can include reviewing documents, such as their written cybersecurity policies, training materials, and insurance. That also can include asking them to complete written questionnaires and answer follow-up inquiries. In addition to due diligence, we must enter into meaningful information security agreements with these vendors.

We give other vendors similarly large quantities of sensitive information, but due diligence is not feasible. Examples include Microsoft, Google, Amazon, health insurance providers, banks, etc. These vendors commonly offer industry-accepted certifications that we can rely on in lieu of due diligence, and will enter into their own form security agreements.

Many vendors fall into a middle category. These include vendors to which we give smaller amounts of sensitive information, or to which we provide sensitive information only episodically, such as landlords, cleaning services, couriers, and document storage and destruction companies. Likewise, vendors we entrust with meaningful amounts of information that is not particularly sensitive can fall into this middle category. For them, moderate due diligence (such as reviewing only their cybersecurity policies) and entering into appropriately tailored information security agreements often suffice.

Finally, vendors fall into the lowest risk category if they receive information that is confidential but not legally protected, or if they do not have direct access to information. Examples include a website host, a business development consultant, and a food service vendor. While we should enter into reasonable confidentiality agreements with them, due diligence is typically unnecessary.

Though diligence and agreements are required, persuading some vendors to cooperate can be challenging. Diligence should be thoughtfully tailored to not overwhelm vendors, but nonetheless be sufficient to determine whether they truly implement cybersecurity safeguards appropriate to the quantity and sensitivity of information entrusted to them. Businesses may have to decline to retain vendors that refuse to comply with reasonable diligence requests or have not adopted sufficient cybersecurity protections.

Negotiating an effective information security agreement requires equal parts perseverance and foresight. For example, such agreements must select an appropriate legal regulation, achievable industry standard, or otherwise defined set of cybersecurity criteria that the vendor must meet. The agreement also must artfully address issues that are commonly divisive and contrary to the vendor’s form services agreement, such as limitation of liability, breach notification, termination of the services agreement, ownership and return of information, and cyber insurance.

While challenging, vendor management is both critically important and manageable. Success is achievable through patience, flexibility, resourcefulness, and experience.

Cam Shilling chairs McLane Middleton’s Information Privacy and Security Practice Group. Other members of the team include attorneys John Weaver, Annie Cho, and Katelyn Burgess and technology paralegal Dawn Poulson. Founded in 2009, the group assists businesses and private clients to improve upon their information privacy and security compliance, and address any security breach or incident that may arise.
