How to prevail when technology fails - Flipbook - Page 46
The majority of businesses accept risk in their approach to suppliers
Despite numerous, well-documented instances of cyber attacks stemming from vulnerabilities in suppliers’ defenses, two-thirds of businesses assess only a small number of their suppliers’ cybersecurity credentials.
Remember that cyber vulnerabilities can be created by the unlikeliest of suppliers. For example, U.S. retail giant Target experienced a data breach in 2013 that compromised 41 million customer payment card accounts. The breach started with the theft of credentials from its heating, ventilation, and air-conditioning supplier [7].
“Fundamentally, any supplier who is going to hook into our technology, online ecosystem or payment and HR processes in any way through an API or otherwise is going to have to go through a full data security review,” says Dominic Perella, Snap’s Deputy General Counsel and Chief Compliance Officer. “It’s best to err on the side of caution.”
Given the number of suppliers a business can have, implementing a robust supplier oversight program is essential.
“We’ve worked with many clients that have suffered a breach due to the fault of a vendor. This adds a layer of complexity because there may be a potential second front for the litigation. Depending on the relationship with the vendor, you may want to litigate against them or seek some indemnification.”
Michelle Kisloff | Partner, Hogan Lovells
Fig 23. Most businesses only assess the minority of their third-party technology suppliers’ and vendors’ cybersecurity credentials
Q. How many of your third-party technology suppliers’ and vendors’ cybersecurity credentials do you assess?
All of them: 4%
Most of them: 27%
Only a small number, where we believe there is a risk: 65%
None of them: 4%
7. CIO, 11 Steps Attackers Took to Crack Target, September 2014