I’m seeing more and more companies managing their cybersecurity risk in part by attempting to transfer responsibility to their suppliers and vendors. In essence, they are practicing good risk management principles!
This is happening to all kinds of companies, many of whom have never before felt this kind of pressure to be extremely good at cybersecurity. This includes HIPAA business associates as well as low-profile logistics companies. And the companies are of all sizes, both publicly traded and privately held.
While most of this pressure is coming proactively as buyers go through vendor selection processes, we’re seeing it more and more in post-breach situations. And it’s affecting suppliers of cybersecurity services. Here’s the latest one:
Affinity Gaming, an operator of 11 casinos in four US states, is suing cybersecurity company Trustwave for failing to contain a breach it was hired to shut down, opening a new avenue of liability around data breaches. The lawsuit, filed in the US District Court in Nevada in late December, is one of the first of its kind where a client challenges a cyber security company over the quality of its investigation following a hack.
By the way, Trustwave was unsuccessfully sued by various banks to recover costs in the wake of the 2013 Target payment card data breach. That situation was a little different than the Affinity Gaming suit since Trustware was acting as a Qualified Security Assessor (QSA) on behalf of the Payment Card Industry Security Standards Council.
We can expect to see even more pre- and post-purchase cybersecurity pressure on supply chains coming in the years ahead. This accounts for much of the boom we’re seeing in cybersecurity insurance and it will compel just about everyone to get better at cybersecurity.
How has this trend affect your business?