Transferring Cybersecurity Risk To Vendors and Suppliers

I’m seeing more and more companies managing their cybersecurity risk in part by attempting to transfer responsibility to their suppliers and vendors. In essence, they are practicing good risk management principles!


This is happening to all kinds of companies, many of whom have never before felt this kind of pressure to be extremely good at cybersecurity. This includes HIPAA business associates as well as low-profile logistics companies. And the companies are of all sizes, both publicly traded and privately held.

While most of this pressure is coming proactively as buyers go through vendor selection processes, we’re seeing it more and more in post-breach situations. And it’s affecting suppliers of cybersecurity services. Here’s the latest one:

Affinity Gaming, an operator of 11 casinos in four US states, is suing cybersecurity company Trustwave for failing to contain a breach it was hired to shut down, opening a new avenue of liability around data breaches. The lawsuit, filed in the US District Court in Nevada in late December, is one of the first of its kind where a client challenges a cyber security company over the quality of its investigation following a hack.

By the way, Trustwave was unsuccessfully sued by various banks to recover costs in the wake of the 2013 Target payment card data breach. That situation was a little different than the Affinity Gaming suit since Trustwave was acting as a Qualified Security Assessor (QSA) on behalf of the Payment Card Industry Security Standards Council.

We can expect to see even more pre- and post-purchase cybersecurity pressure on supply chains coming in the years ahead. This accounts for much of the boom we’re seeing in cybersecurity insurance and it will compel just about everyone to get better at cybersecurity.

How has this trend affected your business?
