You’re only as strong as your weakest link. Even if you maintain good cyber security practices, a less diligent vendor could open the door to an attack on your data. When selecting vendors and writing contracts, it’s important to address cyber issues, liability and indemnification.
Cyber Attacks on Vendors
Vendors often possess valuable data from multiple clients, making them an attractive target for hackers. Many companies have already had to deal with the fallout of a cyber attack on a vendor.
- Health IT Security says that Virtual Care Provider, an IT vendor that serves 110 nursing homes and acute care sites, was hit with a ransomware attack in 2019. The attack cut off electronic health record access and disrupted services.
- According to ZDNet, CyrusOne, a data center provider, was hit with what appeared to be a targeted ransomware attack in 2019. Six managed service customers, including a financial and brokerage firm, were impacted by the attack.
- ZDNet has also reported on a 2020 ransomware attack against Blackbaud, a software and cloud hosting solutions provider. Although the attempted encryption was thwarted, the attackers stole customer data and threatened to publish it, and Blackbaud decided to pay the ransom demand to prevent this.
Liability and Indemnification
Many factors determine liability after a cyber incident at a vendor, including the terms of the contracts you have with the vendor and the regulatory requirements that apply to your industry.
You shouldn’t assume that your company will be off the hook completely. In addition to the reputational damage that can follow a data breach or ransomware attack, your company may be held legally liable.
Your company is responsible for the vendor agreements it enters into, and this can be especially important for health care organizations and other companies that deal with sensitive information. For example, HHS says that a physicians’ group agreed to pay $500,000 in 2018 to settle potential HIPAA violations for sharing protected health information with an unknown vendor without a business associate agreement.
Ultimately, it’s your company’s reputation that’s on the line, and you’re responsible for vetting your vendors. You’re also responsible for ensuring that all contracts address cyber liability and indemnification issues appropriately.
- Don’t just assume that your vendors are being cyber smart. Verify that basic cyber security measures are being followed, and require these practices to be maintained.
- Ask to see vendor contingency plans. How will the vendor operate if its data is encrypted or erased? How do those plans account for your dependence on the vendor's availability? Is there flexibility in timelines to allow recovery after an incident?
- Verify that all vendors have sufficient cyber insurance and that you will be covered if anything happens. Consider having your company named as an additional insured. Also check your own policies to see whether coverage extends to vendor incidents.
- Include clauses in contracts to clarify liability and indemnification issues. Also check for liability caps and other clauses that could impact liability and indemnification. Review the contract with the possibility of an expensive cyber attack in mind.
Have questions about your company’s cyber insurance? Contact us.