The following article appeared in The Cybersecurity Law Report on April 8, 2015.
Vendors and other third parties are vital to most businesses, but they can leave a company dangerously vulnerable to a breach of its data or network. As the Target breach demonstrated, even a non-IT vendor can cause widespread damage. Properly vetting third parties remains one of the most challenging aspects of a cybersecurity program. In order to allocate due diligence resources appropriately, a company must first assess each potential third party to determine whether it presents a low, medium or high level of cybersecurity risk, and then conduct the corresponding level of diligence. This article, the first in our series, provides a framework for companies to (1) categorize potential vendors based on risk, including specific questions to ask; and (2) conduct initial due diligence on vendors that present a medium or high level of risk. Part Two will address the third step: deeper due diligence for high-risk vendors.