When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?

Anonymous Author
Sometimes companies have a third-party assessment organization that is responsible for managing their vendor relationships. Somewhere along the way, there could be a finding against that third party for their own failures, and there would likely be a contract penalty or clause that needs to be exercised in order to put them back in good graces. I'm not very knowledgeable about how those third-party assessment programs work. There are a lot of challenges with third parties because, how do you trust, but verify, what a third party says to you about the security of their environment and the processes that they use? They can tell you that they patch, monitor and respond, but there's a point where you can't verify that without being onsite or on their network.
0 upvotes
Anonymous Author
Where the liability ends up when you're dealing with third-party providers is a tough question that comes up a lot. The contracts can be written in a particular way to dictate that, but there's clearly a control gap in this situation. So how do you identify these risks that you have in a practical, operational way? SolarWinds and Kaseya are both examples of the same issue; it's just in a different context. In both cases you have these third-party products that you're using, which are potentially using fourth parties or some number of internal contractors and developers, and you don't have control over that.
0 upvotes