Third-party service providers can be ‘hornets nest’ in cyber security: ICRMC speaker

Contracts with information technology service providers can be critical in managing risk from cyber incidents, and third-party providers need to be involved in exercising contingency plans for cyber breaches, speakers suggested Friday at the 2016 International Cyber Risk Management Conference in Toronto.

“It is absolutely critical to vet the third parties,” said Ira Nishisato, a lawyer with Borden Ladner Gervais LLP whose areas of expertise include cyber security litigation. “You need to know who you are dealing with. You need to know their level of expertise and you need to know their level of sophistication.”

Nishisato made his remarks during a panel discussion, titled Operationalizing Incident Response, at ICRMC. The event was produced by MSA Research Inc. and held Thursday and Friday at the Hilton in downtown Toronto.

“Third-party service providers are a hornets nest, and I think it’s fair to say that in litigation, we see case after case where problems have arisen with third parties, and there is litigation after a data breach that involves an organization but the organization has to bring in the third parties, some of whom may be very small service providers with no ability to pay damages.”

He suggested corporations need to review contracts with such parties in order to plan for cybersecurity incidents.

“If your contracts with third parties don’t run to 20 pages you might want to have them to be reviewed,” Nishisato said. “It may sound excessive … but I think at the end of the day you want your contracts with service providers to be as ironclad as possible.”

IT service providers need to understand their roles and responsibilities in the event of an IT security incident, suggested Jane Shapiro, senior vice president and national practice leader, corporate and crisis communications at public relations agency Hill and Knowlton.

“You’ve got to bring third-party providers right into the tent from the very beginning,” Shapiro said during the panel. “When you do your crisis exercises, they need to be a part of it.”

Communication with the public is critical after an incident, Shapiro added.

“It may be a very long time before you have most of the information … before you know how long it’s going to be before you can begin to then fully recover,” Shapiro said of cybersecurity incidents. “If you are silent, I think what tends to happen is that others will fill the vacuum. So in a very intense media environment …other voices will weigh in about what you ought to be doing.”

Quoting Berkshire Hathaway chairman Warren Buffett, Shapiro added: “It takes 20 years to build a good reputation and about five minutes to ruin it.”|

Moderating the panel was Nick Galletto, partner, Americas cyber, risk services leader at Deloitte LLP. He presented findings from surveys of corporate executives responsible for information security.

“A lot of the drivers are either regulatory or legislative, and it becomes more of a compliance requirement, as opposed to trying to do what’s right, and often what we ignore is focussing on the things that matter,” Galletto said. “So although there is a compliance requirement, the issue becomes, ‘Well, what about our critical assets? Our industrial control systems, some of our financial systems, customer databases,’ et cetera et cetera. Often what we do is we look specifically at requirements from what the regulators are telling us to do, and it causes issues.”

One major issue is legal liability, Nishisato noted.

“In the area of cyber breaches, the standard of care is evolving quickly,” Nishisato said. “There is no one uniform standard. There are different standards applicable to different industries, there are different guidelines involved in different industries.”

More coverage of the 2016 ICRMC

Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker