Vendor Cybersecurity Policies and Procedures – The Nitty Gritty
Last week, I wrote about DFS’s requirement for written vendor cybersecurity policies and procedures generally. Now let’s talk about specific issues. What issues should you make sure that your vendors address in their own procedures? DFS is very specific.
1. What are the vendors’ access controls? Do they use multi-factor authentication when appropriate?
2. What do they encrypt? Consider encryption of both data in transit (emails and other methods of transmitting data) and data at rest (when data is on their server, laptops, cell phones, etc.).
3. Do your vendors agree to provide you with notice in the event of a successful cyber attack?
4. Do you have affirmative representations and warranties from your vendors in your vendor agreement?
Make sure that you have the periodic right to verify vendor compliance. And make sure that you can update requirements because, as with arms and armor, for every new armor that is placed around computers to protect against hackers, there are thousands of people trying to design new weapons to pierce that armor.
Today’s Takeaway? 43 years ago, when I negotiated my first bank computer contract with Ross Perot’s EDS, banks had little negotiating power on technical issues and there was no internet to worry about. How the world has changed when it comes to computers, and also computer contracts. Don’t be afraid to say, “Sorry, but DFS made me do it.” In our experience, sophisticated vendors know that they have no choice but to comply when a proper demand is made, so don’t be shy about making the demand. Most of the leading vendors to banks have already changed their contracts to address the issue, but if not, force them to comply with your needs.