A recent CPO article by Mark Lotti quipped, "…a vendor's cyber risk becomes the client's cyber risk". The sheer number of breaches and data loss make this statement ring true, now more than ever. The question is, how do you manage your vendors’ risks to keep your data secure? The article touted the benefits of performing a risk assessment on SaaS vendors, which is an excellent way to secure a clear, objective evaluation (especially when compared to just taking the vendor’s word for it). Whether this risk assessment is performed by an internal team or one external to your organization is primarily dependent on your organizational structure, capabilities, and bandwidth. You absolutely do need someone performing risk assessments on vendors, whether that person be internal or a subcontractor. As with the structure of the risk assessment team, what the risk assessment itself looks like can also vary. From a simple conversation/interview to a full questionnaire with hundreds of questions, there are many available routes to complete this assessment and you will have to choose the route that best suits your organization and the particular risks you (and your vendors) face.
One thing to keep in mind is that a SaaS vendor risk assessment is a very small piece of a very large pie. Managing your organizational risk from third-party SaaS relationships starts with understanding and assessing your organization’s exposure from utilizing third-party services versus maintaining complete control yourself. There are different types and degrees of risk (and therefore the risk tolerance will vary) depending on the application and the nature of the service being procured from the vendor. However, this risk is nearly always dependent on the type of data being processed by the vendor. This is the key…you cannot hope to mitigate risk in third-party SaaS contracts if you don’t understand what data is being processed by your vendor.
While negotiating global sourcing contracts for our Big 4 Clients, we spend considerable effort identifying exactly what data is being processed in any SaaS, largely because of the requirements imposed by the EU privacy regulations, and now GDPR. When I would ask the business team exactly what data was being shared with this vendor, it was very common for the business team to shrug off any talk of personal data and respond “nothing private”, only for them to be shocked when they discovered that processing or tracking something as seemingly innocent as a name or phone number (which we think of as being ‘out there’ in the public space), or even IP address, created the need for further analysis/protection. It isn’t a stretch for people to think about privacy when thinking about customer financial data or customer health data…but the definition of ‘personal data’ in these privacy laws is much, much broader than that. The California Consumer Privacy Act, which goes fully into effect on January 1, 2020, will definitely change the privacy landscape in the US as it imposes many GDPR-like requirements on data processors who do business in California. This is a big deal for companies who haven’t been subject to GDPR, and it seems likely that more states will pass similar laws in the future. This is the new reality.
Once you fully understand the nature of the data being processed, you can turn your focus on how you address and mitigate that risk. Your vendor risk assessment is a great start, but your written agreement with your SaaS vendor is the nexus between your risk and your vendor’s risk. The agreement should balance establishing proactive protection and retroactive recourse, although your company’s time and effort should go into prevention, because we want to prevent data loss more than we want a vendor to have to pay for the consequences of data loss. Every SaaS agreement should obligate the vendor to provide you an annual third-party attestation (like SOC 2 Type 2 report or equivalent) that confirms that the vendor has adequate security controls in place. You should endeavor to secure audit rights of your SaaS vendors (and their vendors who process your data), even if you should be prepared that you’re not going to win those in every case. You always want to obligate your vendors to warrant that they will use no less than industry standard security controls and measures, and you can always require specific security controls to bolster your protection or address specific needs. You absolutely need to ensure that your right to access, control, and even delete your data (and perhaps your customers’ right to access, control, and delete their data) matches to any legal requirements of any applicable data protection law or regulation. And, ultimately, careful consideration and negotiation should be devoted to how liability for a breach is apportioned between you and your vendor (because they will want to have very little exposure). A skilled and experienced negotiator can ensure your contract meets your needs and protects you and your organization. Remember, even with the best risk assessment capabilities in the world, if you can't negotiate a good agreement, you're going to be in exactly the same floundering boat that someone with no risk assessment capabilities is in...except that you know just how bad your situation is, while they're often blissfully unaware.