Technology & Third Party Service Providers

October 2, 2020 | Business

Many small- to medium-sized businesses use technology service providers to manage their technological needs. This may include, but is not limited to:

  • Internet service providers
  • Application service providers
  • Cloud developers and providers
  • Software development, integration, and maintenance services

In addition to outsourcing technological needs, it is common for small- to medium-sized businesses to outsource their business processes, and this is a significant exposure. In fact, over a third of small businesses outsource a portion of their business needs, the most common being accounting, IT services, and digital marketing responsibilities. Tasks such as travel, training, human resources, payroll, and accounts payable and receivable are frequently outsourced and pose significant risk because of the personal information that is passed to the providers.

If the third-party service provider suffers an attack or outage that affects the policyholder, will the service provider indemnify the business owner? Often they do not, and the expenses fall to the business owner.

If a cybercriminal infiltrates the third-party service provider's systems, the intrusion can grow into a large-scale attack, because the provider's systems give access to many businesses' data. Large-scale attacks of this kind have occurred; in one example, many offices lost data as a result.

Business owners should review their contracts with providers to see who bears liability. Additionally, businesses that outsource any of their business needs may want to consider creating a vendor security due diligence checklist. This checklist helps business owners understand how sensitive the information being handled on their behalf is, and is a quick way to learn how service providers manage the security of their systems. Information business owners should consider asking for in this checklist includes, but is not limited to:

  • Vendor contact information
  • Types of services being provided
  • Mission-criticality of the services being provided (human health/safety, revenue generating, etc.)
  • Sensitivity of information being handled or processed (private health information, personally identifiable information, payment cardholder information, etc.)
  • Information security management capabilities (confirm whether the vendor has someone in a role responsible for information security practices, such as a Chief Information Security Officer)
  • Regulatory/compliance activities and certifications (how often are vulnerability scans or penetration tests run against the vendor's network, and does the vendor maintain any certifications or compliance requirements?)
  • Protection/segregation of client-supplied data strategy (use this to determine what data collection and system security measures are in place)
  • Application development security practices (use this to determine what application development security practices are in place)
  • Service availability and disaster recovery capabilities (identify the vendor's business continuity and disaster recovery plans)
  • Incident response and privacy capabilities (determine the type of incident response plan and privacy capabilities the vendor has in place)

When selecting cyber coverage for your policyholders, it is important to review the terms of the cyber policy to ensure your policyholder is protected if they sustain a loss due to an attack on their service provider. In addition, ensure your policyholders are equipped to understand the sensitivity of the data being handled by their service providers, as well as those providers' level of security and response capabilities.