Checklist: Pre-engagement due diligence when assessing third party cybersecurity risk

Businesses increasingly work with third parties in ways that can render otherwise well-guarded data vulnerable to attack or accidental disclosure. These third parties can include technology service providers; other major business function vendors, such as payroll, insurance, and benefits companies; and accounting and finance, advertising, delivery and lettershop, legal, and other consulting services.

Many of these commercial relationships require sensitive information, whether the business’ own confidential business information or the personal information of its employees or customers, to be shared with, or stored by, the third parties. Such relationships also may entail third-party access to a company’s networks. There is, in turn, an inherent risk in the third-party services: they can create new avenues of attack against a company’s data or its systems and networks, and those avenues require appropriate mitigation.

Pre-engagement due diligence
A critical element of managing third-party risk is the assessment of the third party’s own security practices and posture before any contract is signed. Such diligence is crucial for the identification and evaluation of risks, and, in turn, can ensure that such risks are mitigated before the engagement, including through the use of contractual provisions.

The actual evaluation may be more ad hoc (e.g., conversations with key business or technology stakeholders) or formal (e.g., through a questionnaire or even an on-site assessment), and the extent of an evaluation may depend on various factors in the prospective relationship, including, for example, whether the service provider will have access to the company’s IT systems, the nature of the information that it may access, and whether it will store such information.

Depending on the extent of the relationship and information that may be accessed by the vendor, the following areas of inquiry may be necessary to inform a cybersecurity diligence assessment:

  • whether and how often the vendor has experienced cybersecurity incidents in the past, the severity of those incidents, and the quality of the vendor’s response
  • whether the vendor maintains cybersecurity policies, such as whether the vendor has a written security policy or plan
  • organizational considerations, such as whether the vendor maintains sufficient and appropriately trained personnel to protect the data and/or service at issue and respond to incidents
  • human resources practices, particularly background screening employees, cybersecurity training, and the handling of terminations
  • access controls, particularly whether controls are in place that restrict access to information and uniquely identify users such that access attempts can be monitored and reviewed
  • encryption practices, including whether information is encrypted at rest, whether information transmitted to or from the vendor is properly encrypted, and whether cryptographic keys are properly managed
  • the country or countries in which any data will be stored
  • the vendor’s policies regarding the secondary use of customer data, and whether IT systems are created in such a way as to respect limitations on secondary use
  • physical security, including resilience and disaster recovery functions and the use of personnel and technology to prevent unauthorized physical access to facilities
  • back-up and recovery practices
  • change control management, including protocols on the installation and execution of software
  • system acquisition, development, and maintenance to manage risk from software development or the deployment of new software or hardware
  • risk management of the vendor’s own third-party vendors
  • incident response plans, including whether evidence of an incident is collected and retained so as to be presentable to a court and whether the vendor periodically tests its response capabilities
  • whether the vendor conducts regular, independent audits of its privacy and information security practices

This article was co-written by Covington & Burling LLP – David N. Fagan, Partner; Nigel L. Howard, Partner; Kurt Wimmer, Partner; Elizabeth H. Canter, Associate; and Patrick Redmon, Summer Associate