ARTICLES

From Third-Party Risks to Third-Party Partners

Bert Kaminski is an in-house lawyer who spends a good deal of his time as a director at Google Cloud. Previously he worked for a trio of tech companies, including 16 years at Oracle. So he’s learned a few things about acquiring technology. And he had some interesting things to say.

There’s a “misconception,” he said, “that a company that is buying technology can impose all of its perceived security requirements on the seller.” In other words, you can buy it and ask the seller of a standard product to re-engineer it to meet your specialized needs. “But if you have to do that,” Kaminski said, “you're buying the wrong product.”

His analysis applied equally to purchasing software or migrating to the cloud, he said. “You have to be happy with the products as they are. If you have to bring a vendor or service provider kicking and screaming to agree to all these one-offs, you are actually increasing your risk profile. It's probably introducing more complexity into your IT environment, which can present operational risks and new attack vectors.”

We spoke for nearly an hour as Kaminski prepared for a discussion on mitigating third-party risk. He will be one of four panelist on a free University of San Diego webinar that will air January 28 at 11:00 a.m. Pacific time (2:00 p.m. Eastern). Our conversation jumped from vetting software to training employees to scoping out the suppliers of your suppliers. All of it touched on some form of risk. It was leavened by Kaminski’s down-to-earth observations and practical advice.

For example, we discussed the various ways employees can—intentionally or not—create cybersecurity risks. This is an area where in-house lawyers can play an important role, he said. They have expertise in data protection, privacy, and confidentiality. They can help provide training that reflects “the latest thinking of what regulators are looking for,” he noted.

Then he added a word of caution. “I will say that lawyers should not be the only ones providing the training. Because if they speak legalese, business people will tune them out.” Why? “They’ll think the training is just a make-work, check-the-box exercise,” he said. “So you want to be sure you’ve got business buy-in and sponsorship.” The employees need to know “that their management is part of this.” Lawyers can assist by lending authority, but the training will be more effective if comes from the business—like someone from HR.

We turned to supply chain risk, which can be tricky. Especially the part that always struck me as a house of mirrors. Companies can be responsible for (read: liable for) breaches that occur due to the vulnerabilities of their vendors. But what if the weak link is not the vendor your company has a relationship with, but one that your supplier does? In other words, the vendor of your vendor. Are companies supposed to conduct due diligence on all of their vendors, and then all of their vendors’ vendors?

It’s impossible to examine them all, Kaminski acknowledged. The best that a company can generally do is work closely with their direct suppliers and “hold them accountable.” But in some instances, he noted, it may be appropriate and even legally required for your suppliers to provide more detail. The EU’s General Data Protection Regulation, for example, requires any third parties you hire that process your data to inform you of any subprocessors involved. Beyond that, a company can insist that its suppliers describe and attest to their own security, and their due diligence in choosing and vetting their vendors. And a company can include terms in their supplier agreements that address breaches and other liabilities. But there’s no practical way to get a lot more granular than that, he said.

The big subject I wanted to ask about was not SolarWinds, which we talked about briefly. It was how companies migrate to the cloud. How they vet and choose a vendor. How they work through the transition. How they manage security afterwards.

Before selecting a cloud provider, Kaminski recommended asking for lots of documents. To be sure you’re looking at a reputable provider, you want to see third-party attestations of security. If your own company works in health care, does the cloud service align with best practices in the field—the HIPAA Security Ruleand the HITECH Act? “There are third-party reports and attestations for all of this,” he said. “And then you can send them supplemental questions.” Ask about their vulnerability testing, background checks on employees, encryption policies and procedures.

The big picture was that migrating to the cloud is not like going to Best Buy and picking out software, or even a larger purchase like a computer. It’s not a matter of paying, taking it home, and you’re done. “It’s not static,” he said. “It’s evolving.” The threat landscape evolves. The company’s needs evolve. All of a sudden everyone is working from home. You may need to have your system reconfigured to reflect these changes.

“This is not the old days, where somebody sends you a stack of CD-ROMs, and you've licensed the software, and the relationship is pretty much arm's length or over,” Kaminski continued. “Cloud isn’t just a transaction,” he emphasized. Cloud “is a collaborative, long-term relationship. And it’s one that expands.”

After so much talk about third-party risks, it was a pleasure to linger on third-party partners.