Vendors May Be The Weak Link In Your Supply Chain

September 16, 2019 Business Insurance and Risk Management, The Beacon Blog

As a post from cybersecurity vendor Halock puts it, “Your enterprise is only (as) secure as your weakest vendor” (posted 9/11/19). It’s not enough to have controls in place to secure your third-party data if a hacker can reach it through a vendor with inadequate controls.

According to a 2018 survey by the Ponemon Institute, 56% of organizations have had a breach caused by a vendor. In 2017, 20% of healthcare sector breaches were caused by third-party vendors, but the problem exists in all industries. Both the EU’s GDPR and New York’s new financial regulations address a company’s responsibility for ensuring that its suppliers’ and vendors’ networks are secure.

Target is a well-known example of a major company that was breached through a vendor with access to its network. Target recently entered into an agreement with CVS that requires CVS to use its own network.

Due diligence must extend to all levels of an organization’s suppliers and vendors. In 2016 Athens Orthopedic, a Georgia clinic, was hacked because its IT managed service provider used a cloud application vendor with unsecured VPN connections.

When selecting vendors, reviewing their cybersecurity must be part of the process. In addition to requiring proper safeguards, vendors should not be given more access to your systems than they need to do their work. Your contract should include indemnification and insurance requirements, and your own cyber insurance should cover the acts or omissions of a supplier or vendor.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.