Best Practices To Vet a Vendor’s Cybersecurity Practices

How can asset owners, plan sponsors and plan advisers scope out the bona fides of cybersecurity vendors, whose expertise is key to protecting networks and other digital assets from breaches?

A panel at the “Vetting Providers’ Cybersecurity Processes” session of PLANADVISER’s livestream on October 12 offered tips to allocators, investment managers and others who want to protect themselves from the legions of hackers. It was moderated by Glenn Davis, deputy director of the Council of Institutional Investors.

One vital tool, according to the panelists: audits of third-party providers done under the auspices of the Service Organization Control Type 2 (known as SOC 2) compliance framework, established by the American Institute of Certified Public Accountants, designed to ensure the security of client data handled by third-party service providers.

The framework specifies how organizations should manage customer data. Further, speakers discussed the use of the SOC 2 Type 2 report, which outlines a company’s internal controls and details how well it safeguards customer data, specifically for cloud service providers. Specifically, a third-party audit can show if security protocols are safe and effective.

“This drives confidence and removes speculation” in the screening procedures of providers, advised Jon Atchison, senior lead of governance, risk and compliance at investment adviser firm CAPTRUST, .

As an example of what can go wrong, Atchison, one of the speakers on the livestream, pointed to one of the most recent large cybersecurity failures: the breach of MOVEit file transfer software, which affected sensitive personal data from governments and businesses and involved 3.4 million people. “MOVEit wasn’t the first and won’t be the last,” he said.

One task for providers is to guard against threats from employees and other insiders, said panelist Allison Itami, a principal in the Groom Law Group, whose ERISA practice focuses on data privacy and data security. These in-house folks can pose a risk of theft or fraud, she added. “As long as humans are involved,” cyber vulnerabilities will be around, Itami warned, and a lot is at stake. “If you lose money or have a data breach, trust is eroded.”

What’s vexing is that there is no absolute shield against cyber mischief. “No one can be 100% safe,” said panelist Mario Paez, national cyber risk leader at Marsh McLennan Agency, which sells insurance to organizations to protect against breach liabilities.

Some think that other business insurance, not tailored to digital crime, will be sufficient—and they are wrong, Paez said. Certainly, specialized cybersecurity policies are complex, “and the devil is in the details,” he admonished. For that reason, Paez continued, it pays to get a cybersecurity-savvy insurance broker to advise on what is best for a company’s particular needs.

Insurance must cover a range of necessities that can be created by a breach, he said, including extortion coverage in the case of a ransomware attack; business losses; the costs of notification to people affected by a breach; and forensic probes of how and why an incident occurred.