The Critical New CSR Challenge: Third-Party Cybersecurity Risk
The specter of cybersecurity-related incidents in the supply chain has risen from a marginal concern to a top issue for many companies. BCI’s most recent Supply Chain Resilience Report listed cyber attacks and data breaches as the second leading cause of supply chain disruptions, outdone only by unplanned IT or telecommunications outages. This year’s EcoVadis Global CSR Risk and Performance Index shows that the only global average CSR theme score that improved in 2017 was Business Ethics, which includes responsible information management among its criteria. This was due in part to some major cyber-incidents as well as GDPR preparation. This attention reflects a larger shift in the way companies must think about their supply chains: the numerous third-party software solutions that are shared across the value chain constitute a digital ecosystem. This ecosystem requires the same attention to risks as do environmental and sociopolitical ecosystems.
Third-Party Cybersecurity Vulnerabilities on the Rise
When companies use third-party software vendors, they take on the cybersecurity risk and vulnerabilities associated with each vendor, expanding their overall risk profile and raising their chances of suffering a data breach. With companies depending on third-party vendors for a wide range of functions — everything from HR operations to air conditioning, payment processing to communications — third-party cybersecurity risk touches every part of an organization and can only grow as an organization expands.
A 2017 Ponemon survey found that the majority of the reported data breaches occurred via third-party vendors, cutting across industries and verticals. Delta Air Lines could be the target of a class-action lawsuit after the company’s third-party chat software was exploited to obtain an unknown amount of customer information. TCM Bank, which issues credit cards, said many of its customer accounts were hacked via a third-party vendor site, resulting in the theft of the personal information (such as names, social security numbers and addresses) of about 10,000 people. Healthcare providers, which handle some of the most personal, intimate data about individuals, are at particular risk; the theft of about 800,000 records has been linked to third-party vendors or associates.
A Growing Regulatory Response
Accompanying this growing third-party cybersecurity risk is an increase in regulations affecting the processing of personal data, most of which hold companies equally responsible for data breaches whether they occur through the company itself or a third-party vendor.
GDPR, Europe’s answer to managing and protecting individuals’ information at an enterprise level, is only the tip of the iceberg. In the U.S., states are beginning to roll out their own protections that require compliance. New York’s Department of Financial Services has included, as part of its mandate, that financial services providers are responsible for performing their due diligence in regard to third parties (section 500.11). More recently, the California Consumer Privacy Act of 2018 brings strict new regulations to the processing of personal data by organizations and third-party vendors alike.
Managing Risk in the Digital Ecosystem
If CSR is intended to address the ways in which a corporation impacts people and the environment, then it is increasingly crucial to include cybersecurity under the umbrella of CSR. The handling of personal data is an act of growing social importance, as we increasingly place our finances, health, and personal communications into the hands of digital processors.
As Scott Shackelford of Indiana University put it, “by protecting privacy, free expression and the exchange of information, cybersecurity helps support people’s human rights, both online and offline.” Going beyond the bottom line, and beyond compliance, cybersecurity is an ethical issue affecting corporations as they expand their digital ecosystems. They must rise to face the challenges, risks, and moral imperatives that this entails.
By Greg Bouchard, Marketing Manager, CyberVadis
CyberVadis is a new sister company within the EcoVadis family. CyberVadis is the first scalable solution for covering the full third-party cybersecurity risk assessment process. Learn more at www.cybervadis.com
This text first appeared in Global CSR Risk and Performance Index 2018.