TAG Cyber Law Journal

November 2019
Two companies are working together to help businesses protect themselves from a danger that has been linked to many large data breaches.
Imran Jaswal
Kelly White
When companies consider their cybersecurity risks, they often spend hours looking in the mirror, and sometimes they forget to look out the window. Third-party risk doesn’t receive as much attention as it deserves. Some of the largest data breaches on record began when hackers penetrated the systems of vendors and moved from there into the systems of the vendors’ larger—and richer—customers.
Now there are vendors that want to help companies shore up this vulnerability. Imran Jaswal, a managing director at consultancy Duff & Phelps, runs a business that aims to help companies assess and reduce their third-party cybersecurity risks. It’s called CyberClarity360, and it grew out of work he began at a company that he co-founded (and that Duff & Phelps acquired in 2016). He was working with a Southern California tech company that was worried some of its vendors might transfer its intellectual property to China. “They wanted us to help see how we could improve the process of understanding what controls those particular vendors had in place to protect that sensitive information,” he explains. So they developed a process that helped measure and “optimize” the cyber risk management lifecycle.
Jaswal started his career as a commercial litigator in the United Kingdom, where he grew up. When he moved to the United States 13 years ago, he got involved in legal operations and worked with law departments on the business side of law. As he worked to improve his vendor assessments, he wasn’t satisfied merely to ask vendors questions and give them security questionnaires to fill out. He wanted external validation of his findings. And that’s where Kelly White came in.
White is the founder and CEO of RiskRecon Inc. Previously he’d been chief information security officer (CISO) at financial services companies. But he had an entrepreneurial itch, and a home basement in which to scratch. In his spare time, he spent four years working on the technology that would eventually become the foundation of his company. Now Jaswal uses RiskRecon to assess some of the same vendors that his own team evaluates, only RiskRecon works “from the outside in”—accessing publicly available information. Jaswal and White are convinced that when combined, the complementary approaches the two companies take strengthen the work of each.

CyberInsecurity News: In the cybersecurity landscape, how large is this area of vendor risk?
Kelly White: It’s immense. You look at a company, and on the surface, they’re very distinct. But when you dig down under the surface, there’s a vast interconnection of service providers that are the foundation on which they operate. In creating that ecosystem to fulfill the business services, there’s a shared root system of risk. Because the heart of making that ecosystem work is shared data: customer data, manufacturing data, IP data, legal information—so that those services can be fulfilled. And a vast amount are now fulfilled outside of organizations. It’s under the banner of outsourcing and digital transformation, which I’d say is the most powerful force in the economy over the past 20 years. Companies have focused so much of their risk management resources on what’s going on inside the walls of their own organizations, and very little on what’s going out on that digital supply chain. We’re just seeing the beginnings of that digital supply chain risk management that we so desperately need.
Imran Jaswal: If we talk about the numbers, to put some context around the risks, for the largest breaches that have occurred, we’re talking about hundreds of millions of dollars that organizations have been fined. The Marriott breach, which came through the Starwood guest database, led to a fine of around $125 million. If you look at some of the recent statistics from the Ponemon Institute, the average cost to remediate a third-party breach is $7.5 million. These are significant numbers for organizations to have to deal with. And every month there is a large household brand that gets reported as suffering a breach. In some surveys, around 60 percent are related to third parties. Some of the smaller vendors that these organizations are leveraging don’t have the same amount of resources as the Fortune 500 companies when it comes to implementing security controls. Hackers are in tune to the fact that it’s easier to attack a small vendor than it is to get into a larger corporation.

CIN: How long have you two been working together?
IJ: We’ve been working together for a few months now. What led us to RiskRecon was their risk-based approach to solving challenges similar to the ones we do. We had built a best-of-breed risk assessment platform that helps organizations collect information directly from the third parties. RiskRecon allows us to integrate their best-of-breed data collected from public sources. Together they give a more holistic picture of the cyber risk and posture of those third-party vendors.

CIN: Kelly, you’ve worked with lawyers before as the CISO at financial services companies. What were relations like in those days between your department and the in-house lawyers? It’s no secret that technologists and lawyers don’t always speak the same language.
KW: The short answer is that they’ve been good, and I’ve consistently seen constructive collaboration between information security technologists and legal practitioners. There are two reasons. We’re both in the business of managing risk. And in a lot of ways, though the language may be different, the objectives and the mindset are very similar. Our common points of integration that brought together information security and the legal profession over time are twofold. One is incident response and data privacy. Those can have legal implications. And also, for managing third-party cybersecurity risk, your ability to manage risk with your third party starts with the contractual language that you’re able to put in place that governs the relationship with your vendors. It gives you the ability to establish critical rules like minimum performance requirements, the right to audit, notification of data loss events and so forth. Across those two fronts—incident response and third-party risk management—legal and information security practitioners have a long-standing, constructive relationship.

CIN: Imran, when you’re working with companies, how involved are their in-house lawyers in the process?
IJ: If we look at organizations’ increasing concerns about third-party risk, given the number of breaches that tie back to third parties, what we are finding is that our client’s general counsel is really where the buck stops. The office of the general counsel is playing a quarterback role when an incident occurs. Given that background, in-house counsel not only need to be able to have a full understanding of where the data lies that’s potentially at risk, and the relationships with those third parties and the type of data that’s being shared with them, they also need to understand and evaluate the preparedness of those organizations, and how they will work together when a breach occurs. And the in-house counsel need to understand the business resiliency of those vendors—how quickly they will be able to detect the breach and be able to get their systems back up and running. Particularly if we think about ransomware attacks, which will necessitate their having in place a crisis management strategy and a public relations strategy—to be able to mitigate the reputational fallout.
Historically, in-house counsel have sometimes shied away from this particular area because of its technical nature. But increasingly they are becoming more accustomed to relying on cyber experts to assist them, similarly to how they have historically dealt with personal injury cases, where they rely on medical experts. And this includes working much more closely with their companies’ CISOs—to Kelly’s earlier point. But considering the new data privacy regulations that are coming into place, their ability to understand the legal obligations of the California Consumer Privacy Act [CCPA], which is coming into effect next year, makes them crucial. One of their core skills is asking the right questions. In the situation where a breach occurs, they do a great job when they ask the right questions, while leveraging the other experts to help them through that process.

CIN: Let’s take as an example a third party that CyberClarity360 has already looked at in great detail in a paper you published on outside counsel. Outside law firms are vendors that certainly have “risk” written in all caps, highlighted in yellow, with lots of exclamation points. Is this a particularly challenging area for your clients?
IJ: Most certainly. Many of our clients struggle with that. Questions about whether their outside counsel have adequate security are seen as overly intrusive, and perhaps questioning the trust between them. So what we’ve tried to help them do is shift that discussion to focus on how extra transparency will help improve that relationship and increase the trust, given the risks that are out there, and the targets that outside counsel have become to cyber hackers. And ultimately that will likely lead to more work.

CIN: Kelly, what are key sources of information that RiskRecon accesses when you’re assessing the cybersecurity of an outside law firm?
KW: For us, the best sources are the systems themselves that the organization operates on the internet. Each of these systems is really a micro instantiation of their security risk management system. It’s in that system where all of the work of the CISO, translated into security standards, or into policies that drive configuration requirements and vulnerability management and penetration testing, all come to bear. They’re manifest in the systems of the company. And we are taking a look at the ones they operate on the internet—and examining the security risk configuration of those systems. I’ll give you a couple of simple examples. A common security control is that sensitive data is encrypted in transit across untrusted networks. RiskRecon, by discovering and analyzing the internet-facing systems of companies, can tell which systems are collecting sensitive data, or transmitting it. And is that system encrypting the data, and doing so in a secure manner? Another common security requirement is that software vulnerabilities are properly managed to ensure that all software is up-to-date and free of known security issues. Well, through our passive analytics of the internet safety systems of companies, we can observe. What’s their software? What’s the version? Is it patched? Our best source of information for automatically verifying security control performance are the systems themselves. And we can correlate those measurements that we’re taking directly to things that CyberClarity360 is assessing.

CIN: How much of the job that your company does is automated?
KW: There’s a massive amount of automation that’s occurring, to find the systems that companies operate on the internet and then to continuously monitor the public information on those systems. I’d say 99 percent automation.

CIN: Imran, do you expect vendors to “’fess up” and tell you about breaches and even intrusions that were never reported and didn’t seem to do any damage or cause any loss of data? How much information do you expect them to provide?
IJ: We certainly do ask whether an organization knows of a breach they have suffered. In the context of the legal industry, and particularly law firms, there is sometimes an open question at this point whether some firms believe that they only need to report a breach if their clients’ data has been breached. I think that’s something that will likely be litigated at some point. In addition to some of the data that we receive from RiskRecon, we also monitor some of those breach notifications externally, and through some other outside data feeds, so that we can understand what breach credentials may be floating around in the dark web and are being traded by hackers.

CIN: Do you sometimes feel that you’re operating kind of like a regulator in dealing with some of these law firms, or is it more like an educator?
IJ: I would say that it’s more the latter. Many of our corporate clients who are looking to assess their third-party vendors don’t have the capacity and resources to help remediate or educate them. Many of the law firms that our corporate clients leverage are small, niche boutique firms that may not even have information security professionals on staff. And so they look to us to help fill some of that gap by providing guidance to those organizations to help them understand why certain things are important, what they should be doing, and specific steps they can take to self-help and self-remediate.

CIN: How do you measure cybersecurity and resilience? In a sense, you’re trying to help these clients figure out whether their vendors are secure and resilient. But how do you measure that?
KW: These things start with a security control framework. And the framework is intended to achieve specific outcomes: in this case, cybersecurity risk outcomes. It could be any number of frameworks, but they all are aimed at: What is the strength and resilience of that program? You could take a very common one, the NIST Cybersecurity Framework, and that has five domains: identify, protect, detect, respond, recover. And each of those has a set of activities and controls that they’re built on. The assessment, then, is intended to measure whether the organization being evaluated meets those requirements, and what’s the evidence? There’s a balance. Identify and protect are proactive controls to defend the organization from getting compromised in the first place. But then you have detect, respond and recover, which are really about, given that breaches will happen, how quickly can I discover that incident and recover?—meaning, minimize the impact of it through effective response and recovery techniques. I’ll defer to Imran on that.
IJ: The way we go about testing against NIST is asking questions about what organizations have done to implement controls. In terms of the recovery, we also attempt to validate the things that organizations tell us. Some of that may be based on information we receive from RiskRecon. Validation may include checking for inconsistent responses. It may also include us getting on a Webex or a remote conference call with them to understand more about the way that they’ve implemented some of the controls.
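As an added illustration (example code written for this edition, not RiskRecon’s or CyberClarity360’s own tooling), the outside-in checks White describes (is a system that collects sensitive data encrypting it, and doing so securely; is its software current) and the validation step Jaswal mentions (checking a vendor’s answers for inconsistency with other evidence) can be sketched as a small correlation script. It compares a vendor’s questionnaire answers against constructed observations of its internet-facing hosts, tags each finding with the NIST Cybersecurity Framework function it belongs to, and reports which self-attestations the evidence contradicts. The hostnames, observation fields, version table and questionnaire keys are all constructed for this example and do not describe any product’s data model.

```python
"""Correlate vendor self-attestation with outside-in observations.

Added example; not code from the article or the companies it describes.
All hosts, field names, versions and questionnaire keys are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed questionnaire answers: what the vendor told the assessor.
QUESTIONNAIRE = {
    "encrypts_sensitive_data_in_transit": True,
    "patches_within_30_days": True,
}

# Constructed outside-in observations of hypothetical internet-facing hosts.
# 'fix_age_days' = days since a fixed release of the observed software shipped.
OBSERVATIONS = [
    {"host": "portal.vendor.test", "collects_sensitive_data": True,
     "scheme": "https", "tls_min_version": "TLSv1.2",
     "software": "nginx", "version": "1.18.0", "fix_age_days": 10},
    {"host": "legacy.vendor.test", "collects_sensitive_data": True,
     "scheme": "http", "tls_min_version": None,
     "software": "Apache", "version": "2.4.29", "fix_age_days": 400},
    {"host": "www.vendor.test", "collects_sensitive_data": False,
     "scheme": "https", "tls_min_version": "TLSv1.0",
     "software": "nginx", "version": "1.20.1", "fix_age_days": 0},
]

# Constructed placeholder table of the latest fixed release per product.
LATEST_FIXED = {"nginx": "1.20.1", "Apache": "2.4.41"}

# Protocol versions that no longer count as "encrypting securely".
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass(frozen=True)
class Finding:
    host: str
    csf_function: str          # NIST CSF function: Identify/Protect/Detect/Respond/Recover
    severity: str              # "high" or "medium"
    contradicts: Optional[str] # questionnaire key this evidence contradicts, if any
    detail: str


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '2.4.29' into (2, 4, 29) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def check_transit_encryption(obs: dict, answers: dict) -> List[Finding]:
    """Control: sensitive data is encrypted in transit, and securely so."""
    findings = []
    claimed = answers.get("encrypts_sensitive_data_in_transit", False)
    if obs["collects_sensitive_data"] and obs["scheme"] != "https":
        # Plaintext collection of sensitive data directly contradicts the claim.
        findings.append(Finding(
            obs["host"], "Protect", "high",
            "encrypts_sensitive_data_in_transit" if claimed else None,
            "collects sensitive data over plaintext HTTP"))
    elif obs["scheme"] == "https" and obs["tls_min_version"] in WEAK_TLS:
        # Encrypted, but not securely: a weaker finding, not a contradiction.
        findings.append(Finding(
            obs["host"], "Protect", "medium", None,
            f"accepts deprecated {obs['tls_min_version']}"))
    return findings


def check_patch_level(obs: dict, answers: dict, sla_days: int = 30) -> List[Finding]:
    """Control: software is kept current and free of known fixed issues."""
    findings = []
    latest = LATEST_FIXED.get(obs["software"])
    if latest and version_tuple(obs["version"]) < version_tuple(latest):
        claimed = answers.get("patches_within_30_days", False)
        overdue = obs["fix_age_days"] > sla_days
        findings.append(Finding(
            obs["host"], "Protect", "high" if overdue else "medium",
            "patches_within_30_days" if (claimed and overdue) else None,
            f"{obs['software']} {obs['version']} behind fixed release {latest} "
            f"({obs['fix_age_days']} days since fix shipped)"))
    return findings


def assess(observations: List[dict], answers: dict):
    """Run every check over every host; return findings and contradicted claims."""
    findings: List[Finding] = []
    for obs in observations:
        findings += check_transit_encryption(obs, answers)
        findings += check_patch_level(obs, answers)
    contradicted = sorted({f.contradicts for f in findings if f.contradicts})
    return findings, contradicted


if __name__ == "__main__":
    results, contradicted = assess(OBSERVATIONS, QUESTIONNAIRE)
    for f in results:
        flag = f" (contradicts '{f.contradicts}')" if f.contradicts else ""
        print(f"[{f.severity}] {f.csf_function}: {f.host}: {f.detail}{flag}")
    print("Attestations to follow up on a call:", contradicted)
```

The point of the split between "contradicts" and plain findings is the one Jaswal makes: an inconsistent response is what earns the vendor a follow-up conversation, while a merely weak configuration is a remediation item. In practice the observation records would come from a discovery and monitoring pipeline rather than a constructed list, and the fixed-release table from a maintained vulnerability feed.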

CIN: How do you know when you’ve done a good job for your clients? And if there’s a huge data breach at the vendor of a company that hired you, does that make you feel regret, or do you second-guess your own performance?
IJ: That is a difficult question. I think one of the areas that is challenging in this domain is insider threats. A lot of what we’ve been talking about is technical internal controls that are implemented by an organization—firewalls or other types of technology that defends systems. But a large part of the risk is insider threats. We could have all of the locks, alarms and cameras on our house, but the people inside of the house that live there can be part of the problem—they are the ones that potentially are leaking the information and walking out the door with it. That’s a really challenging problem to have to solve. So as much as we do try to assess the level of controls that organizations have, how effective they are is a challenging topic. We’re always regretful if one of our clients suffers a breach through a third-party incident, but nonetheless, what we try to do is take a more macro view of the portfolio as a whole, and we can show clients how their vendors as a whole have improved or remediated risk by implementing more and more controls to reduce the risk. Elimination of the risk is always going to be very difficult, particularly in this area.
KW: Companies are going to get compromised, and they’re going to have breaches—even ones that are assessed as having good cybersecurity risk programs. It’s going to happen. But what we’re talking about is risk management, and a core to that is gathering evidence. And we’re looking for evidence of good practices and programs being in place. The reality is that there is a very strong correlation between companies that have poor security practices, based on our analytics, and higher rates of data losses and security compromises. And companies that have higher ratings have lower rates of those events. That’s not saying that companies that operate stellar programs aren’t going to have a loss. It happens. But the frequency and the scope of those events is smaller.

CIN: A company can be held liable for a breach that occurs in one of its vendors, but where does it stop? Suppose that a company hires Vendor A. And Vendor A uses Vendor B. If Vendor B is the source of the initial breach, is the original company potentially also on the hook? Where does it stop?
KW: The originating company is responsible for that, and it’s an increasing focus area, particularly of federal regulators, where they’re talking about fourth-party risk, or Nth-party risk. And we’re seeing incidents of that at an increasing rate. One of the interesting recent events was American Medical Collection Agency, a provider of medical debt collection, that was breached in early June and had the data of its customers compromised. In response to that breach, Senator [Mark] Warner [D-Virginia] actually sent out letters to several customers of the vendor, reminding them of their responsibility to secure their digital supply chain, and asking them specifically what they were doing to ensure that this wouldn’t happen again. That’s a specific example of being held accountable, not only for your own cybersecurity risk management, but for the cybersecurity of wherever your data is present. Those are themes that are embedded in the very heart of the General Data Protection Regulation and the CCPA, related to privacy. Regardless of where your data is, whether it’s security or privacy, it’s your data. You’re responsible for it. It was your choice to send it to Vendor A, which sent it on to Vendor B. You’re still responsible for it.
IJ: That’s right.