Giving TPSPs The Third Degree

Cybers attacks that gain access through a vendor or supply chain partner have become increasingly common. The SolarWinds hack is the best known and likely the most successful, but there have been many others. One recent survey found 80 percent of respondent organizations had experienced a breach that came through what’s known generically as a Third-Party Service Provider (TPSP).

A post from law firm Wilson Elser looks at the problem of the TPSP breach and suggests measures to reduce the risk. Among them are periodic requests for detailed information, including who heads the provider’s cybersecurity program, what steps the provider takes to secure sensitive data, and its history of breach incidents and how it responded to them. The suggested list gets quite specific, to include questions regarding encryption or the lack of it, access controls and backups, training, and even includes a request for a copy of the vendor’s latest risk assessment.

The results of this inquiry should be the beginning of a discussion, not the end of a process, say the writers. Also recommended: the establishment of security-related contract provisions that make expectations clear to both parties, and the requirement for the vendor to have some minimum of cybersecurity insurance coverage.