Third-party service providers are critical for startups’ growth. Independent developers, designers, marketing firms, and data analysts (among others) provide valuable services, but they also present difficult and unique privacy and cybersecurity challenges. Vendor management matters throughout the life of your relationship with a vendor: diligence starts during vendor selection, continues through contract negotiation, and ends only when the parties terminate their relationship. The goal is to improve the service your vendors provide to your company and let your customers realize the benefits of the arrangement, while mitigating the risk inherent in the vendor relationship. The following figures give a snapshot of the third-party vendor security challenge:
- 62% – The percentage of companies that evaluate the security risks of their third-party vendors. [1]
- 32% – The percentage of companies that require their partners and vendors to comply with their security practices. [2]
- 28% – The percentage of breaches attributable to a partner or vendor. [3]
What to consider when evaluating a vendor agreement:
- What data and information will you be sharing with your vendor?
- Does your vendor agreement require that the vendor use your data only to provide services to your company?
- Under what terms is your vendor required to keep your data confidential?
- Is your vendor required to comply with government requests to produce your data?
- Is your vendor required to keep your data logically segregated from other customers’ data?
- What are the laws and industry regulations that apply to your company with which your vendor will be required to comply?
- Under what terms is your vendor required to notify you if your vendor is breached?
- Is your vendor subject to your privacy, cybersecurity, and data retention policies?
- After the termination or expiration of the vendor agreement, under what terms is your vendor required to return your data?
- What right does your vendor have to withhold access to your data or terminate your service?
- What rights do you have to audit your vendor’s operational practices?
- Is your vendor required to self-audit?
- Have your vendor’s past audits exposed any vulnerabilities, or has your vendor been breached in the past year?
- Will your vendor be required to maintain certain levels of insurance during the term of the vendor agreement?
1. PricewaterhouseCoopers, US cybersecurity: Progress stalled. Key findings from the 2015 US State of Cybercrime Survey (July 2015), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2015-us-cybercrime-survey.pdf.
2. PricewaterhouseCoopers, PwC Viewpoint on Third Party Risk Management (November 2013), https://www.pwc.com/us/en/risk-assurance-services/assets/pwc-viewpoint-vendor-risk-management.pdf.