Next year, Europe will do the same, with its General Data Protection Regulation (GDPR), which applies to all companies that collect personal information from Europeans. GDPR fines are steep — up to 4 percent of total global revenues.
Third-party risk regulations are still in their early stages, and many companies don't have a good handle on these risks, says Peter Galvin, VP of strategy and marketing at Thales e-Security. "Financial firms are used to these, and are much more prepared," he added. "But many companies don't understand the risks, and you're going to see an increase in breaches, and you're going to see more legal action."
Experts expect that more regulators will start requiring companies to do more about third-party risk than they do today. "It's been a continued trend that we've seen," says Eric Dieterich, data privacy practice leader at Focal Point Data Risk, LLC.
Risks hiding in the hardware and software supply chain
Almost every company uses outside software and hardware. Nobody builds all their technology from scratch anymore. Each purchased device and each downloaded application needs to be vetted, monitored for potential security risks, and kept up to date with patches.
Not only is a company's own data at risk, but if the flawed software or hardware component is embedded into a product it may cause more security problems down the line. A computer chip infected with a security backdoor, a camera without strong authentication or a bad software component can do widespread damage. The Heartbleed bug, for example, affected millions of websites and mobile devices as well as software by many major vendors including Oracle, VMware and Cisco.
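The vetting the two paragraphs above describe starts with knowing which components a company runs and which products embed them, then checking every one against published advisories. The following is an added example, not code from the article or from any vendor it quotes: a small Python inventory check that walks products and the components bundled inside them, compares each version against an advisory's affected range, and reports the path to every vulnerable copy. The component names, versions and the advisory are constructed (the advisory's version range is modelled loosely on the Heartbleed case the article mentions, not copied from any real database).

```python
import re
from dataclasses import dataclass, field

# A version piece is digits optionally followed by letters, e.g. "1", "0", "1f".
_PART = re.compile(r"(\d*)([A-Za-z]*)")


def version_key(version: str) -> tuple:
    """Turn '1.0.1f' into ((1,''), (0,''), (1,'f')) so versions compare in order.

    Handles dotted numeric versions with an optional letter suffix per piece;
    anything else (e.g. 'rc1') raises so a bad inventory entry is not silently
    treated as safe.
    """
    key = []
    for piece in version.split("."):
        m = _PART.fullmatch(piece)
        if m is None or piece == "":
            raise ValueError(f"unparseable version piece: {piece!r}")
        num, suffix = m.groups()
        key.append((int(num) if num else 0, suffix.lower()))
    return tuple(key)


@dataclass
class Component:
    name: str
    version: str
    # Components this one bundles, e.g. a TLS library inside camera firmware.
    embeds: list = field(default_factory=list)


@dataclass
class Advisory:
    component: str
    first_affected: str   # inclusive
    fixed_in: str         # exclusive: this version and later are patched
    note: str


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the component name matches and its version is in the range."""
    if component.name != advisory.component:
        return False
    v = version_key(component.version)
    return version_key(advisory.first_affected) <= v < version_key(advisory.fixed_in)


def audit(inventory: list, advisories: list) -> list:
    """Walk every product and everything it embeds.

    Returns a list of (path, advisory) pairs, where path shows how the flawed
    component got into the estate, e.g. 'ip-camera-firmware 3.2.0 > tls-lib 1.0.1e'.
    """
    findings = []

    def walk(component, path):
        here = path + [f"{component.name} {component.version}"]
        for adv in advisories:
            if is_affected(component, adv):
                findings.append((" > ".join(here), adv))
        for child in component.embeds:
            walk(child, here)

    for item in inventory:
        walk(item, [])
    return findings


# Constructed sample data (hypothetical names and versions, not from the article).
ADVISORIES = [
    Advisory("tls-lib", "1.0.1", "1.0.1g",
             "memory disclosure in heartbeat handling (constructed placeholder advisory)"),
]

INVENTORY = [
    Component("ip-camera-firmware", "3.2.0", embeds=[Component("tls-lib", "1.0.1e")]),
    Component("vpn-appliance", "7.1", embeds=[Component("tls-lib", "1.0.1g")]),
    Component("tls-lib", "1.0.1f"),
]


if __name__ == "__main__":
    for path, adv in audit(INVENTORY, ADVISORIES):
        print(f"VULNERABLE: {path}: {adv.note}; fixed in {adv.component} {adv.fixed_in}")
```

Two findings come back for the sample data: the library bundled in the camera firmware and the standalone copy. The VPN appliance, which ships the fixed release, is not reported. The recursive walk is the point of the example: a patched standalone library does not help if an older copy is still compiled into a product bought from someone else, which is exactly the embedded-component risk the article describes.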
"We worry about manipulation, we worry about espionage, both nation state and industrial level, and we worry about disruption," says Edna Conway, chief security officer for the global value chain at Cisco Systems, Inc. For example, hardware or software products may have been deliberately tampered with somewhere up the supply chain or replaced with counterfeits.
Cisco is also worried about losing confidential information or sensitive intellectual property (IP) due to a third-party breach, Conway says. "We are committed to delivering solutions that operate in the way that they are intended to operate," she says. "If your customers are not satisfied, if your reputation is damaged, it impacts the bottom line. That trust element is absolutely essential, and reputation is the business venue where trust manifests itself."
Many companies have quality standards in place that suppliers must meet. Cisco is using the same approach for security. "The method I've been deploying allows us to establish tolerance levels to the members of the third-party ecosystem's adherence to our values and goals, customized for the unique nature of products and service that the third party provides to us," says Conway. "Once you have tolerance levels, you can start measuring if you are at, above or below tolerance levels. If they're out of tolerance, we sit down together, and say, 'How can we work together to address that?'"