When cybersecurity incidents result from your third- or fourth-party providers, who ends up taking liability?
SVP in Finance (non-banking), 2 years ago
Where the liability ends up when you're dealing with third-party providers is a tough question that comes up a lot. The contracts can be written in a particular way to dictate that, but there's clearly a control gap in this situation. So how do you identify these risks that you have in a practical, operational way? SolarWinds and Kaseya are both examples of the same issue; it's just in a different context. In both cases you have these third-party products that you're using, which are potentially using fourth parties or some number of internal contractors and developers, and you don't have control over that.
I'm not very knowledgeable about how those third-party assessment programs work. There are a lot of challenges with third parties because, how do you trust but verify what a third party says to you about the security of their environment and the processes that they use? They can tell you that they patch, monitor and respond, but there's a point where you can't verify that without being onsite, or on their network.