
Occasionally in the middle of a conversation a strange “association” pops into my head. This is one of those cases.
During a business breakfast with a lawyer (litigator) client of Pivot Point Security, we were discussing a very interesting lawsuit that he is working on. His client provides a Software-as-a-Service (SaaS) solution that was leveraging a third-party cloud service provider for storage. As you are likely already guessing, during a SAN upgrade something went terribly wrong and all of their client data was lost – and the offsite backups they believed were part of their contracted service… weren’t. It’s not yet clear (as they are still in discovery) whether the backups were contracted to happen and didn’t happen, or were contracted and just didn’t work. It is clear that the data is gone, along with the bulk of their customers and likely the business.
So right away I’m thinking “horse meat.” Why?
Because last night I watched Ikea dragged through the “horse meat scandal” mud over their meatballs containing horse meat. Burger King recalled over 10 million hamburgers, and meat producers have reported that sales have fallen 43% since the scandal broke. While Ikea and Burger King were in one sense the “victims,” in that their provider misrepresented what was in the meat they bought, ultimately they will each pay a steep price for their suppliers’ transgressions.
Is this fair? Unfortunately, whether it is fair or not doesn’t matter. What could/should they have done? Implement better vendor risk management practices. Just as with information security, they need to understand risks relating to their providers (e.g., contamination with bacteria, drugs, foreign materials), communicate the controls they require to prevent these risks from being realized, and put some form of monitoring in place to ensure that their requirements are being met and service level agreements kept. Trust – but verify.
Going back to our lawyer client: arguably the SaaS provider is also a victim. They did “nothing wrong,” yet it looks like overnight they have likely lost what was once a thriving business. Sure, they are suing the cloud service provider for millions. But winning that is a long shot (as is collecting), since the cloud service provider may well end up out of business also. So unless there is a deep-pocketed cyber insurance provider (who wasn’t smart enough to include negligence provisions) in the mix, all is likely lost anyway. Further, several of the SaaS provider’s clients have also filed suit, so the only ones likely to benefit from this are the lawyers.
So much like Ikea and horse meat, the heart of the problem is a lack of vendor risk management. What did the contract say? What due diligence was performed? What ongoing monitoring was done? What residual risk was covered by a cyber insurance policy? Not enough. None. None. None.
Horse meat and cloud security are not just supply chain risks — they are very real business risks. If you’re not sure where to turn to manage information-security-related vendor risks, the Shared Assessments program has some very good guidance, including a new Vendor Risk Management Program Maturity Modeling tool. Highly information-security-literate attorneys are also a real asset. Finally, an insurance broker who can help you select the right cyber liability insurance policy is well worth having.
Need help looking at it all holistically? Turn to Pivot Point to simplify the process.
About the Author:
John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.