Regulation & Compliance

Regulators Continue to Emphasize Third Party Cyber Risk Management

Jake Olcott | July 15, 2015

In recent months, we’ve seen a variety of regulators from Finance to Defense cite the importance of third party cyber risk management. You can now add the Federal Trade Commission to the list.

The FTC is the lead US government agency when it comes to enforcing consumer privacy laws. In recent years, the FTC has settled a number of privacy cases where companies have failed to adequately secure their networks, resulting in the loss or compromise of sensitive personal data.

To encourage organizations to be more proactive when it comes to cybersecurity, the FTC recently created a "Start With Security" campaign to educate businesses about essential practices that they should put in place to reduce the likelihood of a data security incident. The FTC also issued a "Top 10" guidance document for companies based on their 50+ law enforcement actions announced over the years.

Any organization possessing consumer data should immediately review the FTC's guidance, as it is both a list of best practices that will help make an organization more secure, but also a roadmap for future FTC litigation. In reviewing the FTC guidance, we noticed a number of third party and vendor risk management issues that the FTC emphasizes. Organizations should closely examine their third party programs to ensure that they are aligned with the FTC’s best practices.

The FTC recommends organizations take the following steps to manage third party risks:

  • The FTC recommends that before hiring service providers and outsourcing work, companies should implement security measures and monitor them to make sure their partners are meeting requirements. These security measures and expectations should be put in contracts before the two parties start working together. The FTC cites the Upromise case as an example of validating third party vendor security measures.
  • The FTC recommends placing restrictions on third party access to your organization’s network. In its case against Dave & Buster’s, the FTC alleged that the company failed to restrict third party access to its network after an intruder accessed personal information by exploiting a third party vulnerability. In this scenario, the FTC suggests that Dave & Buster’s could have placed limits on third-party access and blacklisted specific IP addresses from gaining access.

Regulators like the FTC have been increasingly focused on third party cyber risk issues for their regulated entities. Knowing the evolving legal requirements for third-party cyber risk management is crucial to developing a comprehensive cybersecurity program.

Read the white paper: Understanding Cybersecurity & Compliance Risk In A Complex Regulatory Worldunderstanding cybersecurity and compliance risk in a complex regulatory world

Suggested Posts

GDPR Shows Its Teeth, Goes After Breached Companies

In 2018, the European Union (EU) General Data Protection Regulation (GDPR) heralded in the most important change in data privacy regulation in 20 years.

Far reaching in its applicability, GDPR extends well beyond Europe and affects any...


NERC CIP-013-1: Effective Date, Preparation Strategies, & Impact

The North American Electric Reliability Corporation (NERC) has developed a new set of cybersecurity standards designed to help power and utility (P&U) companies limit their exposure to third-party cyber risks and preserve the reliability...


Is Your Risk Management Program Ready for the New European Banking Authority’s Guidelines?

In June 2018, the European Banking Authority (EBA) put forth guidelines on outsourcing arrangements that highlighted the importance of risk management within financial organizations. The notice of these guidelines was announced in June...


Subscribe to get security news and updates in your inbox.