With the increasing use of teleworking as a result of the health crisis, the security of information systems, which was already a major issue, has become more than ever a question of strategy and even a vital matter for businesses. While most players have boosted the implementation of internal technical measures and their investments therein, it is also important to consider the risk arising from the ecosystem in which a business operates.
The risk in connection with third-party service providers
The Agence nationale de la sécurité des systèmes d’information (ANSSI) [French National Cybersecurity Agency] states that “the partner [must] by default be considered unsafe”. In the second edition of its guidebook L’essentiel de la sécurité numérique pour les dirigeantes et les dirigeants, [The basics of digital security for managers], the Conseil de l’Économie et de l’Information du Digital (CEIDIG) [French digital economy and information council] warns of the risk of a “stray bullet”:
“The ever-increasing interconnection between businesses, partners and service providers poses a serious domino effect problem in the event of one of them being compromised. It is possible for a business not to be targeted directly but still be affected through one of its partners victim of an attack, and thereby for its systems to be infected.”
A few figures to illustrate this issue in concrete terms:
- 60% of security breaches directly or indirectly involve a third-party supplier (“Threats and Major data breaches: Securing Third-Party Vendors ” in SSRN Electronic Journal).
- 58% of cyber-attacks are opportunistic (Benchmark CERT Wavestone September 2019 August 2020), that is to say, cyber attackers will exploit a vulnerability wherever they find one without necessarily aiming for a particular target.
- Since SMEs are generally less well protected, they may be targeted by cyber-attacks and constitute critical entry points: 43% of cyber-attacks target small businesses (Kaspersky survey, April 2020).
- More importantly, 60% of attacks are due to “human errors” (Accenture, “State of security report 2020”); As Alice Cherif, then the head of the cyber criminality department of the Public Prosecution Services in Paris, already emphasised in February 2020, “irrespective of the cyber security tools that you may implement, at the root of all these incidents, you will always find human error. There will always be somebody who clicks on the link or attachment when they ought not to, and then it’s already too late, the damage is done…”. The training and commitment of employees is therefore absolutely essential to tackle cyber threats.
Moreover, it should be remembered that more than just a matter of protecting businesses, security is also a regulatory requirement. Article 32 of the GDPR provides an obligation of security and French Data Protection Authority [Commission Nationale pour l’Informatique et les Libertés (CNIL)] has made cyber security one of its priority areas of control for 2021. The risk of incurring a sanction from the CNIL is therefore a further potential consequence of failure to implement the necessary security measures.
What is the solution?
The combination of these various factors means that “in order to avoid becoming a collateral victim, it is essential to focus on the security of the businesses in one’s ecosystem and demand guarantees as to their level of security.” (CEIDIG). Consequently, implementing an effective cyber security strategy necessarily includes measures relating to suppliers, service providers and partners.
In this respect, while cyber risk may be mitigated by internal technical measures, a contract is the only means by which it is possible to impose on a third-party service provider the implementation of technical and organisational measures. A global approach must be taken: technical guarantees must be required but it is also necessary to obtain commitments relating in particular to staff training to limit the risk of human error.
A “cyber security” dimension must therefore feature in all legal instruments. It is also essential to conduct inspections to verify that partners are complying with the contracts and with regulations.
With such approach it is possible not only to protect a business’s IT systems by increased vigilance exercised by the service provider and compliance with respect to sensitive aspects, but also to satisfy one’s statutory obligations in security matters and enable the establishment of the liability of third-party partners in case of failure on their part.
What action should be taken?
For an effective contractual strategy for the management of cyber risk, it is possible to identify three stages:
- Identification of the relevant third-party service providers: knowledge of the ecosystem is an essential preliminary step in defining the risk for each actor and applying any contemplated solutions in a standardised manner, or, if necessary, adapting them to the specific circumstances of service providers.
- Assessment of maturity level: utilisation of a security questionnaire enabling a detailed analysis of the characteristics of each services provider and hence a cyber security clause drafted with precision.
- Drafting the cyber security clause: clear commitments from the contracting party enabling its liability to be established with greater ease in the event of an incident. The clause should, in particular, include:
- undertakings relating to providing regular training to staff on IT system security;
- a list of technical requirements and an undertaking to maintain a precise level of security (e.g. compliance with standards, application of identified practices etc.); and
- incident management and notification rules (timeframes, cooperation).
For a more general approach to good practice in matters of security, please see our article entitled “A few measures not to be skipped in matters of personal data security!“ (in French).
AGIL’IT’s “IT Cyber Criminality & Data Protection” Department is available to assist you in preventing cyber risk, compliance with applicable regulations and recommendations for the prevention of malicious cyber activity as well as for the management of your cyber crises.
Sylvie JONAS, Partner