October 2017: The ripple effects of the Equifax breach are spreading far and oh so wide, all the way to possibly impacting the companies that your organization can do business with.
Due to increased cybersecurity concerns, enterprises are poised to require their vendors and partners meet the same cybersecurity requirements that they must meet themselves — they don’t want to risk their brands by working with risky companies. Here’s what you’ll likely see on the RFP front moving forward:
Cybersecurity requirements as part of RFPs
For years, it’s been a common practice for many large companies to require potential vendors and partners to complete cybersecurity questionnaires as part of third-party risk management via the RFP process. If potential vendors or partners can’t meet the RFP’s requirements, then they’re not in the running for the contract. If you recall the Target breach that resulted from an HVAC contractor falling for a phishing scheme, then it’s easy to understand why not.
Since the Equifax breach — and the stream of additional breaches since, including breaches of Deloitte, Sonic and Whole Foods — relying on an RFP questionnaire without any proof to back it up seems almost naive. Now the bar to meet is the audit level.
New trend: providing proof
If we can’t trust a company whose core business revolves around storing personal information securely, who can we trust? Because of Equifax, more potential vendors and partners will now need to prove they’re managing risk by providing audit-level documentation as part of an RFP. You may even be asked whether you are willing to undergo penetration tests.
The goal is to identify and resolve the weak links in the cybersecurity chain wherever they may be.
The majority of all breaches can be traced to third-party vendors, which is why regulated companies are pushing their regulatory requirements down the entire supply chain. No matter which link breaks, the enterprise will be held responsible. So, when companies adopt strong standards to protect themselves from external and internal threats, they not only protect themselves but also position themselves to be more competitive. See How a Cybersecurity Risk Assessment Can Help You Win New Business for details on how your organization can get up to speed if it’s not already.
Secure by design
Additional ripple effects from the Equifax breach will likely include new government standards for credit bureaus and an examination of how standards are used across businesses and industries in general — risk management can no longer be an afterthought. It needs to be built in. During his testimony at the congressional hearings, the former Equifax CEO admitted that the stolen data had been stored unencrypted and that Equifax had only been performing security reviews quarterly. Clearly, Equifax had not built in some of the most basic risk management policies that today’s RFPs require.
Leapfrog works with clients to help them identify what is an acceptable risk and what is not, and update their IT ecosystems accordingly. No company wants to be hacked, breached, or the victim of ransomware — or to be shut out from lucrative contracts because their policies and procedures aren’t up to par. For organizations that have not recently reviewed their IT security perspective, this is a good time to conduct a new risk assessment, look at your IT policies and procedures, and update your IT roadmap to ensure it aligns with your business goals. Equifax reminds us that it’s also a good time to review our business continuity plans! Please let us know if we can help.