Critical Steps in Managing Vendor Security RiskSecurity Expert at Cyber Insurer Describes Critical Considerations
In light of recent ransomware and other cyberattacks against vendors serving numerous healthcare organizations, it's critical to develop and deploy comprehensive vendor risk management programs, says John Farley managing director of the cyber practice at Arthur J. Gallagher & Co., a provider of cyber insurance and risk management consulting.
"It's very common that it's the vendor that gets hacked, and therefore you're going down. You're not the direct target of the cyberattack; it's your vendor," Farley says in an interview with Information Security Media Group.
Hackers are targeting vendors as a potential gateway to penetrating the networks of thousands of clients, he notes. "So with one attack, they can get millions upon millions of records."
In implementing a strong third-party security risk management program, "you're asking your vendors the same questions you ask of yourself in terms of data controls, data security - and requiring that in a contract," he says.
Those practices and controls range from penetration testing to incident response planning and having cyber insurance, he notes.
In the interview (see audio link below photo), Farley also discusses:
- Other suggestions for managing cyber risk;
- Cybersecurity trends for the year ahead;
- Cyber insurance issues involving nation-state cyberattacks.
Farley, who has more than 20 years in risk management, leads Arthur J. Gallagher & Co.'s cyber practice. In this role, he assists clients across all industries in navigating the cyber insurance markets while providing guidance on emerging regulatory risk, cyberattack techniques, cyber risk prevention and data breach cost mitigation strategies.