Setting Third-Party Risk Management Priorities

Former Healthcare CISO Mark Johnson on Risks Posed by Smaller Vendors
Based on the cyber insurance claims they file, small and midsized vendors potentially pose substantial security risks, so their customers should make them a third-party risk management priority, says consultant Mark Johnson, a former healthcare CISO.
A recent study conducted by cyber risk management firm NetDiligence of more than 3,500 cyber insurance claims between 2015 and 2019 found that 98% were filed by small to midsized companies, says Johnson, who leads the healthcare security practice at consulting firm LBMC Information Security.
"What that study tells me is that they are not paying the price to build strong cybersecurity programs; they are relying on insurance."
Johnson advises healthcare organizations: "You have to look at not just what's in your four walls, but who you're working with, who you're communicating with and the data you're sharing, and how they are protecting that data."
In the interview, Johnson also discusses:
- Whether some organizations are relying too much on cyber insurance as a safety net;
- Evolving remote identity and access management challenges during the COVID-19 pandemic;
- Assessing security risks involving mergers and acquisitions.
Johnson has over 27 years of information security experience. Previously, he led KPMG's national healthcare industry cybersecurity services and was CISO at Vanderbilt University and Medical Center.