On July 21st, 2020, The University of York published an article describing a recent data security incident involving one of its third-party service providers. They describe the attack as the loss of personal information from Community members, Staff, Alumni, Students and Others involved with the University. They also state that a number of other US and UK Healthcare and Educational Organisations are likely to be affected by the attack in May 2020. The vendor in question is one of the largest Customer Relations Platforms used by non-Profits and High Education Establishments.
This highlights several key risks for any Firm when working with their Outsourced Providers:
Large Service Providers are just as likely to fall victim to an attack as a small business.
When performing Vendor Due Diligence, it is critical to not be complacent with firms based on their size. Gaining an understanding of the team directly working with a firm is important, as is a truly in-depth analysis of the cybersecurity practises within the firm. Be sure to research if the scope of Security Certifications such as ISO27001, CSA STAR, or SOC Type audits include all the services you are using from the firm.
Understand your GDPR Obligations and ensure your Vendors understand theirs.
It is important for firms to understand their obligations under GDPR. When an event becomes a recognised incident “Processors shall notify the controller without undue delay after becoming aware of a personal breach”. It is critical for Vendors to meet your requirements and care should be taken to ensure those requirements are within your contracts.
GDPR extended beyond the borders of Europe
The territorial scope does not stop at the borders of the EU. International Firms processing “personal data of data subjects who are in the Union by a controller or processor not established in the Union” are also obligated to follow GDPR requirements.
Read the full article here.
DrawbridgeCONNECT, our centralized cybersecurity platform, brings together all aspects of your Cybersecurity program. Vendor Due Diligence, GDPR Gap Analysis and Risk Assessments are brought into one application for your Compliance and IT teams. With access to Training, Policies, and Vulnerability Management all in one place, it offers an efficient platform for your Cyber requirements.