The “Target hack” was a bit of a misnomer.
During the 2013 holiday shopping season, a hacker known as “Profile 958” stole the credit and debit card information of more than 110 million of Target’s customers. But Target was not the entry point. Instead, Profile 958 attacked Fazio Mechanical Services (“Fazio”), a Pittsburgh-based HVAC company. Fazio had provided refrigeration services to Target and obtained access to Target’s systems for electronic billing.
That was Profile 958’s way into a major Fortune 50 corporation – through a privately-held heating company with about 125 employees.
Cybersecurity Risk for Third-Party Breaches
It has become common for hackers to target small vendors that tend to have less sophisticated safeguards in place as a way to infiltrate large companies. According to KPMG, 73% of businesses have experienced at least one significant disruption from a third-party cyber incident within the last three years.[1] It also takes large companies longer to detect and respond to attacks perpetrated against their vendors than against them directly, providing threat actors with extended access and more time to inflict damage. Healthcare, finance, and government are the most common victims of third-party attacks.[2]
But any company can be vulnerable. Over the past ten years, many companies have been the targets of massive data breaches as a result of cyberattacks on their vendors. In 2022, third-party data breaches affected Toyota, Uber, KeyBank, and OpenSea, to name a few. Technical services vendors providing infrastructure services were the top target of third-party breaches in 2022.[3] Data breaches involving technology vendors have led to notorious cyberattacks, such as Russian hackers’ weaponization of SolarWinds Orion business software updates to distribute malware to roughly 18,000 SolarWinds customers – including multiple government and private companies around the world – in December 2020.
Cyberattacks on third parties have exposed companies to significant data breach litigation from consumers and shareholders, as well as investigations from federal and state governments and regulators. A few high-profile examples are described below:
- In connection with Target’s 2013 data breach described above, consumers, banks, and shareholders filed class action lawsuits against Target. Target agreed to pay $10 million to consumers, $67 million to Visa, and $39.4 million to banks and financial institutions that issued the credit and debit cards that were compromised. In addition, Target agreed to pay an $18.5 million fine to settle a multi-state investigation led by attorneys general of 47 states and the District of Columbia. Target’s executives and directors and the Board of Directors’ Special Litigation Committee successfully moved – after an investigation and unopposed by the Shareholder Plaintiffs – to dismiss the shareholder derivative claims after determining that pursuit of those claims was not in Target’s best interest.
- In 2019, in one of the largest data breaches in U.S. history, personal and financial information of roughly 100 million Capital One customers was stolen after cloud data storage accounts maintained by Capital One’s cloud provider, Amazon Web Services (“AWS”), were hacked. Paige Thompson – a former AWS employee – was found guilty after a jury trial of wire fraud and computer crimes for committing the data breach, and was sentenced to 5 years’ probation in October 2022. Although a data breach securities class action lawsuit against Capital One and certain of its directors and officers was dismissed, Capital One was ordered to pay an $80 million fine to the Office of the Comptroller of the Currency for its failure to adequately identify and manage risk and its Board’s failure to hold management accountable. After Capital One’s motion to dismiss the majority of the claims in the consumer class action lawsuit was denied, Capital One agreed to pay a $190 million settlement to consumers.
In addition to data breach litigation, companies also face heightened regulatory scrutiny as cybersecurity incidents involving third-party service provider vulnerabilities have become more frequent. In March 2022, the SEC proposed amendments to its rules governing disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Of particular note is that the SEC’s proposed rules would require disclosure of whether the registrant has policies and procedures to oversee and identify the cybersecurity risks associated with its use of any third-party service provider, including whether and how cybersecurity considerations affect the selection and oversight of these providers and contractual and other mechanisms the company uses to mitigate cybersecurity risks related to these providers. This proposed rule demonstrates the SEC’s emphasis on imposing stringent disclosure requirements on public companies to better inform investors about the cybersecurity risks posed by third-party service providers.
Mitigating Third-Party Cybersecurity Risk
The effects of a third-party cybersecurity incident can be severe. Beyond financial losses, third-party breaches can also lead to operational damage and reputational harm. And supply chain risks don’t stop with third-party risk; threat actors can exploit security gaps at any point in the supply chain, making third, fourth, and even nth party risk a critical part of a mature enterprise risk management strategy. Companies should take the following steps to protect against the cybersecurity risks posed by third parties:
- Conduct Risk Assessments of Third Parties. Prior to executing a contract with a third party, a company should conduct due diligence regarding the third party’s cybersecurity protocols and testing to ensure that the third party has implemented an effective incident detection and response plan. The company should also confirm that the third party provides satisfactory training to their employees, contractors and vendors.
- Set Clear Contractual Requirements for Third Parties to Maintain Strong Cybersecurity Policies and Practices. A company’s contract with a third party should outline the third party’s cybersecurity policies and procedures, as well as the appropriate security measures in place to protect sensitive company data. In addition, the company should ensure that the third party’s own sub-contractors are bound by the same cybersecurity policies and procedures, and that the third party maintains an inventory of its sub-contractors. Contracts should include data retention and data breach notification requirements within specified timeframes to ensure a company’s legal and regulatory compliance in response to a third-party data breach. Companies also should pay close attention to any limitation of liability, indemnity and insurance clauses in a contract.
- Routinely Monitor and Audit Vendors for Compliance with Cybersecurity Protocols. Companies should regularly check to ensure that the vendor’s access is restricted to only the information required for the vendor to perform its duties and to only those individuals who need to know that information. Companies should prioritize monitoring and auditing third parties that support a company’s critical services. In addition, companies should require their vendors to complete vendor risk assessment questionnaires and to promptly report any changes to their information security programs.
Footnotes
[1] See Third-Party Risk Management Outlook 2022 (2022), KPMG, available at https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2022/01/third-party-risk-management-outlook-2022.pdf.
[2] See Third Party Breach Report: Trends, Shifts and Lessons Learned from 2022 (2023), Black Kite, available at https://blackkite.com/wp-content/uploads/2023/01/third-party-breach-report-2023.pdf.
[3] Id.
Kristy J. Greenberg is a Partner at Hogan Lovells US LLP and is a former Deputy Chief of the Criminal Division in the U.S. Attorney’s Office for the Southern District of New York. Melissa Giangrande, an Associate at the firm, also contributed to this article.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).