Q3 2019

Wealth & Finance International - Q3 2019

• Consider how to allocate liability through indemnification provisions or limitations on liability, based on the nature of the relationship, the sensitivity of the data involved and the GDPR requirements.

• Consider requiring the service provider to maintain cyber security-related insurance coverage. You should also consider whether, and to what extent, data breaches stemming from third-party service providers fall within your own insurance coverage. Combined public liability and cyber security insurance coverage is also available and provides the best possible coverage.

Know your GDPR rights

Under GDPR, processors, like controllers, are required to implement appropriate security measures. What is appropriate is assessed against a variety of factors, including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing. Regular testing of the effectiveness of any security measures is also required. Furthermore, your processors are required to notify their relevant controller of any breach without undue delay after becoming aware of it. The new data regulations also mean organisations have a right-to-audit clause within their processor contracts.

Develop a Third-Party Cyber Risk and GDPR Compliance Assurance Program

After reviewing existing contracts for these requirements, an organisation should consider whether such contracts can and should be renegotiated. This step should not be neglected, given that existing contracts often do not meet GDPR standards. Additionally, an organisation should develop cyber security and data protection guidelines for future contracts. Once these revised contracts have been renegotiated and put in place, organisations should implement a Continuous Compliance.
Finally, businesses should look to a monitoring program that empowers them to monitor the cyber risk and GDPR compliance of their third parties on demand. This program should have the ability to monitor not only third-party risk but also fourth-party and fifth-party risk across your ecosystem of service providers and partners. One of the threads that runs through the GDPR is the requirement to demonstrate compliance. In the event of a data breach or an audit by the regulator, you will be required to demonstrate good third-party assurance. This can be easily achieved with an ongoing Continuous Compliance Monitoring program.

A Preventative Approach to Third-Party Risk

The fact that Target's breach originated from a third-party service provider did not prevent Target from incurring enormous losses in the form of litigation expenses and loss of customer confidence, among other things. For that reason, the primary goal is to prevent an incident. If an incident does occur, the robustness of an organisation's procedures and practices with regard to third-party service providers could help to limit its liability in subsequent litigation. This could include a shareholder suit against directors and officers, a customer or employee data privacy suit, or regulatory scrutiny. Indeed, regulators have begun to place increasing scrutiny on third-party relationships in the context of cyber security and GDPR legislation.

Checklist For Third Party Risk