Why EVERYONE Needs To Be Concerned About
Vendor Security
We are continuing 
to learn more about the breach at Larson Studios which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware event, it fails to provide insight into how this could have been prevented.
Until most recently only banks really focused on Third Party risk issues due to regulatory requirements. They were then joined by healthcare providers as their regulators began to require robust third party practices as well. Most recently insurance companies have joined the ranks of the third party risk conscious along with other firms whose boards and senior management recognise the risks that third party service providers create from the unauthorised access to customer data and company networks. However, the Larson Studios incident reinforces the fact that assessing data protection and IT security controls at vendors isn’t just for industries whose regulators require such programs.
It is still unclear how many titles have been stolen from Larson, but the costs to the studios will undoubtedly run into the millions of dollars. Should Larson have had better IT security? Absolutely. Should the studios who trusted Larson with such valuable intellectual property have assessed Larson’s IT security? Absolutely.
This is not to say that it is the studios are at fault for trusting Larson to protect their property. However, as the banking industry learned long ago vendors, particularly small vendors, generally do not maintain robust IT security controls. This is why the financial services regulators began requiring banks to conduct assessments of the vendors who had access to high risk data and systems – to ensure that they could adequately protect that data and those systems. Contractual requirements are not enough, banks must validate that the vendors can discharge their responsibilities for data security required in the contracts. The fact that an action for breach of contract can be maintained is small compensation compared to the losses which, in most instances, cannot be replaced or reputational damage than cannot easily be repaired.
The bottom line is that every company who chooses to outsource services must take a hard look at what they are putting at risk by using a third party. The range of information that needs to be protected runs from customer data, to proprietary company information, to intellectual property. If the third party has access to company systems and networks then an analysis must be done to determine the damage that could occur from the unauthorised access to these systems. When the value of the data is high, and access to systems needs to be protected, then companies should assess those third parties to ensure that substantive IT security and data protection controls are in place.
Larson’s clients are auditing them today to determine the extent of the damage and what security controls need to be in place. One has to wonder if this incident would have even occurred if the work being done by the studios today had been done as an assessment of Larson’s security controls before they were ever given access to the studios valuable titles.
Contact DVV Solutions
As the only UK-based Partner of Prevalent Inc. and a Shared Assessments program member and registered Assessment Firm we utilise industry-standard practices including Standardised Information Gathering (SIG) questionnaires and Agreed Upon Procedures (AUP) for onsite assessments.
To learn more about how our experience and expertise can help improve your Third Party Risk Management program and vendor security posture:
Call Us: On +44 (0) 161 476 8700, or
Contact Us: Complete our Contact Form
Source: Prevalent Inc.
About the Author: Brad Keller, Senior Director of Third-Party Strategy at Prevalent Inc., has been developing and leading risk management programs for more than 25 years. During this time Brad has developed and implemented vendor and business risk management programs at several financial institutions that have substantially improved risk management while also passing federal regulatory scrutiny. Prior to joining Prevalent, he was a Senior Vice President with The Santa Fe Group focusing on the management of the Shared Assessments Program. At Shared Assessments he led the development of Shared Assessments tools, training, and the risk management professional certification program.