Third Party Vendor Management Programs

BCLP

Third-party service providers present difficult and unique privacy and cybersecurity challenges.  Vendor management is important throughout the life of a relationship with your service provider.  Vendor diligence starts during the vendor selection process, continues through contract negotiation, and ends when the parties terminate their relationship.  The goal is to effectively improve the service your vendors provide and mitigate the risk inherent in the vendor relationship.

$78 billion => $235 billion: The amount companies spent on cloud services in 2011, compared to the amount companies are projected to spend by 2017.¹

62%: The percentage of companies that evaluate the security risks of their third-party vendors.²

30%: The percentage of breaches attributable to a third-party supplier.³

What to consider when evaluating a vendor agreement:

  1. What data and information will you be sharing with your vendor?
  2. Does your vendor agreement require that the vendor use your data only to provide services to your company?
  3. Under what terms is your vendor required to keep your data confidential?
  4. Is your vendor required to comply with government requests to produce your data?
  5. Is your vendor required to keep your data in a logically distinct manner?
  6. What are the laws and industry regulations that apply to your company with which your vendor will be required to comply?
  7. Under what terms is your vendor required to notify you if your vendor is breached?
  8. Is your vendor subject to your privacy, cybersecurity, and data retention policies?
  9. Does your privacy policy allow your company to share your data with a vendor?
  10. After the termination or expiration of the vendor agreement, under what terms is your vendor required to return your data?
  11. What right does your vendor have to withhold access to your data or terminate your service?
  12. What rights do you have to audit your vendor’s operational practices?
  13. Is your vendor required to self-audit?
  14. Have your vendor’s past audits exposed any vulnerabilities, or has your vendor been breached in the past?
  15. Will your vendor be required to maintain certain levels of insurance during the term of the vendor agreement?

1. IHS Markit, The Cloud: Redefining the Information, Communication and Technology Industry, (February 2014), http://press.ihs.com/press-release/design-supply-chain/cloud-related-spending-businesses-triple-2011-2017.

2. PricewaterhouseCoopers, US cybersecurity: Progress stalled Key findings from the 2015 US State of Cybercrime Survey, (July 2015), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2015-us-cybercrime-survey.pdf.

3. Beazley, Beazley Breach Insights – July 2017, (August 1, 2017), https://www.beazley.com/news/2017/beazley_breach_insights_july_2017.html.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
