[co-author: Nathan Simpson - Summer Associate]

What You Can Learn about Vendor Management from the DocuSign Breach

While some industries may get away with the “trust but verify” model, heavily regulated industries such as financial services have no such luxury. Trust no one—you can’t afford to.

Last week, DocuSign, one of the most frequently used electronic signing services, reported a data breach involving phishing emails being sent to its customers.  While inside the DocuSign system, criminals stole possibly more than 100 million emails to use as targets in a phishing email campaign.  Wrong-doers sent emails to customers with DocuSign branding and a subject line stating, “Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature,” to trick customers into opening an attached word document.  The Word document contained malware which, when opened, would install on their device.

Businesses rely on third-party vendors such as DocuSign to make their businesses more efficient but with this comes inherent risk. Regulatory agencies, such as the CFPB, have made clear that they will hold regulated businesses accountable for harm consumers experience as a result of the actions of a vendor, particularly if there is not a robust vendor management program in place.

If you are a regulated financial services business, you can bet that the next round of audits will include increased scrutiny of your vendor contracts. Every contract that involves a vendor that has access to personal information about consumers, however limited, should, at a minimum, contain clauses about how that data is handled, that it is not transmitted overseas, the vendor’s plan in case of a data breach, and reserving your right to audit the business in person or remotely.  Having the option to audit is not enough; you have to actually do it; and even then it doesn’t count unless you document what you’ve done.

Annual vendor audits should be routine, not perfunctory. On-site audits for vendors that have wide access to financial or personal information about consumers should usually occur every 1-3 years. Questionnaire audits should occur annually for all vendors. The key here is follow up and remediation. If you can demonstrate to a regulator that when you found a problem with a vendor, you oversaw the remediation and they fixed it, you are far less likely to trigger all the warning bells that make auditors nervous.

 Let the Experts be Experts. Do you know how to choose the safest and highest quality electronic signature vendor?  DocuSign advertises itself as more secure than paper, and it may be in many cases, but how do you know, Mr. Banker, Ms. Lawyer, or Ms. Compliance Officer? Do you know the right questions to ask and how to identify the red flags? How about your cloud services vendor? Mail and document services? What if your customers’ email addresses were among the millions stolen because you used DocuSign to exchange documents with them? What if it were their financial data or social security numbers? You don’t have to be an expert on these things, but you do need to recognize when you aren’t and ensure that you have support from people who are.  You must be able to face your customers and explain that your vendor choices were based on sound analysis and that you did all you could to protect them. “My golf buddy recommended them and we wanted his business, so we retroactively boarded them upon my directive” is not going to go over well.

Invest in your experts and then use them. Financial Services Technology is a specialized area within IT and just because your team can keep the network running and the software up to date, doesn’t mean they know how to be ACH compliant or how to safely transmit data to the GSE’s for a portfolio purchase.  You need your IT team to be educated on the latest in FinTech development and compliance. Send them to seminars regularly. The return on investment can be exponential. Not only will they help your compliance team, they will be in a better position to evaluate and recommend vendors.

Lunchtime deals should end in intention, not retention.  This is an important part of business relationships, but it must evolve. In case of a data breach you must be able to face your customers and explain that your vendor choices were based on sound analysis and that you did all you could to protect them. “My golf buddy recommended the vendor and we wanted his business, so we retroactively boarded them upon my directive” is not going to go over well with your regulators or your customers.

Executives and Partners of small and medium sized businesses are used to being able to onboard vendors at their discretion based on relationships. Often, the compliance team is doing retroactive onboarding and contract negotiation which you can see in an audit if you know what to look for. This puts your business in a weak position, provides the vendor access to your secure information before vetting, and is indefensible in the event of an audit. Executives and Partners of these businesses should understand the reason behind the on-boarding procedure so that it doesn’t appear to be an arbitrary rule meant solely to inconvenience them and diminish their authority. Adherence to a robust onboarding procedure will minimize risk of both legal liability and reputational risk for both the executives and the business.

[View source.]