Tips for Your Vendor Security: Complying With Regulations

By Dov Goldman | Oct 24, 2019 | 3 min read

Organizations have much more than just data to lose in a third-party breach. Besides losing consumer confidence and loyalty, companies can face costly penalties for violating data privacy regulations.

During National Cybersecurity Awareness Month (NCSAM), it is appropriate for organizations to also be aware of the risks of non-compliance. Not complying with HIPAA can cost as much as $1.5 million per year for each violation category. The fines for not complying with the EU's General Data Protection Regulation (GDPR) can be up to €20 million or 4% of annual revenue, whichever is greater. And the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020, will fine $7,500 per violation.

To get a sense of what it might cost a company that does not comply with regulations, one need look no further than this year’s $57 million GDPR penalty issued to Google. This is undoubtedly one of many exorbitant fines that non-compliant businesses will face.

It is important to understand that if an organization is breached through a non-compliant third party, the organization itself will be held responsible and could face stiff penalties. For this reason, organizations must verify that their vendors comply with the regulations that apply to the data they handle.

Here are some key points to consider:

GDPR and CCPA Right to Deletion

If your vendor is subject to GDPR, CCPA or any number of other privacy regulations, it must accept consumer requests to delete their data. This means that the vendor must have a way to know where every bit of each consumer's data is located within its systems, including copies in logs, analytics stores and downstream sub-processors.

The vendor may have to work through a “data mapping” and “data flow” exercise just to understand where all these bits of data are before developing the new software functionality that will delete the data in question. In addition, if the vendor has implemented a professional backup regime, even the customer data in backups may have to be deleted.

GDPR and NYDFS Breach Notification

Will the vendor know if it is breached by a hacker? Companies are required to notify a supervisory government authority within 72 hours of determining that there has been a data breach. The vendor will have to implement intrusion detection systems, together with the logging and incident response process needed to confirm a breach and establish when it was discovered, so that the 72-hour clock can actually be met.

NYDFS “Minimum Cybersecurity Standards”

This may be one of the toughest requirements. The vendor will need to implement an information security management system, with controls such as those comprising ISO 27002 or NIST standards.

Keep in mind that compliance does not guarantee security. The threat landscape is constantly changing, and often at a significantly quicker rate than the regulatory landscape. However, organizations can significantly reduce risk by effectively screening and continuously monitoring their vendors for security threats and compliance.

This is the third in a series in honor of National Cybersecurity Awareness Month (NCSAM) and is dedicated to helping organizations guide suppliers with their cybersecurity. Check out our last articles about building the right password policy and preventing phishing attacks.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He is a serial entrepreneur who has been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.
