Procurement’s Cyber Security Responsibility
Cyber Security Risks
Is it just us, or does it feel like every few weeks another company makes the headlines for a massive data security breach? While many companies continue to invest in improving their IT system security, data breaches are still frequent. Gemalto reports that in the first half of 2018, more than 4.5 billion data records were compromised, a 133% increase from 2017. Governments are reacting to the increasing frequency of data breaches by cracking down on companies that handle customer data irresponsibly. In the European Union, the General Data Protection Regulation (GDPR), enforceable since May 2018, allows companies to be fined up to 4% of global revenue for the mismanagement of customer data. In addition to increasing financial penalties, companies that suffer a data breach face reputational damage and revenue loss, and must dedicate valuable resources to mitigating and recovering from the damage. While many people see data security and its consequences as an IT problem and an afterthought for their own department, procurement plays a crucial role in helping to keep a company’s data secure.
What Do Hackers Want?
Organizations are being hacked for a variety of reasons. Hackers generally want to steal personal information: employee and customer bank account numbers, credit card information, social security numbers, email addresses and passwords. Personal information is not always the target, though; intellectual property, contracts, and other confidential agreements can all be very valuable in the wrong hands. Ransomware attacks, where hackers steal and encrypt data and make companies pay to get it back, are also increasing. Most hackers are financially motivated, but hackers have also been caught infiltrating critical public infrastructure such as power grids, water treatment systems, and transportation systems.
How Procurement Can Improve Data Security
Although it is nearly impossible for companies to eliminate all risk of a data breach, there are several steps that procurement departments can take to ensure that their organization provides best-in-class data security.
- Build and maintain a strong relationship with your IT department. Procurement should meet regularly with IT to monitor the performance of existing systems and ensure they understand external regulations and internal policies.
- Map the flow of data throughout the supply chain. This will allow you to identify the recipients of your company’s data and understand how that data is processed.
- Once you understand who receives your data, review existing contracts that involve the processing of data and make sure the data protection provisions are compliant with government regulations and internal company policies. In addition to reviewing contract language, it is important to consistently monitor supplier performance to ensure they are compliant.
- As the fines and reputational risks faced by companies increase due to more scrutiny from regulators and the general public, teams will need to reevaluate risk profiles and look into a different liability approach for data processing contracts.
- For new suppliers, it is important to carry out due diligence to ensure they are compliant with GDPR and internal policies. In addition to initial due diligence, it is important that contract language includes a right to audit, so that suppliers can be held to those requirements for the duration of the contract.
- Check to see if existing insurance policies will cover data breaches. If they do not, find insurance policies that will mitigate potential exposure.