Third-Party Cybersecurity Risk Assessments and Negotiation
By Fernando Mares | Journalist & Industry Analyst
Thu, 04/25/2024 - 16:00
Outsourcing has emerged as an indispensable strategy for enterprises across diverse sectors seeking operational optimization. However, this strategic reliance also exposes organizations to cybersecurity vulnerabilities. To safeguard against the associated risks, cybersecurity experts advocate working closely with legal teams to develop contractual frameworks that allow companies to better determine the level of involvement with their suppliers.
The challenges of dealing with outsourcers stem from suppliers' inability to establish proper cybersecurity measures. Marco Antonio Castilla, CISO, AVIS Mexico, explains that over 30% of successful cyber attackers have entered through the supply chain via a provider or supplier.

Jenny Mercado, CISO, Odessa, emphasizes that it is more crucial than ever to pay attention to suppliers and providers, regardless of their size. She points out that it has become common for providers to outsource some of their own processes in turn, which makes the main company more vulnerable to cyber threats. This makes it crucial for larger companies to understand how far their data is spread out.
In the face of these challenges, a comprehensive solution is proposed, including a thorough evaluation of suppliers and negotiation of robust contractual cybersecurity agreements.
Felipe Absalon, Information Security Officer, Bayer, suggests close collaboration between the cybersecurity team and other departments, especially the legal team, which can leverage insights from the cybersecurity team to formulate legal clauses in contracts with suppliers. “We classify our suppliers into strategic, local, and low categories. Through this classification, we determine the level of access to our information and place more emphasis on them through our support areas to negotiate contract clauses, to avoid breaches of critical information,” he adds.
Mercado also highlights the importance of supplier classification: not all suppliers require cybersecurity clauses, since their involvement in the company’s activities usually consists of selling materials or equipment.
Experts suggest close collaboration with suppliers to create awareness of the importance of cybersecurity measures. Given the size of some suppliers, experts suggest using as little technical jargon as possible, since it could lead to confusion. “We have campaigns to raise awareness among suppliers so that they become involved in cybersecurity issues. This is essential because often they have other clients who request this type of framework,” Mercado notes, emphasizing that these programs benefit not only the company but the entire business ecosystem.