The NFA cyber security requirement
A vulnerability that all firms face but don’t always consider is third-party service providers. Back-office systems, middleware, front-end platform providers and many others may have access to your network. You can outsource your critical functions to third parties, but you can’t outsource your liability. You remain primarily responsible for the actions and failures of the agents that you engage.
You should take a risk-based approach to managing the information security risk posed by third-party service providers. A firm should demand information about the security practices of its third-party providers and incorporate into its contracts requirements regarding those practices, as well as a requirement that the provider notify the firm in the event that it incurs a security breach.
In addition to committing the cyber security program to writing, it is imperative that the firm document every action or non-action taken. Full and complete records of inventories, risk assessments, breaches detected and responses made must be documented and preserved. All due diligence on third-party service providers must be maintained. The annual review should be thorough, and the training of all appropriate staff should be timely and complete. It’s not enough that you did what was required; you must be able to prove it.