The Evolution of Vendor Risk in the Retail Industry
Last week, Walmart Canada, Rite-Aid, CVS, and Sam’s Club were among the retailers to suspend their online photo operations due to a possible data breach of third-party photo service provider PNI Digital (a Staples subsidiary). This is the latest cyber incident to affect the retail industry, which has witnessed a number of high-profile breaches involving third-party vendors in recent years.
Like most businesses, major retailers have long relied on third parties to provide key business services. In fact, years before cyber attacks against third parties became prevalent, the retail industry began developing sophisticated third-party risk management programs to protect their data. One landmark case that changed retailer perspectives on third-party risk management was the settlement between CVS Caremark and the Federal Trade Commission in 2009.
From Physical Security to Cybersecurity
In 2009, the FTC filed a complaint against CVS Caremark following reports that some of its pharmacies were throwing trash into open dumpsters. This trash allegedly contained pill bottles with patient information, addresses, physician names, and medical information. It may have also contained computer order information, employment applications, payroll information, and other personally identifiable information (PII). The FTC alleged that CVS “failed to implement reasonable and appropriate procedures for handling personal information about customers and employees.”
CVS settled the case with the FTC, which said that the company had failed to take proper measures to protect medical and financial data for both its customers and employees, and paid a fine to the Department of Health and Human Services to address allegations that it violated the Health Insurance Portability and Accountability Act (HIPAA).
One of the major issues at hand in the case was the lack of visibility and oversight that CVS had into the third parties that were responsible for handling its sensitive data. The FTC settlement specifically called for CVS to address third-party risk through “the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards.”
At the time, the company had 6,300 retail locations; information on tens of millions of employees and customers could have been mishandled. Developing a plan to secure that sensitive data would present one of the great challenges in vendor risk management. Recognizing the imperative, CVS created a strong vendor risk management program to review “vendors who collect, use, store, process, transmit or destroy Confidential Information on behalf of CVS Caremark.”
This program adopted some of the initiatives that had been developed for the financial services industry under the Shared Assessments program, which aimed to standardize the vendor risk assessment process. Tom Garrubba, now Senior Director at Shared Assessments, was an employee of CVS at the time and one of those responsible for creating and implementing the vendor risk management program. Tom not only realized that there was a physical risk to data from third parties, but that third parties posed a cyber risk to the organization too. Talking with Tom recently about his efforts in those early days, I realized just how important it was for CVS to have taken on this incredible challenge.
Where We Stand Today
Third-party risk has evolved significantly since 2009. Yesterday’s concerns about physical security remain, but today’s greatest challenges involve managing third-party cyber risk. Despite highly publicized breaches stemming from third parties, many businesses still lack formal third-party cyber risk management programs. Gartner estimates that roughly 10% of businesses have formalized IT Vendor Risk Management programs in place. As businesses have outsourced key business functions, supply chains have grown and risk has increased in the process. For retailers, these large supply chains can pose significant risk. Moreover, retailers often lag in detecting suspicious activity: a recent study found that retailers take an average of 197 days to identify advanced threats on their networks.
But retailers don’t have to start from scratch. As a result of some of the attention that the 2009 case received, many retailers have developed third-party risk management programs. The time is ripe for organizations to evolve these programs to address the modern cyber threat landscape. The time to start is now!