Well, it finally happened. As a former trial attorney, I’ve been expecting this for some time: a large legal settlement of negligence claims for failing to properly protect customer information. In this particular case, customer information was exposed when a Wendy’s third-party vendor failed to have proper security controls installed on its point of sale systems. Point of sale systems are key targets for criminals because they are often managed by third-party vendors with limited resources and, accordingly, poor security controls. The result here was a $50 million payment to settle customer legal claims. The worst part is that, according to Wendy’s, $27.5 million of that payment came out of its own pocket after exhausting insurance coverage.
What is particularly notable here is that Wendy’s loss isn’t the result of regulatory action, compliance failure, loss of business from a data breach, or even lost revenue from reputation damage. This loss is from a lawsuit claiming that Wendy’s was negligent in how it managed its third-party vendor. A review of the suit itself suggests that this approach could be used in many other instances where a company may have failed to properly manage its vendors.
More third-party governance is needed in outsourcing – legal agreements aren’t enough
Outsourcing key business processes that involve access to customer information and critical business systems is commonplace today. For companies in regulated industries, like financial services and healthcare, vendor risk management is a long-standing requirement. However, companies in non-regulated industries have been slow to embrace the concept.
Why? Well, it’s costly and extremely time-consuming when done manually. Risk management professionals end up spending upwards of 50% of their time on administrative and clerical activities, leaving little time for identifying and managing risk. Many companies attempt to address these issues by relying on contract clauses requiring a vendor to maintain adequate security controls. This is a dangerous approach: financial regulators determined long ago that relying on vendor contract language without taking steps to determine whether the vendor is actually complying with those requirements is absolutely inadequate (and perhaps negligent?).
What companies can learn from Wendy’s
So, how could Wendy’s have avoided this $50 million problem? Its POS vendor should have been assessed on a regular basis (in this instance at least annually) to determine whether it was maintaining sufficient security controls. Because of the critical nature of POS vendor services, Wendy’s should also have engaged in continuous threat monitoring, looking to see whether any other threats in the vendor’s environment could have impacted those services. Any deficiencies identified by Wendy’s should have been addressed and remediated by the vendor in a timely manner. Finally, Wendy’s would need auditable reporting that documented its actions to protect the customer information it had turned over to a third party.
Now you have 50 million reasons to get serious about managing vendor risk. For more on how Prevalent’s integrated third-party risk management platform can help provide a comprehensive view of vendor risks, watch a demo or contact us today.