We are continuing to learn more about the breach at Larson Studios which resulted in the release of 10 episodes of Orange Is The New Black (OITNB) as well as other titles from Netflix, ABC, CBS, and Disney. While the analysis of the event in Variety provides insight into the devastating effects of a ransomware event, it fails to provide insight into how this could have been prevented.
Until most recently only banks really focused on third party risk issues due to regulatory requirements. They were then joined by healthcare providers as their regulators began to require robust third party practices as well. Most recently insurance companies have joined the ranks of the third party risk conscious along with other firms whose boards and senior management recognize the risks that third party service providers create from the unauthorized access to customer data and company networks. However, the Larson Studios incident reinforces the fact that assessing data protection and IT security controls at vendors isn’t just for industries whose regulators require such programs.
It is still unclear how many titles have been stolen from Larson, but the costs to the studios will undoubtedly run into the millions of dollars. Should Larson have had better IT security? Absolutely. Should the studios who trusted Larson with such valuable intellectual property have assessed Larson’s IT security? Absolutely.
This is not to say that it is the studios are at fault for trusting Larson to protect their property. However, as the banking industry learned long ago vendors, particularly small vendors, generally do not maintain robust IT security controls. This is why the financial services regulators began requiring banks to conduct assessments of the vendors who had access to high risk data and systems – to ensure that they could adequately protect that data and those systems. Contractual requirements are not enough, banks must validate that the vendors can discharge their responsibilities for data security required in the contracts. The fact that an action for breach of contract can be maintained is small compensation compared to the losses which, in most instances, cannot be replaced or reputational damage than cannot easily be repaired.
The bottom line is that every company who chooses to outsource services must take a hard look at what they are putting at risk by using a third party. The range of information that needs to be protected runs from customer data, to proprietary company information, to intellectual property. If the third party has access to company systems and networks then an analysis must be done to determine the damage that could occur from the unauthorized access to these systems. When the value of the data is high, and access to systems needs to be protected, then companies should assess those third parties to ensure that substantive IT security and data protection controls are in place.
Larson’s clients are auditing them today to determine the extent of the damage and what security controls need to be in place. One has to wonder if this incident would have even occurred if the work being done by the studios today had been done as an assessment of Larson’s security controls before they were ever given access to the studios valuable titles.