Regulatory Oversight of Third-Party Arrangements: Who's Writing the Contract?

March 6, 2017 Published Work
New York Law Journal

Cybersecurity risk from third-party service providers, vendors, suppliers and contractors (collectively referred to in this article as third-party providers) is a significant source of risk to businesses and professions. According to a recent study of information security practices, 74 percent of companies do not have a list of third-party providers who handle their employee and customer data.[1] Another survey revealed that only 42 percent of businesses even consider vendor risk in their work.[2] Not surprisingly, this lack of attention to third-party providers has consequences. In a 2013 Global Security Report by Trustwave, the authors discovered that out of 450 investigations of data breaches, 63 percent of them were directly linked to a third party providing IT services.[3]


1. PricewaterhouseCoopers, PwC Viewpoint on Third Party Risk Management 5 (2013).

2. PricewaterhouseCoopers, US Cybersecurity: Progress Stalled 12 (2015).

3. New York University, Center for Cybersecurity, Third-Party Cyber Risk and Corporate Responsibility 9 (2017).