Once the critical process of vetting and selecting vendors is complete, the third-party oversight work begins. Change is inevitable – whether in regulations, data sets, technology, products, or circumstances – and organizations need to follow up with their vendors and ensure the relationship is maintained properly. Following a webinar we hosted on this topic, the Cybersecurity Law Report delved further into these issues with the panelists – Karen Hornbeck, senior manager at Consilio; Kristina Bergman, founder and CEO of Integris Software; and Aaron Tantleff, partner at Foley & Lardner. This first installment of our two-part article series discusses the legal and technical third-party risks and what regulators (domestic and international) expect in terms of vendor oversight. Part two will provide advice on how to identify and address issues with third-party vendors, including when and how to revise contractual relationships and best practices for internal oversight structure.

Vendor due diligence and oversight “doesn’t stop after you contract . . . you have to follow up on a regular basis to make sure they are complying with the terms,” Tantleff said.

See also “Developing an Effective Third-Party Management Program” (Mar. 14, 2018); and “How to Move Beyond a Checklist Approach to Third-Party Oversight” (Dec. 6, 2017).