Jenny Soubra, US head of cyber for Allianz Global Corporate & Specialty, spoke with TechRepublic’s Dan Patterson about why bringing vendors into a business carries significant risk. Here’s their conversation:

Patterson: Vendors are an increasingly important part of almost every company’s business. Vendors also can represent tremendous risk. So as companies expand and add little cogs to their wheel in terms of vendors and their relationship, what is the associated risk with adding additional vendors?

Soubra: Well there’s significant risk, and there’s two sides that we look at when we’re looking at vendor risk. There are the vendors that you bring on to provide services for you. So when you’re doing that you really need to look at what is in the contract, what are the terms around limitations of liability if something goes wrong on the vendor side that causes a loss of information or some sort of a privacy incident for the organization itself. We’re looking at indemnification provisions. Okay, something goes wrong, who is liable, who’s paying for it? Right? So there’s that piece of the vendor risks, so really evaluating the contracts, especially contracts that may have been in place for a long time.


When we’re looking at cloud providers, especially when we’re looking at the very large cloud providers, small companies don’t have the ability to negotiate the terms and conditions of those contracts. It’s a click-through agreement, you can take it or leave it. The cloud provider will give you the box. They say, “Here’s your box. Whatever you put in the box is your own responsibility. Even if we lose what’s in the box, it’s still your responsibility and we will take no liability for that.” So companies really need to consider what they’re putting out in the cloud.

So highly sensitive data, healthcare information, social security numbers, financial data, those sorts of things should not be stored in the cloud, especially when the terms and conditions cannot be negotiated.

The other side of vendor risk is when a small or mid-size business is acting as a vendor for another organization. They need to be sure that their platform is not being used as the utility to spread ransomware, or to initiate some sort of a phishing campaign that may then have an access point into the company that they’re providing services for. So there’s two sides to it, but, of course, there’s risk everywhere, and companies do need to consider all of these different factors when they’re looking at the vendor side.