Apprameya Iyengar is a technology and securities attorney with Polsinelli PC. His work focuses on commercial technology needs, ranging from small and mid-cap emerging companies to Fortune 500 companies.
For technology startups, maintaining strong security controls remains vital to winning new business opportunities and strengthening existing relationships.
Despite the global spike in cybersecurity attacks — there were 42.8 million detected cybersecurity attacks in 2014 — big companies continue leveraging technology startup vendors to help perform critical business functions containing access to personally identifiable information (PII), protected health information (PHI), and personal financial information (PFI).
However, larger enterprises are conducting more due diligence than ever before at the outset of their procurement process, evaluating their technology vendor’s security policies and procedures and assessing the service provider’s ability to remain resilient and recover data in the event of a security breach.
Increasingly, sophisticated cybercriminals are infiltrating smaller technology providers as outlets to exploit PII, PHI, and PFI, and using such attacks to steal valuable intellectual property and disrupt critical business processes. Surprisingly, many technology startups lag behind their more mature counterparts in implementing and maintaining effective controls against common cybersecurity risks. In response, larger enterprises are prioritizing how they manage their global cybersecurity exposure, especially when engaging startup vendors.
Technology startups planning to target large businesses should invest the time and effort to create and maintain a documented and well-organized set of information security protocols.
What policies and procedures do big companies expect their technology startup vendors to implement and maintain?
Many large enterprises expect technology startup vendors to maintain a well-documented information security program, overseen by a designated company officer, which, at a minimum, directly addresses:
What security controls are in place to protect the customer’s data?
Has the vendor instituted encrypted perimeter and network security measures to keep out and/or detect intruders?
How often are security updates provided by the vendor?
How often are these procedures audited for effectiveness (e.g., SSAE-16)?
Where will the customer’s data be stored?
Depending on how the technology is being delivered (e.g., cloud, ASP, or on-premise), will customer data be stored on-site or offsite?
Will any customer data be stored or transferred abroad?
How quickly and by what means will the service provider detect unauthorized intrusions and, if there is a security incident or a data breach, what are the vendor’s response and notification protocols? Early incident detection, rapid security restoration, and a swift triage of the situation are critical. A large company will need to mobilize instantly when faced with a security incident or data breach, and a clearly articulated incident response plan will be viewed favorably.
Cybersecurity and privacy liability insurance, covering any unauthorized access to and use of the customer’s data, breach notification costs, and costs to defend regulatory actions involving a data breach are expected, with sufficient coverage amounts depending on the type of data involved.
Larger enterprises are evaluating their prospective technology startup vendors on their security capabilities more than ever before. Technology startups can distinguish themselves as responsible business partners and win more business opportunities by maintaining effective safeguards against cybersecurity risks that pose serious threats to businesses of all types.