
Cybersecurity Responsibilities to Your Customers and Suppliers

  • mike979706
  • Sep 10

Updated: 5 days ago

by: Michael M. Ralph | Cybersecurity, Legal Services


Cybersecurity responsibilities to your customers and suppliers are critical to maintaining trust, protecting data, and ensuring business continuity (and don't forget liability: a breach on either side of the relationship can become your legal and financial problem). Here’s a breakdown of key responsibilities in each area:


Cybersecurity Responsibilities to Customers


1. Protect Customer Data

  • Encrypt sensitive data (e.g., personal, financial, health information).

  • Use secure transmission protocols (e.g., HTTPS/TLS) and encrypted, access-controlled storage.

  • Limit data collection and retention to what is strictly necessary.


2. Ensure System Integrity

  • Keep customer-facing platforms hardened and regularly tested for vulnerabilities (e.g., vulnerability scanning, penetration testing) so that known weaknesses are found and fixed before they are exploited.

  • Implement multi-factor authentication (MFA) and secure login practices.

  • Regularly update and patch systems to reduce exploit risks.


3. Communicate Transparently

  • Notify customers promptly in case of a data breach.

  • Provide clear, honest explanations of:

* What data was affected

* What steps are being taken

* What they should do (e.g., change passwords, monitor accounts)


4. Maintain Compliance

  • Adhere to data protection laws and standards like:

* GDPR (EU)

* CCPA (California)

* HIPAA (health data, US)

* PCI DSS (payment data)

  • Provide customers with options to control their data (opt-in/opt-out, deletion requests, etc.).


5. Educate Customers

  • Promote good security practices (e.g., avoiding phishing links).

  • Provide guidance on account security (e.g., strong passwords, recognizing scams).

___________________________________________________________________________


Cybersecurity Responsibilities to Suppliers (Vendors, Partners)


1. Vet and Monitor Suppliers

  • Conduct security risk assessments before onboarding.

  • Review their security policies, certifications (e.g., ISO 27001), and incident history.

  • Use security questionnaires or audits.


2. Set Clear Expectations

  • Include cybersecurity clauses in contracts or SLAs:

* Data protection standards

* Notification timelines for breaches

* Access controls and audit rights


3. Limit Access

  • Follow the principle of least privilege:

* Only grant access to systems/data that the supplier truly needs.

  • Use network segmentation and access controls.


4. Monitor Activity

  • Track and log vendor access to sensitive systems.

  • Use alerts for unusual behavior or unauthorized data access.
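Sections 3 and 4 above (limit access, then monitor it) reduce in practice to a written allow-list per supplier and a check of the access logs against that allow-list. The following Python is an added example, not code from the article or its author: it encodes a hypothetical per-vendor policy (which systems a vendor account may touch, which actions are permitted there, the UTC hours in which the vendor is expected to work, and a ceiling on records pulled per request) and runs a few constructed log lines through it, reporting every event that falls outside the policy. The vendor names, system names, log format and thresholds are all assumptions made for the example.

```python
"""Least-privilege allow-list for vendor accounts plus a log audit against it.

Added example. Vendor names, systems, thresholds and log lines are constructed
for illustration and are not taken from the article.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Policy per vendor account (hypothetical): allowed systems and the actions
# permitted on each, expected UTC working window [start, end), and the maximum
# number of records a single request may return before it counts as bulk access.
VENDOR_POLICY = {
    "acme-support": {
        "systems": {"ticketing": {"read", "write"}, "crm": {"read"}},
        "hours_utc": (8, 18),
        "max_records": 500,
    },
    "northwind-payroll": {
        "systems": {"hr-db": {"read"}},
        "hours_utc": (7, 19),
        "max_records": 2000,
    },
}

# Assumed log format: one event per line, key=value fields after an ISO timestamp.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) system=(?P<system>\S+) "
    r"action=(?P<action>\S+) records=(?P<records>\d+)$"
)


@dataclass
class Finding:
    line: str    # the raw log line that triggered the finding
    reason: str  # which part of the policy it violated


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["records"] = int(ev["records"])
    return ev


def check_event(ev, policy=VENDOR_POLICY):
    """Return the list of policy violations for one parsed event (empty if clean)."""
    p = policy.get(ev["vendor"])
    if p is None:
        # An account that is not in the allow-list at all is the loudest signal.
        return ["unknown vendor account"]
    reasons = []
    allowed_actions = p["systems"].get(ev["system"])
    if allowed_actions is None:
        reasons.append(f"system {ev['system']} not in allow-list")
    elif ev["action"] not in allowed_actions:
        reasons.append(f"action {ev['action']} not permitted on {ev['system']}")
    start, end = p["hours_utc"]
    if not start <= ev["ts"].hour < end:
        reasons.append(f"access at {ev['ts'].hour:02d}:00 UTC outside {start:02d}-{end:02d}")
    if ev["records"] > p["max_records"]:
        reasons.append(f"{ev['records']} records exceeds limit of {p['max_records']}")
    return reasons


def audit(lines, policy=VENDOR_POLICY):
    """Run every log line through the policy; unparseable lines are findings too."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(Finding(line, "unparseable log line"))
            continue
        for reason in check_event(ev, policy):
            findings.append(Finding(line, reason))
    return findings


# Constructed sample log: one clean event per vendor plus four kinds of misuse.
SAMPLE_LOG = [
    "2024-05-06T09:15:02Z vendor=acme-support system=ticketing action=write records=3",
    "2024-05-06T10:02:40Z vendor=acme-support system=crm action=write records=1",
    "2024-05-06T02:47:11Z vendor=acme-support system=crm action=read records=12000",
    "2024-05-06T11:30:00Z vendor=acme-support system=hr-db action=read records=10",
    "2024-05-06T12:00:00Z vendor=contoso-temp system=crm action=read records=1",
    "2024-05-06T13:00:00Z vendor=northwind-payroll system=hr-db action=read records=1500",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"ALERT: {f.reason}\n    {f.line}")
```

The third sample line is the case worth noticing: a read on a permitted system is individually allowed, yet it fires twice (out of hours and bulk volume), which is exactly the "unusual behavior" an alert rule should catch even when no single permission was broken. In production the policy would come from the contract or SLA rather than a dict, and the findings would go to the SIEM rather than stdout.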


5. Ensure Secure Data Sharing

  • Encrypt all data in transit and at rest.

  • Use secure file-sharing platforms.

  • Avoid sharing sensitive data unless absolutely necessary.


6. Plan for Incident Response

  • Have a joint incident response plan with critical suppliers.

  • Test response plans periodically (e.g., tabletop exercises).


Remember, prevention is a two-way street. Are you confirming that your customers and suppliers are protecting your company’s pertinent data? Do you have a cybersecurity attestation report that describes your own cybersecurity risk management program and controls? Such a report can be provided to customers or stakeholders to build trust, and can be requested from suppliers to verify theirs.


Thank you for reading.


