Recent cyberattacks on Colonial Pipeline, NEW Cooperative, Oldsmar, and other critical infrastructure companies have highlighted the harm of downstream liability for organizations, and the importance of its proper assessment.
Assigning responsibility for downstream liability is a challenge, especially given the lack of clear regulations that identify who is responsible for downstream liability among companies, distributors, suppliers, and customers.
For this reason, correctly identifying these factors and establishing clear legal liability over those third-party risks is a priority for companies of any size.
Downstream Liability Defined
When a security failure happens at your business, that can cause a cascade of potential damage for your suppliers and customers. The potential liability for these damages is downstream liability.
For example, a data breach at your company might result in the destruction of customer data, and those customers then lose money because they can’t put their data to good use. Who makes the customer whole for that harm? What if the breach happened because of a security failure at a third party you use? Should that vendor then pay the damages for your harmed customers? Those are the questions that downstream liability attempts to answer.
This concept also includes what is known as vicarious liability, focused on damages (bodily injury, property damage, or any other) caused by a third party when there is a supervisory relationship. This “duty of care” over your service providers’ information security leaves your company exposed to legal action if the providers suffer a cyberattack due to their poor practices; you should have supervised them more closely.
The risks of downstream liability are widespread in today’s digital age. To improve supply chain visibility, many companies have built connections between their computer systems. This enables a cyber attack to spread quickly, causing much more information destruction and operational disruptions across your supply chain.
Supplier Risk and Downstream Liability
The concept of vicarious liability plays a crucial role in managing supplier risks. When you share client data with your third-party partner, you have a supervisory responsibility for assuring that the partner follows various data protection laws. So determining the cybersecurity maturity level of your suppliers is a fundamental part of your risk management program.
Regulatory standards are not the only reason to be concerned about downstream liability. Operational and financial risks also arise from your third parties’ lack of cybersecurity policies. When a supplier falls victim to a cyberattack, that puts your IT infrastructure at risk of downstream attacks and becomes an attack vector for your company.
The Downstream Effect of Cyber Attacks
Just as third parties can be the attack vector for your company, you can be the entry point for your suppliers. This is the most immediate effect of cyber attacks on your environment. For example, the ransomware attack on Colonial Pipeline disrupted Colonial’s delivery of gas, which then disrupted gas stations’ ability to operate.
As a practical matter, this means the target’s resilience to an attack can influence the downstream impact on other community members. If those community members are not well prepared, the consequences will spread quickly.
How to Avoid Downstream Liability
Downstream liability is a risk that must be addressed when formulating an effective risk management plan. As such, some standard practices can help mitigate this kind of risk.
First, robust third-party risk management assures that your third parties comply with information security regulations similar to those of your company; that can minimize overall third-party risks. Communication with your third parties plays a crucial role in preventing downstream attacks to and from your company.
Maintaining a cyber security-aware culture within your company minimizes common cyber risks that generate downstream liability. Compliance with cybersecurity standards and regulations demonstrates a duty of care and reduces your overall risk landscape. Implementation of prevention and mitigation measures within your computer systems and across networks is essential.
In addition to traditional risk management techniques, your organization may consider insurance coverage. Some insurance companies offer downstream coverage, which is a liability policy specifically designed for the mitigation of downstream liability costs. As with most liability coverage, these policies are full of disclaimers, so do your research.
Mitigate the Risks of Downstream Liability with ZenGRC
Global disruptions can directly harm your procurement and sourcing capabilities, resulting in business continuity and financial risks. Cyber supply chain risk management is critical because the world is increasingly connected, and every company relies on outside enterprises for business continuity.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, simple-to-use platform that not only maintains track of your process but also allows you to identify areas of high risk before they become an issue.
Using ZenGRC to manage your third-party partners reduces the efforts associated with a robust vendor risk management program. Its continuous monitoring tools keep you on top of your third-party compliance management. It will even send out vendor compliance questionnaires and keep track of the responses as they come in.
ZenGRC enables you to manage your cyber supply chain risk and compliance in a worry-free manner. Automated workflows reduce manual intervention and improve audit trails. Our system handles a lot of the work for you, so you don’t have to be on high alert 24 hours a day, seven days a week.
Schedule a demo today and see how ZenGRC can streamline your vendor risk assessments and regulatory compliance processes.
Why sign up for the Risk Insiders newsletter?
To stay in the know! Get new blogs, resources, CPE opportunities, industry research & more — direct to your inbox.
