In fact, regulators are discussing the need to bolster all third-party security.
In the wake of the JP Morgan breach, the New York Times reported that regulators at the Treasury Department are talking about the need to improve the security of financial institutions by strengthening the security of outside vendors, specifically including law firms, accounting and marketing firms and even janitorial companies.
Under discussion is a requirement that banks put in place stronger safeguards to make sure that outside firms have at least basic security defenses. Being considered is a new rule that would require banks to “obtain representations and warranties” from vendors about the adequacy of their controls to thwart intruders. A letter has already been sent to dozens of banks requesting that they provide “any policies and procedures governing relationships with third-party service providers.” They must outline “the due diligence processes used to evaluate” the security procedures of all vendors.
All the vast monies that banks pour into security can be undone if vendors are not well protected.
There is no evidence at this time that the JP Morgan breach was caused by a third-party compromise, but the breach gave impetus to closing this well-known but sometimes poorly addressed security vulnerability. Some companies are now contractually requiring, in the event of a breach, that vendors conduct an independent risk and security audit at the vendor’s own expense.
Another wake-up call for law firms.
Hat tip to Dave Ries.