Security Reviews conducted after contract termination
I have a challenge from our 2nd line function: they believe our current supplier cyber security control is deficient because we do not continue to conduct reviews of suppliers where those suppliers retain information gained during the supplier relationship (e.g. any records the supplier is itself mandated to retain by regulation etc.). This is coming specifically from our US team. I cannot find any example of any peer industry doing this, nor can I see how it would ever operate as a meaningful control, as without contractual cover we have little chance of accessing the supplier's site or resources. I believe this is a rogue recommendation, but I'm happy to hear from any others with experience of something similar.
Full disclosure: We don't continue to audit suppliers after we are finished with their services because we require all our regulated data to be deleted from their systems.
That being said, I don't see it as a huge waste of time/money if you're asking for something simple like their SOC reports or another type of easily generated 3rd party report. If it's anything more detailed than that, I'd have to factor in the risk to the business and our customers if that data were exposed to help weigh the CBA.
What data could your suppliers be mandated to keep that would require this level of scrutiny?
I have a challenge from our 2nd line function: they believe our current supplier cyber security control is deficient because we do not continue to conduct reviews of suppliers where those suppliers retain information gained during the supplier relationship (e.g. any records the supplier is itself mandated to retain by regulation etc.).
I'm not sure I fully understand the scenario, but the time to address this is before you give them the information. For example, agreements covering non-disclosure, data retention, secure destruction, etc. should be part of the supplier agreement. I suppose part of that could also be that you as a former customer are entitled to review the supplier during and after termination of your relationship, but what recourse do you have if the supplier doesn't or can't cooperate?
I had a situation, maybe not quite on par with yours, where a vendor from several years prior had intellectual property belonging to a company. That vendor had been acquired by a larger company, and then eventually that company had been acquired by a global giant. It became impossible to figure out what they still had.
One way of addressing something like this would be through some digital rights utility where you can revoke the key necessary to access the data. That said, you'd still want all those other agreements to guard against screenshots, etc.
For compliance to suggest an ongoing review of a former supplier seems really awkward. If anything it may increase liability because it says you're OK with them holding onto this information or at least that it is your job to confirm that it is gone.