Hi Operators ⚙️

Not to be all doom and gloom, but there’s been some recent data breaches that’ve got me a bit worked up. They involved third-party vendors, the types of partners we probably all work with.

Shell was hit on May 29, Home Depot on April 8. Both from small vendors they work with.

It got me thinking that, no matter how prepared we are, we have to triple check the security of everyone we work with. So get out your notebook, because I’ve got some tips for ya.

⚙️ Here’s what we got going on today:

• Don’t Let Vendors Cost You Millions  → Ask the right questions to save your skin

• Compliance for COOs → Let’s avoid a $200k+ penalty

• Contracts for Newbies → We’re not lawyers, but we can read

Let’s dive in.

(P.S Anything you want us to cover in a future edition? Reply to this email or hit me up at [email protected]. )

^{Together With…Me!}
Looking for a better accountant?

A bad accountant can cost you a lot of time, a ton of money, and (if you’re really lucky) some special one-on-one time with the IRS.

Instead of finding a good accountant through trial-and-error, why not just use accountants that other Bottleneck readers love and vouch for?

We’re putting together a scorecard on:

• What firms other operators are using 🧑‍💻

• What firms have the highest rating among our readers ⭐

• How much they charge 💰

Want access? All you need to do is fill out the below survey about your own accountant (we’ll anonymize all responses 🤝).

We’ll compile all of the responses into a tight, easy-to-understand report and send it to your email next week.

5 Operator’s Library Links

• How AI tools can make a mind-bending contract comprehensible. 

• Compliance is a competitive advantage, if you have the right people and can adapt to changing regulations.

• Future-proof your business by avoiding potential compliance mistakes.

• The state of third-party vendor breaches. (Hint: they’re responsible for 29% of overall breaches.)

• Here are some GenAI tools to help you manage risk and compliance issues: from fraud detection and prevention to contract management and legal compliance.

I. Don’t Let Vendors Cost You Millions

Insight from Diana Ramos 

You can do all the due diligence in the world, but if your vendors aren‘t doing the same, you’re screwed.

American Express just had this happen in March when the security of one of their third-party vendors was breached. Between January and March this year, they reported 16 data breaches.

Failures like these don't just piss off customers and stakeholders, they’re expensive. The average data breach costs companies $4.4 million.

The best way to prevent this from happening? Vendor-risk assessments, the process of identifying and evaluating potential risks a vendor might pose to your business.

These assessments aren’t sexy, but they’re necessary (like that zinc sunscreen that Zuck rolls up to the lake wearing👇)

If you need a place to start, here are three key questions to ask the vendors you’re planning on working with:

1. “What is your data security policy?” Do they have certifications that comply with your industry and geographical regulations (e.g. PCI DSS, ISO, HIPAA, GDPR)? How is their data access controlled?
   

2. “Do you have incident security breach management practices in place?” What happens if something goes wrong? Do these systems identify issues as soon as they arise? Are they performing third-party security auditing regularly? 
   

3. “Do you have liability insurance?” Can they cover damages if everything goes to hell? Review their certificate – is it current? It pays to get a legal review of this.    

Third-party partner infrastructure breaches increased 68% over the past year. 

Don’t be like T-Mobile and lose $350 million in customer payouts (and then have another two breaches a year later). Ask the right questions, and cover your you-know-what.

Learn more: A Guide for Startups on Evaluating Vendors

II.  Compliance 101 for COOs

Insight from Gareth Foulkes

When a data breach happens because of non-compliance issues, it costs companies $220,000 more (on average) than if it was for any other reason.

As COO, you’re responsible for the business maintaining compliance.

It’s a lot of responsibility (and so much fun 🥲), but there are three simple ways you can stay up to date:

1. Consult with regulators: Know which associations govern your industry and sign up for their updates (newsletters, press releases, reports). Identify a contact at the regulator and ensure a direct line of communication with them.
   

2. Utilize your network: Find out what other COO’s are doing in your industry and keep each other abreast of changes. Join an association or group (like Cornerstone 👀) and meet regularly to share ideas on how to adapt to changing regulations. Maybe even create a subgroup specifically for compliance-related issues. Bring that knowledge back to your team. 
   

3. Prioritize the critical: Know what the most critical compliance issues are for your organization, and rank them based on importance and potential penalty. Create guidelines that outline the compliance issues from most to least critical, and what your employees should do when they encounter them. Include who they should report to in each instance.   

Learn more: How to Optimize Your Regulatory Monitoring Process

III. Learn the Basics of Contract Review

Insight from Steve Thienel 

You’ve got a new contract in front of you, but the thousands of words are starting to blur together.

You’re not alone. 90% of professionals find contracts either difficult or downright impossible to understand.

Who among us hasn’t fallen asleep at their desk reading a contract at 1AM, fingers covered in dust after powering through a family-size bag of Flamin' Hot Cheetos? Just me? Okay great.

The reality is your legal team is too busy to teach you the basics. Heck, you’re probably the entire legal team at your startup.

Below are some simple areas that you can review before asking for help. 

Here’s your basic checklist:

• Agreement Term: Make sure the duration is correct, as are all key dates for deliverables.
  

• Payment Terms: Who pays who? How much do they pay? When do they need to pay by? Don’t forget to check late payment penalties, default terms, and remedies for default. 
  

• Termination: How do you terminate the agreement? How much notice do you have to give? If you’d like to renew the agreement, what steps need to be taken?

• Data Rights: Who owns what data? Who owns the work that’s being completed? Make sure that the terms align with your goals and with your industry’s compliance regulations.
  

• Regulatory Compliance: If you have a compliance framework, make sure it matches this section. You may need to make additions to ensure compliance.

Those are just the basics. If you have a legal team, now would be the time to pass it to them.

They’ll probably have very few notes and say everything looks great. That’s how that usually goes, right? 😉

Learn more: 10-Step Checklist for an Effective Contract Management Process

Something Fun

Spread The Word

Refer one friend to receive an inside look into what 238 executives are prioritizing in Q3.