Regulators are said to be discussing how to improve a critical area of cybersecurity: outside vendors, including law, accounting and marketing firms and even janitorial companies.