Expanding regulations and stakeholder expectations could require organizations to report cybersecurity incidents more quickly — even incidents at a third-party vendor or supplier.
That poses two challenges for organizations:
- There are potential regulatory liabilities in the event of a third-party breach, and traditional third-party due diligence may not sufficiently address these.
- Incident management processes must extend out to vendors and suppliers, so the organization can understand the scope of any breach (including the systems, customers, and other factors affected) and complete the required reporting and disclosure procedures.
To meet the first challenge, many organizations still assess their liabilities with a list of yes-or-no questions that has not evolved much since the early days of cyber liability insurance underwriting. However, growing premium payouts have convinced insurers that high-level questionnaires are not enough to manage cybersecurity exposure. The same is true for third-party risk exposure.
Checking a box rarely provides enough context to understand whether a risk is mitigated. The real questions you need to answer are more like these:
- How is the control properly configured?
- How is it consistently applied?
- How can we get closer to real-time detection, investigation and containment for third-party incidents?
Related resources
ARTICLE
Growing reliance on third parties
The growing adoption of cloud-based solutions has many advantages, but it has also coincided with a rise in the number and impact of data breaches caused by third parties.
To better manage cloud and vendor risk, some third-party due diligence questionnaires have become more customized and detailed. However, this depth of detail comes at a cost. Organizations must manage the collection of the responses, ensure their relevance, and confirm that each provider’s scope of services aligns with its contract. Providers often send pre-completed “standardized information gathering” forms, or a SOC2 report, and point to an exchange from a system like OneTrust, KY3P, Venminder or ISS. That information is useful to some extent, but it is limited to a single point in time.
A CISO cannot manage an organization’s cyber risks through point-in-time questionnaires alone. As more capabilities shift to external service providers, the CISO’s prerogative must be to harden continuous monitoring programs. The attack surface has not only extended to the cloud, but to the extended ecosystem — vendors, business partners, service providers and customers.
Organizations need to integrate cyberrisk intelligence platforms with third-party incident prevention and detection that gets closer to real-time protection. Indicators like downward-trending security scores can help spot weaknesses in advance, but your resources and security measures must ultimately protect your most critical assets and confidential information.
Growing attention from regulators
News about security breaches has become a common occurrence, and attacks have become more complex. Malicious code, compromised third-party login credentials and other issues can go months before being detected.
Regulations that once applied to only the banking or healthcare industries have now expanded to the retail, insurance, critical infrastructure, and all publicly traded entities. While regulatory changes were relatively quiet in the decade before 2020, 2021 and 2022 saw banking regulators, the White House and the SEC publish more specific cybersecurity controls and minimum requirements, formally tightening breach and incident reporting requirements including:
- The President’s Executive Order (EO) – In early 2021, EO 14028 charged multiple agencies with enhancing cybersecurity through various initiatives related to the security and integrity of the software supply chain.
- Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the FRB, and OCC – In August 2021, the regulators jointly developed additional guidance on a risk management framework to help banking organizations manage third-party relationships. In June 2023, interagency guidance reinforced various third-party risk management activities and oversight. The guidance also clarified other areas, including the use of subcontractors (fourth parties), incident management procedures, contracting better practices, and what constitutes “critical” relationships. Lastly, the guidance reiterated a 36-hour incident notification requirement (12 CFR part 53).
- New York Department of Financial Services – On Nov. 9, 2022, the proposed second amendment to 23 NYCRR Part 500 (DFS Cybersecurity Regulation) was published in the New York State Register.
- SEC – In March 2022, the SEC proposed amendments that would require, among other things, customer disclosures around material cybersecurity breaches, stronger infrastructure controls, and periodic updates to any previously reported cybersecurity incidents. Boards of public companies recognize these risks and are stepping up to improve cyber defenses and response plans. On March 15, 2023, the SEC announced it would plan to extend similar requirements to the broader securities market participants.
Your incident impact assessments and reporting must consider the latest guidance, following consistent processes that comply with your unique regulatory requirements to report the type and amount of data lost or compromised.
Effective response and reporting
The increased risk of cybersecurity incidents, and the increase in regulatory action, make it essential to have an effective cyber incident resilience and reporting program with these key elements:
- Organizational playbooks: When cyber incidents are treated as a component of enterprise risk, rather than IT phenomena, multi-disciplinary teams practice critical incident response protocols. You need expertise from legal, finance, IT, security, compliance and customer relations and other disciplines on integrated teams to ensure that these protocols cohere into action in the event of a breach.
Ensure all phases of the incident lifecycle are addressed, with defined roles, responsibilities, and disclosure requirements and timelines. The phases typically include Discovery, Investigation, Response, Reporting, Closure, and Lessons Learned. - Zero Trust and Vendor Privileged Access Management (VPAM): There is a growing need to verify authentication requests for context, not just at the point of entry. Active monitoring of sessions for appropriate behavior is critical, even if access is connected via a trusted network segment or originating from an untrusted environment. Ensure multi-factor authentication, with access restricted to the least amount needed for third party or vendor users to perform their roles. Ideally, all vendor access should adhere to a just-in-time access model, meaning it is provisioned only when certain contextual parameters are met, and promptly deprovisioned when the work is complete.
- Contract requirements for disclosure: Based on the engagement-specific inherent risks and data being exchanged, consider the contract requirements for indemnity, breach reporting disclosures, and associated timelines. You need processes to ensure there is consistency across all similar outsourced arrangements.
- Reporting processes: Once your organization and teams are properly aligned, prevention and detection controls and tools are in place, and contracts are updated, what’s next?
You should ensure vendors are reporting events, instead of just waiting to hear from them. Periodic, proactive reach-outs can be automated, checking whether vendors have had any recent incidents and the potential impacts.
Another proactive approach is to turn alerts and critical notifications from external risk intelligence tools into a ticket or follow-up that can be forwarded to the vendor for response as needed. This type of real-time notification can get ahead of incidents and determine impact and remediation, even before the vendor raises the issue. - Niche specialists: Risk and security professionals can help retool incident management processes that are typically internally facing. To handle a breach, it’s likely that an organization will need niche expertise from specialists such as outside counsel and forensic security experts. These specialists will have more experience with breaches than internal personnel, and they need to be incorporated into planning and practice exercises to ensure that the knowledge of systems and company practices is shared over time.
These elements can help you form a more data-driven approach and automate decisions, moving you closer to real-time risk identification and mitigation.
Effective planning
You need a third-party risk team and a Cybersecurity Event Response Team (CERT), both involved in creating and executing a third-party breach incident response plan. The third-party risk team can provide insight into the specific third-party relationships and the potential risks associated with those relationships, while the CERT can provide technical expertise and manage the technical aspects of the response effort.
The third-party risk team can take the lead in the discovery and investigation stages of the response plan, while the CERT can take the lead in the response stage. Below is a summary of activities throughout the key phases, which can be used a template for your own third-party breach process:
Discovery
- Identify the third-party vendor(s) involved in the breach.
- Gather information about the nature and scope of the breach, including what data was impacted and how the breach occurred.
- Assess the potential impact on your organization's systems and data.
Investigation
- Work with the third-party vendor(s) to conduct a thorough investigation of the breach.
- Identify the root cause of the breach and any vulnerabilities or weaknesses in the vendor's systems or processes.
- Determine the extent of the damage and the potential risks to your organization and your customers.
Response
- Isolate the impacted systems or devices to prevent the malware or attacker from spreading.
- Identify and disconnect the source of the breach, if possible.
- Change passwords and access credentials for all potentially compromised accounts.
- Review system logs and network traffic to identify additional indicators of compromise (IOCs) and assess the extent of the breach.
- Implement enhanced monitoring and analysis of system logs and network traffic to detect and respond to further attacks.
- Conduct a vulnerability assessment and penetration testing to identify any vulnerabilities in your own systems that may have been exposed by the breach.
- Consider engaging an incident response service provider to assist with the response effort, particularly if the breach is especially complex or large-scale.
- Coordinate with the third-party vendor to address any vulnerabilities or weaknesses in their systems or processes.
Reporting
- Report the breach to relevant authorities, such as regulatory agencies or law enforcement, as required by law.
- Keep all stakeholders informed of the status of the breach and the response effort.
- Notify any affected customers or stakeholders and provide guidance on how to protect themselves.
Closing and Lessons Learned
- Once the breach has been contained and the response effort is complete, conduct a post-mortem review to identify what worked well and what could be improved for future incidents.
- Document the lessons learned, and update policies as needed.
- Evaluate the effectiveness of vendor risk management practices and adjust as needed.
- Conduct regular training and awareness activities for employees and third-party vendors, to reinforce best practices for cybersecurity and incident response.
- Review and update your incident response plan to address any lessons learned from the breach.
As regulators move to seek faster incident reporting and disclosure timelines, you need to consider your current capabilities and your best path to compliance. Specific details of your incident response playbook will depend on the unique characteristics of your organization and its risk profile, but this simple framework should provide a good starting point for developing a comprehensive and effective third-party breach incident response plan.
Make sure you have programs and processes ready to ensure that your plan meets the latest regulations and expectations.
Our third party risk insights
No Results Found. Please search again using different keywords and/or filters.