If your organization hasn’t yet been affected by a third-party data breach, you’re probably feeling confident in how you’re managing third-party cybersecurity risk. However, it’s important to realize that third-party data breaches are not 100% preventable, regardless of the controls you and your vendors have in place. In fact, studies have shown that most organizations are working with at least one third-party vendor that has previously experienced a breach. This makes it essential to prepare for a third-party data breach, so your organization’s response and recovery efforts are intentional and efficient.
Preparing for a third-party data breach begins with having the right mindset and thinking in terms of when, not if. In other words, it’s best to assume that a third-party data breach is imminent and prepare accordingly. When your organization and third parties are prepared for a cybersecurity incident, you can respond more quickly and limit the impact. Let’s examine four steps to prepare for a third-party data breach and some questions to ask your third parties immediately after an incident.
Taking the time to prepare for a third-party data breach now will greatly benefit your organization when an incident eventually occurs. The following steps can help keep your organization prepared for a third-party incident, regardless of size or severity:
- Review your third party’s cybersecurity posture – Due diligence is an essential activity that will help determine the strength of your third party’s cybersecurity practices. This should include assessing a wide variety of documents related to security testing, data security, incident detection and response, and employee and vendor management. A qualified subject matter expert (SME) should be enlisted to review documents such as penetration testing results, encryption standards, and proof of security training to determine whether the third party has effective controls in place to protect its systems and, in turn, your organization’s data from a breach.
- Include data breach notifications in your third-party contract – It’s important to set clear expectations about how and when your third party should notify you after a data breach, so your organization is better prepared to respond quickly to an incident. Make sure you’re aware of any notification timeline requirements set by your regulators, which typically range between 24 and 72 hours after an incident is discovered. As you’re negotiating the third-party contract, include data breach notification requirements that cover details such as a timeline, instructions for investigating the incident, and how to handle compromised information. Your contract should also detail the third party’s actions to prevent future breaches and any penalties that may result from the breach, such as suspension or termination.
- Formalize and test an incident response plan – Both you and your third party should have documented and tested incident response plans (IRPs) to prepare for a data breach. Your organization’s IRP should describe how you will analyze, mitigate, and report a third-party data breach after discovery. Roles and responsibilities should be clearly outlined to ensure the response is timely and efficient. Test your IRP at least annually, and retest if there are significant changes within your organization or after an incident.
- Communicate frequently with your third party – Regular communication with your third party is important to share information about new cyber threats and vulnerabilities that can impact your organization. Stay informed of the current threat landscape and communicate with your third party to ensure they’re taking the proper precautions and recommended actions. For example, you may want to verify that your third party is following any new standards set by the National Institute of Standards and Technology (NIST) and document any vulnerabilities identified by the Common Vulnerabilities and Exposures (CVE) system.
Once you’re notified of a third-party data breach, it’s important to respond quickly and gather relevant information that can help mitigate the impact. Here are some immediate questions to ask your third party about the data breach:
- When did the data breach occur and when was it discovered? Your organization should understand this timeline, which can give you more insight into the severity of the incident. A large gap between the occurrence and discovery could indicate weaknesses in the third party’s security practices that need to be remediated.
- What data was impacted in the incident? Find out whether the data breach impacted your organization’s and/or customers’ information. Once you’ve confirmed the scope of the incident, you can begin the process of notifying your customers, if necessary.
- What, if any, services were disrupted? Some third-party data breaches can cause severe operational disruptions that can prevent a vendor from servicing your organization. Make sure you understand which of the third party’s services were impacted and how that may affect your organization.
- What remediation efforts are underway? Ask the third party how it’s responding to the event and investigating the incident to ensure it’s meeting the obligations in your contract. The third party may choose to bring in an outside forensics firm to investigate the breach, or it may choose to investigate internally. Consider asking the third party to provide a post-incident report when it’s available. This can identify areas of improvement to prevent future incidents.
Third-party data breaches can be disruptive and challenging to navigate, especially when your organization is caught unprepared. Knowing and following the steps to prepare for a third-party data breach can simplify the process and help your organization respond more consistently and effectively every time. When an incident occurs, asking the right questions can help support better decisions about how to move forward.
Vendor data breaches can range in severity, from minor incidents to significant events that create operational failures and require public disclosure. Protect your organization by learning different categories and types of vendor data breaches in this infographic. Download your copy today.