Third-Party Risk Management and Vendor Notifications
Third-party vendor contracts can multiply the impact of a data breach unlike any other and bring with them a veritable sea of risks. According to The Data Privacy and Data Breach Link, Osano reports that the average company shares data with 730 vendors and third parties. In our series, RadarFirst Investigates, we set sail to explore the operational challenges of vendor contract management and discover how organizations can protect their data and their customers.
This session uses the MOVEit attack as a scenario to explore what this sort of breach could mean for businesses that exchange data with one another.
“We’re all a vendor to someone, whether it’s an end-user customer, a regulator reviewing us, or another business-to-business arrangement we have.” – Lauren Wallace, RadarFirst Chief Privacy Officer and General Counsel
In this session, Ron Whitworth, Chief Privacy Officer at Truist, and Andy Cavo, Global Head of Cyber Legal at Barclays, joined Lauren Wallace, RadarFirst’s Chief Privacy Officer and General Counsel, in a panel discussion to assess the high-profile breach and explore best practices for managing third-party and vendor contracts within your organization to mitigate risk before a breach occurs.
Summary of the MOVEit Breach
The MOVEit attack began in May 2023 and exploited a flaw in the MOVEit managed file transfer service, affecting numerous organizations that use it for secure file transfer. The Cl0p ransomware group, believed to be responsible for the attack, is known for extorting money from victims.
Major, well-known organizations were impacted, along with US states and foreign countries. Individuals’ information compromised included insurance numbers and bank details. Progress Software, the vendor of MOVEit, released security updates and urged its customers to apply them promptly.
However, numerous affected firms have yet to install the patch, leaving potentially thousands of companies vulnerable. Businesses, both data controllers and data processors, very likely had to notify their upstream customers of this event. Read the full summary of the incident.
From a data privacy perspective, what makes this incident interesting is that even though the organizations collecting the data were not at fault for the breach, the event could easily damage the trust of their customers and undermine business relationships. Given the reputational and financial harm at stake for the involved parties, organizations must examine an incident at a third party as if it were the result of their own actions.
Assessing and Triaging Vendor Contracts
Third-party vendors are an essential part of modern business that brings both reward and risk. Whether your organization needs to bring in specialist expertise or supplement capabilities it cannot own internally, third parties are often the most efficient and economical way to accomplish strategic goals.
“When you engage third parties, you essentially are extending your own risk to another organization in a way that does not alleviate any accountability for the primary institution.” – Ron Whitworth, Chief Privacy Officer at Truist
At the onset of a new vendor agreement, it’s important to assess what controls you have in place and to confirm that you have the right contractual provisions to protect your company. In large organizations, security teams often run a third-party risk management program to assess suppliers and seek assurances that they are taking the right steps to protect their environment and data. However, ongoing risk management is crucial to maintaining healthy contracts.
Watch the recording to learn what questions Ron and Andy say you should ask yourself in the event of an incident and for steps on how to ensure alignment between teams in the event of third-party vendor breaches.
Nth Party Vendors
The term “Nth Party” refers to the underlying services that store and transmit data between organizations and their third parties. Across regulated industries, concerns around third-party vendors are gaining attention among regulators because of the concentration of risk they represent.
The FDIC, the SEC, the OCC, and the European Central Bank have all issued stringent guidance making clear that regulators will not accept risk being offloaded to third parties, and setting out the steps organizations must take to assess risk from vendor incidents originating at third parties, fourth parties, and beyond.
In the event of an incident originating from a third or fourth party, your incident response team needs to know:
- What does that mean for your business?
- How many hours do you have to recover?
- Which regulators do you need to notify and how quickly?
- Who is accountable for communicating these events and how will they communicate them?
A privacy incident response tabletop exercise can help you find answers to these questions before a crisis strikes.
Organizations that manage hundreds or thousands of third-party relationships can’t train each and every vendor on their tabletop approach. To be proactive, however, you can build that awareness into your third-party risk management program.
Third-Party Risk Management Programs and Notifications
One initial speed bump to incident response in these situations is team collaboration. In large organizations, each vendor contract may have a dedicated third-party risk manager who spearheads activity for the risk management team. This vendor manager is a great source of incident information because they work in the day-to-day business of the vendor, and they should be a primary point of contact when communicating contractual agreements and even notification obligations in the event of a breach.
“It’s all about the upfront work and knowing where suppliers are and what they do for you and which ones are the most important for that matter.” – Andy Cavo, Global Head of Cyber Legal at Barclays
With an established communication framework, meeting notification obligations to internal stakeholders, regulators, and impacted individuals should be as simple as running a playbook.
But there’s another category of third-party notifications: notifications to affected individuals.
“Negotiating these provisions can be quite complicated. I’ve started to think more along the lines of the guidance that we are getting from the regulators, which requires notification once the determination of materiality has been made, not once you know or should know.” – Lauren Wallace, RadarFirst Chief Privacy Officer and General Counsel
Beyond the notifications that regulators require, contracts with third parties also impose notification obligations in the event of an incident that could cause harm, creating a web of notifications with no clear direction. This web raises questions of process and legality around who is notified and when, and how your organization operationalizes these processes within each agreement. Ideally, the relationship manager knows who to go to with that information once it has been determined internally.
From an incident response lens, the stipulations around time to notification can be semantics within a larger conversation about an incident. What matters to both teams is knowing the full extent of the incident so that everyone has actionable information and a clear path to resolution.
Being prepared ahead of time can save you time, stress, and a potential loss of customer trust.
Want the full story? Watch the Webinar.