Written by: Lisa Spampinato, Derek Morris, Michael Curcurito
Third-Party Incident Management
Third-party incident management (TPIM) involves establishing procedures and protocols to manage incidents that occur outside your organization, including at the vendors, suppliers, and service providers you rely on to conduct your business. Some industry estimates attribute around 60% of breaches to third-party vendors, and IBM's Cost of a Data Breach Report puts the average cost of a breach at nearly $4.5 million. It is the organization's responsibility to understand how to balance its own incident response with the third party's incident response plan (IRP).
Within an incident response program, TPIM is one component of a broader incident response plan that outlines how your organization will identify, assess, and respond to incidents that may impact your business operations. Including TPIM in your program limits the impact on your organization of an event or incident that originates at a third party. Here we break down several areas to start with.
Who Are Your Vendors and Your Vendor’s Vendors?
An organization should know who its service providers and vendors are and manage the relationships it has with them. First, the organization should have a third-party risk management program, or at least a process for inventorying all third-party relationships. This can be done manually or with a tool; for example, our WolfPAC Integrated Risk Management team offers software to track and inventory third-party relationships. Once a relationship is inventoried, the next step is a process to assess vendor risk, and that risk rating should drive how often the vendor is monitored. Monitoring can consist of checking the vendor's website for updates, subscribing to its mailing lists, and/or using a service that monitors the organization's third parties. The inventory should be reviewed at least annually to confirm that all third parties are accounted for.
In today’s interconnected world, organizations often rely on a complex web of third-party vendors and service providers to deliver products and services to their customers. While these third-party relationships can bring many benefits, they can also pose significant risks to an organization’s operations, reputation, and security posture.
It's important to recognize that third-party vendors may themselves rely on fourth-party vendors to deliver critical services or functions. It is not uncommon in the age of outsourcing for a critical third party to subcontract functions to other vendors, so the organization needs visibility into its entire supply chain and should identify every vendor, direct or subcontracted, that has access to its sensitive data or systems.
Requesting System and Organization Controls (SOC) reports from all critical third-party vendors gives valuable insight into their security and risk management practices. Do not be averse to asking your third parties which vendors they subcontract critical functions to and whether SOC reports for those subcontractors are available for review by your vendor management group. Knowing your supply chain matters most when an incident occurs somewhere in the chain and you need to establish quickly whether your data or services were in scope.
Ultimately, a comprehensive vendor management program that monitors and oversees all third-party vendors and their subcontractors is what lets an organization mitigate the risks of these relationships and keep its operations secure and resilient.
What Are Their Responsibilities and What Are Your Responsibilities at the Organization?
Understanding the "what" of your third parties means identifying the risks the organization takes on through the products and services each one provides. In the third-party risk assessment, wherever it sits in your program, it is vital to rate the criticality of each vendor and to record what data of yours the vendor holds or can access.
Management can conduct a review and obtain several things to determine the responsibilities of the organization and the responsibilities of the third-party.
- System and Organization Controls (SOC) Report: A SOC report details the controls surrounding the third-party products that an organization uses. Within the SOC report are Complementary User Entity Controls (CUECs), which describe controls the customer organization is responsible for implementing to protect itself. Based on the risk of the third party, the organization should review and formally respond to the CUECs on a risk-based frequency (high risk annually, moderate risk biennially, low risk triennially). These help identify controls the organization should implement to reduce the risk of a malicious actor taking advantage of a vulnerability in a third party's product or service. Check that the report's scope and period actually cover the services and locations you use; a report for a different product line or an old period offers little assurance.
- Incident Response Plan (IRP): An incident response plan is a formal document that outlines the actions an organization will take, and who is responsible for them, when it encounters an event. It accelerates decision-making and the response process when the organization is faced with an adverse event. An organization should review its third party's IRP to determine its communication paths, assess the third party's responsibilities, and judge whether it has the capabilities and resources to respond to an event.
- Service Level Agreements (SLAs): An SLA sets the uptime/availability targets and the incident notification and response times that a third party contractually commits to. The SLA helps the organization manage its expectations of the third party and clarifies each side's responsibilities. Confirm that the notification window the third party commits to is short enough for you to meet your own regulatory and customer notification obligations.
- Cyber Insurance: This is the documentation that we see organizations and third parties struggle with the most as they do not fully understand the cyber insurance they have. Our Business Continuity Professional Dan Poucher has written a comprehensive article on how to understand cyber insurance.
Various organizations and services provide near/real-time data, scoring, and incident reporting on the cybersecurity posture of third parties. These services can be highly beneficial for organizations that work with multiple vendors and want to stay informed about potential risks: subscribers receive alerts and notifications about security incidents or vulnerabilities affecting their third-party vendors, sometimes from a credible and objective source before the third party itself reaches out. That information lets the organization take proactive measures to mitigate the risk to its own systems and data.
Not all such services are created equal. Choose one that is reputable and reliable and whose information is accurate, and conduct thorough due diligence before selecting a provider.
When Should You Reach Out to Your Vendor?
Having a designated third-party relationship owner or group is an essential part of an effective TPIM program. The organization should have continuous contact and an individual or group that is responsible for maintaining regular communication with third-party relationships. This ensures that they are meeting their obligations and keeping up to date with any changes or events that may impact the relationship.
Implementing a designated point of contact for third-party relationships allows your organization to quickly identify any issues or concerns that may arise and take appropriate action to address them. Additionally, this can help accelerate the notification process when an incident occurs, since both parties will already have an established relationship and communication channels in place.
It’s also important to note that the third-party relationship owner or group should work closely with other stakeholders within your organization, such as your incident response team, to ensure that everyone is aware of their roles and responsibilities in the event of an incident. This can help ensure a coordinated and effective response to any incidents that may occur involving third-party relationships.
When an incident occurs at the third party, the organization must activate its own IRP and work out how it dovetails with the third party's IRP. Even while waiting on the third party for details, the organization is not idle: it can scope its own exposure, prepare communications, and anticipate what the response effort will require.
How Will You Respond/Wrap Up the Incident?
To start, assessing the amount of data stored in third-party applications/software is an important step in understanding the potential impact on an organization. Depending on the type of data stored, the impact could vary greatly.
Internally, the impact could be on employees and consultants who have access to the third-party applications/software. If there is a large amount of sensitive data stored, such as financial information or personally identifiable information (PII) of employees or customers, there could be a risk of data breaches or unauthorized access. This could result in reputational damage for the organization, as well as legal and financial consequences.
Externally, the impact could be on customers and other third parties who interact with the organization. If their data is stored in the third-party applications/software, they could be at risk of identity theft or other forms of fraud if the data is compromised. This could lead to loss of trust and confidence in the organization, as well as potential legal and financial consequences.
Therefore, it’s important for organizations to regularly assess the amount and type of data stored in third-party applications/software and implement appropriate security measures to minimize the risk of data breaches or unauthorized access. This could include data encryption, access controls, regular security audits, and employee training on data security best practices.
While waiting for the third party's communication on an incident, the organization should open a log entry for the third-party incident and record the following components for the incident report:
Incident Description:
- Date and time of the incident
- Place of the incident
- Parties involved in the incident
- Type of incident (third-party, operations, systems, etc.)
- Cause of the incident
- Point of contact or group responsible for the third-party
Initial Risk Assessment:
- Define the nature and scope of an incident by identifying what customer information systems/types of customer information have been accessed or misused or what system/equipment has been compromised
- Number of individuals potentially affected
- Products and services with the third-party that could be potentially affected by the incident
- Risk to individuals (types and extent)
- Systems affected
- All third parties involved
- Data that resides on the systems or with the third party
Containment, Eradication & Recovery:
- Incident documentation
- Containment actions
- Communication efforts
- Eradication actions
- Recovery actions
- Items resolved/closed with dates
- Priorities and considerations for ongoing monitoring and investigations of third parties
Follow-up Actions:
- Lessons learned
- Revision of third-party controls
- Notification follow-ups
When the third-party has confirmed the occurrence of an incident, it’s important to note that before sending any notification to the affected parties, the organization should first determine the extent of the incident and the type of information that has been compromised. If it is determined that there is a risk of harm to individuals, the organization should notify the affected individuals as soon as possible.
It is also important to provide affected parties with advice on how to protect themselves, such as changing passwords or monitoring credit reports. The organization should also provide these parties with information on how to report any suspected instances of identity theft or fraud. It’s crucial to ensure that the notification is clear, concise, and easy to understand. The organization should also make sure that the notification is sent through a secure channel to prevent further compromise of the affected parties’ information.
In addition to notifying affected parties, the organization should also consider notifying any regulatory authorities or industry groups that may be relevant to the incident. These notifications should be made as soon as possible to minimize any potential legal or reputational risks to the organization.
Once the above is established, you can add the third party to a watch list that is reported to an oversight committee with periodic updates. The criticality of the incident and the risk the third party presents determine how long the party stays on the watch list and what further due diligence is required.
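As an added illustration (not the authors' or WolfPAC's code) of three things described above: the risk-based CUEC review cadence, the incident report fields, and the watch list, the Python sketch below keeps a vendor record with its known fourth parties, flags overdue CUEC reviews and missing due-diligence artifacts, records a third-party incident using the template's fields, and derives a watch-list end date. The vendor names, dates and incident are constructed sample data; the watch-list durations, the criticality rule and the sensitive-data categories are assumptions, not figures from the article.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional

# CUEC review cadence by vendor risk tier, in years, as stated in the article.
CUEC_REVIEW_YEARS = {"high": 1, "moderate": 2, "low": 3}
# Assumed watch-list duration by incident criticality, in days (not from the article).
WATCH_LIST_DAYS = {"high": 365, "moderate": 180, "low": 90}
SENSITIVE_DATA = {"customer PII", "employee PII", "financial information"}  # assumed


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb in a non-leap target year becomes 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Vendor:
    name: str
    risk: str                          # "high" | "moderate" | "low"
    relationship_owner: str            # designated point of contact
    data_held: List[str] = field(default_factory=list)
    fourth_parties: List[str] = field(default_factory=list)  # known subcontractors
    soc_report_on_file: bool = False
    irp_reviewed: bool = False
    last_cuec_review: Optional[date] = None

    def cuec_review_due(self) -> Optional[date]:
        if self.last_cuec_review is None:
            return None
        return add_years(self.last_cuec_review, CUEC_REVIEW_YEARS[self.risk])


def due_diligence_gaps(vendor: Vendor, today: date) -> List[str]:
    """Missing artifacts and overdue CUEC reviews for one vendor."""
    gaps = []
    if not vendor.soc_report_on_file:
        gaps.append("no SOC report on file")
    if not vendor.irp_reviewed:
        gaps.append("third-party IRP not reviewed")
    due = vendor.cuec_review_due()
    if due is None:
        gaps.append("CUECs never reviewed")
    elif due <= today:
        gaps.append(f"CUEC review overdue since {due.isoformat()}")
    return gaps


@dataclass
class ThirdPartyIncident:
    """Fields from the incident report template; action lists fill in as work proceeds."""
    vendor: str
    occurred_at: datetime
    location: str
    incident_type: str
    cause: str
    point_of_contact: str
    systems_affected: List[str]
    data_affected: List[str]
    individuals_affected: int
    third_parties_involved: List[str] = field(default_factory=list)
    containment_actions: List[str] = field(default_factory=list)
    eradication_actions: List[str] = field(default_factory=list)
    recovery_actions: List[str] = field(default_factory=list)
    resolved_on: Optional[date] = None
    lessons_learned: List[str] = field(default_factory=list)

    def criticality(self) -> str:
        """Assumed rule: sensitive data plus affected individuals is high."""
        if self.individuals_affected > 0 and SENSITIVE_DATA & set(self.data_affected):
            return "high"
        return "moderate" if self.systems_affected else "low"


def watch_list_until(incident: ThirdPartyIncident, opened: date) -> date:
    """Date the vendor can come off the oversight committee's watch list."""
    return opened + timedelta(days=WATCH_LIST_DAYS[incident.criticality()])


def unknown_fourth_parties(incident: ThirdPartyIncident, vendor: Vendor) -> List[str]:
    """Parties named in the incident that the inventory never recorded."""
    known = {vendor.name, *vendor.fourth_parties}
    return sorted(set(incident.third_parties_involved) - known)


# Constructed sample data (hypothetical names).
CORE_PROCESSOR = Vendor(
    name="Core Processor Inc", risk="high", relationship_owner="vendor-mgmt@example.org",
    data_held=["customer PII", "account numbers"], fourth_parties=["CloudHost LLC"],
    soc_report_on_file=True, irp_reviewed=False, last_cuec_review=date(2023, 2, 15),
)
SAMPLE_INCIDENT = ThirdPartyIncident(
    vendor="Core Processor Inc", occurred_at=datetime(2024, 2, 28, 9, 30),
    location="vendor's hosted statement portal", incident_type="third-party",
    cause="unknown, pending vendor report", point_of_contact="vendor-mgmt@example.org",
    systems_affected=["statement portal"], data_affected=["customer PII"],
    individuals_affected=1200,
    third_parties_involved=["Core Processor Inc", "CloudHost LLC", "PrintMail Co"],
)
```

Running `due_diligence_gaps` over the whole inventory on a schedule gives the annual inventory review something concrete to act on, and `unknown_fourth_parties` surfaces subcontractors that first appear in an incident report, which is exactly the supply-chain visibility gap discussed earlier.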
Where Does the Incident Take Your Relationship and How Do You Handle It Moving Forward?
After the incident is over, the organization faces the question of whether to keep doing business with the third party or to find a new relationship. If the service provider has followed through on its communications and used its response plan effectively, discussions with that organization should center on its lessons learned. A determination of the impact to your organization and an analysis of the continued use of the service or application must be part of your management and risk conversations. If you choose to continue with that third party or service, its security program deserves more scrutiny: ask more questions, require further due diligence and proof, and look for evidence that the issue is being addressed from the top down.
TPIM is an ongoing process that requires coordination and collaboration between the incident response (IR) and third-party risk management (TPRM) teams within an organization. As companies continue to rely on more third-party vendors for products and services, the need for effective TPIM practices becomes even more critical.
The TPIM process involves identifying and assessing risks associated with third-party vendors, establishing controls to mitigate those risks, monitoring and evaluating vendor performance, and responding to incidents that may arise. This requires close collaboration between the IR and TPRM teams, as they work together to identify potential threats and vulnerabilities, establish protocols for managing incidents, and ensure the organization has the necessary resources to respond quickly and effectively.
Effective TPIM practices are essential for limiting exposure and reducing the impact of third-party incidents on the organization. By establishing strong controls and protocols for managing third-party risks, companies can reduce the likelihood of incidents occurring, minimize the potential impacts, and maintain the trust and confidence of their customers and stakeholders.