2022 DSIR Deeper Dive: Supplier Incidents | BakerHostetler


Vendor-caused incidents continued to increase in 2021. Nearly 20 percent of all incidents we’ve handled in the last year were caused by vendors, with more than half requiring notification. As in previous years, incidents involving vendors included phishing schemes and accidental disclosures, but consisted mainly of ransomware attacks on vendor systems. These ransomware attacks often involved stealing customer data from a vendor’s environment, or even spreading the ransomware from the vendor into the customer’s environment using the vendor’s own credentials.

Working with clients on both the provider and customer side of these incidents, we have seen the far-reaching and lasting impact of such incidents on everyone involved. Many providers play a critical role in their customers’ operations and pride themselves on their focus and commitment to security. But the wealth of sensitive data they manage and their access to multiple customer environments make them valuable targets for threat actors. Threat actors can rely not only on their usual payment extortion tactics, but also leverage the additional pressure from customers who need their data or the vendor’s services to keep business running. Even in cases where the incident may not be obvious to a vendor’s customers, we have seen threat actors contact customers directly in an attempt to get the vendor to pay the ransom. The scale of incidents involving vendors often draws heightened public attention, which can further complicate a vendor’s payment decision.

On the customer side, vendor-caused incidents present unique challenges for responders who are at the mercy of vendor decisions, backup procedures, and the vendor’s willingness to share information. Often these providers are the only game in town, leaving customers with few alternatives. As sensitive data continues to flow to third parties, vendor risk management remains as important as ever. Here are some lessons learned and tips to strengthen defenses against vendor-related incidents.

  • Detection and notification deadlines vary widely – The time it takes for providers to notify their customers of an incident can vary widely depending on the nature and scope of the incident, the scope of the provider’s services, and the legal or regulatory obligations of the parties. In ransomware situations, vendors may rush to send an incomplete or inaccurate notification to customers, requiring customers to repeat or expand their notification analysis as the investigation progresses. Planning, preparing, and practicing a response to ransomware incidents can help bring organization and speed to a chaotic situation. The importance of creating a ransomware playbook and conducting tabletop exercises cannot be overstated, and it is important for organizations to include a vendor-originated incident scenario in their planning. Even after the initial response and containment of the incident, it can take several weeks or months for a vendor to determine the scope of the data involved and the customers to which it belongs. Vendors should conduct frequent inventories to determine where sensitive customer data is stored, and customers should be aware of the nature and amount of data being shared with third parties. This complexity often delays notification to affected individuals.
  • The exchange of information is also different – Since the incident occurred at the provider, the provider controls the investigation and decides what information is shared with customers and when. It can be difficult for providers to balance the need to give customers accurate and complete information with the desire for transparency. Even after the investigation is complete, vendors may not be able or willing to provide full details, even where there are contractual requirements to do so. In some of the matters we handle, providers only share final results and refuse to disclose the details that led to those results, or even the name of the forensic provider. This is often frustrating for customers who are struggling to complete their own analysis and meet regulatory requirements. Vendors should consider preparing a version of their forensic report that can be shared with customers to help those customers determine their notification obligations.
  • Supplier verification (and re-verification) remains key – Before engaging a new vendor that will have access to their environment or data, customers must exercise due diligence to ensure the vendor has adequate security safeguards in place and practices good data hygiene. Proper verification can not only help reduce the likelihood of a data security incident, but also protect an organization from regulatory and legal risks stemming from negligent selection or oversight of vendors. In some sectors, such as accounting, legal services and government agencies, providers can receive personal data without customers realizing the risk or ensuring that the provider has adequate safeguards in place. In particular, healthcare organizations must obtain satisfactory assurances that vendors who create, receive or maintain protected health information on their behalf (“business associates”) adequately protect the information. A vendor’s compliance with security requirements is assessed through vendor risk assessments, which should be repeated on a regular basis, particularly in response to environmental or operational changes and when an incident occurs.
  • Understand and limit data sharing – On both the customer and provider side, minimizing the personal and/or sensitive information shared with or accessed by a provider can mitigate risks and exposures. In many of the supplier incidents we have handled, the supplier, the customer, or both were unaware of the nature and volume of data being exchanged between them. This can lead to a great deal of initial uncertainty about the impact of the incident and the possible reporting requirements. To avoid this, customers should only provide information that is necessary for the provider’s services. Customers also need to understand what data is being collected, by whom and for what purposes; how and for how long this data is stored; and which providers have access to it. Providers should likewise understand the data they receive or have access to and the associated obligations, and take steps to ensure that they do not receive sensitive data that is not necessary for the provision of their services. As mentioned above, conducting frequent inventories of customer data and its location can also help providers quickly identify affected customers when a data security incident occurs.
  • Make breach notification provisions reasonable – In many cases, customers try to add certainty or urgency to the vendor’s breach notification obligations. These provisions can include terms like “immediately”, “within 24 hours”, “within 72 hours”, etc., and are triggered by the “detection” of an incident. However, as incident responders know, little meaningful information is available when an incident is first discovered, and downstream contracts are often not front and center and may not even be accessible because of the incident. Rather than using standard breach notification clauses, the parties should consider the nature of the information shared, the scope of the services, and the legal and regulatory obligations of the parties. This is especially important for highly regulated organizations such as healthcare providers and financial institutions, as incident notifications from vendors could “start” their own security breach reporting deadlines, which is problematic when the scope of the incident and the data affected are not yet known. Ideally, the parties will agree on a clause that balances the customer’s desire for transparency and immediate action with the realities of incident response. Vendors should also make sure they are aware of these timing requirements and incorporate them into their incident response procedures.
  • Know your remedies – In addition to negotiating breach notification clauses in supplier contracts, parties should understand the terms of the contract regarding notification requirements and remedies. In 2021, we saw an increasing number of vendors refusing to issue notifications for their own breaches because the contract did not specifically require them to do so. Customers should include contract language that explicitly states the provider’s obligation to notify individuals and/or regulators at the customer’s request and with the customer’s consent. Provider agreements also vary greatly in the compensation offered in the event of a provider-caused incident. When an incident affects thousands of customers, the wording of the supplier contract is critical in determining customer rights. Maintaining good business relationships with customers is often a top priority for suppliers, which may lead them to go beyond their contractual obligations.
  • Customers also face regulatory scrutiny and class action lawsuits – Even when an incident occurs at a vendor, we have seen customers face regulatory inquiries or class action lawsuits. While regulators often focus primarily on the provider that experienced the incident, they can and will also investigate a provider’s customers, most often with a view to whether individuals were notified, whether the customer had sufficient oversight of the provider’s security measures, and whether the parties had reached appropriate agreements regarding their respective responsibilities. In 2021, we also saw an increase in the number of class action lawsuits filed against companies for a vendor-caused incident. In many cases, the plaintiffs do not recognize the vendor or even know that their information was shared with the vendor, making the company with which they have a direct relationship an easier target.
