High-profile compromises of third-party service providers including SolarWinds, Blackbaud, Finastra, and Shopify, as well as compromises due to exploiting vulnerabilities in vendor software (Accellion in 2020 and Microsoft Exchange in 2021), have put C-SCRM front and center. Incident responders continue to work through the impact of those incidents, while using lessons learned to help organizations improve (e.g., defense in depth). Like collaborations between drug manufacturers on COVID-19 vaccines, the efforts and information shared by firms that have investigated third-party incidents (e.g., information provided by FireEye regarding SolarWinds) benefited many and showed a path for more effective responses.
C-SCRM and vendor compromises will only become more challenging as organizations rely more on third parties and threat actors see how effective these attacks can be. Below is a list of vendor-caused incident challenges and lessons learned.
[Statistics graphic; figures not recoverable from the page: share of total incidents involving vendor causes; share of vendor-caused incidents with notice requirements; share of notices with regulatory inquiries]
Vendor-Caused Incident Challenges and Lessons Learned
Timeline from Discovery to Client Notification
It often takes longer for individuals to be notified when a vendor discovers an incident than when the principal organization does. The difference starts with the amount of time it takes vendors to notify their customers of an incident. In addition, the vendor’s initial notice may be incomplete or inaccurate.
Only the Vendor Can Investigate
Because the incident occurred in the vendor’s network, the vendor has to conduct the investigation, leaving the client waiting for results. These investigations are often frustrating for customers, as vendors may be reluctant to share full details or are overwhelmed by inquiries from multiple customers.
Vendor Vetting Is More Important than Ever (But Read the Section on Zero-Trust)
Before engaging a new vendor that will receive access to their environment or data, companies must vet the vendor to make sure it has the proper safeguards in place.
Contractual Terms and Conditions Matter
When a vendor experiences an incident involving thousands of clients, the customers’ rights and remedies start with the language of the vendor contract. The efficacy and appropriateness of terms vary significantly in different scenarios.
Understand and Limit What You Provide to a Vendor
It is not uncommon for clients to be surprised by what data the vendor had.
Oversight After Engagement Is Critical
Easy to say, hard to do.
Beware of Fourth-Party Risk
Vendors have vendors too.