Cyber Risks: Vendor Compromise

We provide guidance and resources to help you manage vendor system compromise risks.

Types of vendor cyber incidents

Data breach

The safety of your data held with vendors is reliant on how good their IT security and risk management is. If a cybercriminal steals data, you may have legal obligations as the data owner to notify affected individuals, even though there was no access to your own systems. Vendor-caused data breach incidents can occur in any industry, but they are particularly prevalent in healthcare and financial services, where vendors often store or process data about patients or payments.

Network intrusion

Organizations often give vendor partners access to their computer systems. If a cybercriminal compromises a partner system, they may be able to access your system via their login. This type of incident is particularly common with IT managed service providers (MSPs), if access keys are not securely managed. More importantly, this behaviour is hard to detect because the cybercriminal will be using valid login information and coming from a trusted source.

Technology supply chain attack

Cybercriminals are increasingly targeting software companies to hide malware in legitimate software. When a company pushes out updates to their software, malware can spread to their customers’ systems and may avoid detection because it the source is inherently trusted. These attacks are expected to increase, and the damage they cause can be widespread.

Fourth-party incidents

Your vendors have vendors of their own, and a cyber incident at one of their vendors can create a ripple effect back to your organization.

How to protect against vendor cyber incidents

Manage access to your systems

Identify which vendors have access to your network. Enforce strong MFA and limit access based on the principle of least privilege. Log, monitor, and audit vendor access to your systems. Using endpoint detection and response (EDR) tools in enforcement mode can help detect unusual behaviour resulting from a compromised vendor

Include security and notification requirements in your vendor contracts

Assess your vendors’ security practices and ensure vendor contracts require adequate security based on the services they are providing. Require that a vendor notify you of an actual or suspected data security incident within an agreed timeframe that will allow you to evaluate your notification obligations. Assign responsibility for notification to regulators or individuals and the costs of these notifications in the contract.

Understand your software

Software products often contains code from a variety of sources. New tools make it easy to generate a software bill of materials (SBOM) to help you identify parts of your software that may have known vulnerabilities.

Build your supply chain risk management

Developing robust supply chain risk management is the best way to reduce vendor risks. It can be a challenge for smaller organizations, but you can start by identifying and classifying your vendors and suppliers based on risk. Focus on those who present the greatest risks first, and then proceed from there.

How to respond to a vendor or supplier cyber incident

We encourage policyholders who experience an actual or suspected cyber incident to notify us immediately.

Vendor or supplier incidents pose special challenges.

All of the usual issues involved in a response - conducting a forensic investigation, determining notification obligations, and notifying in a way that helps preserve customer relationships - can become much more complicated in a vendor incident. With experience helping our clients through thousands of vendor incidents, we can help you to understand the issues that commonly arise and to navigate through the process of managing the incident.