Cyber Risks: Vendor Compromise
You rely on vendors to help you operate efficiently, but they can also expose you to data theft, ransomware, or intrusion into your system. You can minimise this risk with the right IT security and risk management procedures.
We provide guidance and resources to help you manage vendor system compromise risks.
Types of vendor cyber incidents
Data breach
The safety of your data held with vendors is reliant on how good their IT security and risk management is. If a cybercriminal steals data, you may have legal obligations as the data owner to notify affected individuals, even though there was no access to your own systems. Vendor-caused data breach incidents can occur in any industry, but they are particularly prevalent in healthcare and financial services, where vendors often store or process data about patients or payments.
Network intrusion
Organizations often give vendor partners access to their computer systems. If a cybercriminal compromises a partner system, they may be able to access your system via their login. This type of incident is particularly common with IT managed service providers (MSPs), if access keys are not securely managed. More importantly, this behaviour is hard to detect because the cybercriminal will be using valid login information and coming from a trusted source.
Technology supply chain attack
Cybercriminals are increasingly targeting software companies to hide malware in legitimate software. When a company pushes out updates to its software, the malware can spread to its customers’ systems and may avoid detection because the source is inherently trusted. These attacks are expected to increase, and the damage they cause can be widespread.
Fourth-party incidents
Your vendors have vendors of their own, and a cyber incident at one of their vendors can create a ripple effect back to your organization.
How to protect against vendor cyber incidents
Manage access to your systems
Identify which vendors have access to your network. Enforce strong MFA and limit access based on the principle of least privilege. Log, monitor, and audit vendor access to your systems. Using endpoint detection and response (EDR) tools in enforcement mode can help detect unusual behaviour resulting from a compromised vendor.
Include security and notification requirements in your vendor contracts
Assess your vendors’ security practices and ensure vendor contracts require adequate security based on the services they are providing. Require that a vendor notify you of an actual or suspected data security incident within an agreed timeframe that will allow you to evaluate your notification obligations. Assign responsibility for notification to regulators or individuals and the costs of these notifications in the contract.
Understand your software
Software products often contain code from a variety of sources. New tools make it easy to generate a software bill of materials (SBOM) to help you identify the components of your software that have known vulnerabilities.
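The cross-reference an SBOM enables, as an added example that is not part of this page's guidance: a constructed CycloneDX-style component list is matched against a constructed advisory feed (the ADV-EXAMPLE identifiers and package names are hypothetical), flagging components whose version falls inside an advisory's affected range and noting the data-quality gap when a component has no version.

```python
import json

# Constructed CycloneDX-style SBOM (example data, not a real product's inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1"},
    {"type": "library", "name": "json-parse", "version": "1.9.3"},
    {"type": "library", "name": "image-io", "version": "4.2.0"},
    {"type": "library", "name": "unversioned-lib"}
  ]
}
"""

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "log-helper", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "json-parse", "introduced": "1.0.0", "fixed": "1.9.3"},
    {"id": "ADV-EXAMPLE-0003", "name": "image-io", "introduced": "4.0.0", "fixed": "4.3.0"},
]

def parse_version(text):
    """'2.14.1' -> (2, 14, 1): compare numerically, since '2.9' > '2.14' as strings."""
    return tuple(int(part) for part in text.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable_components(sbom_json, advisories):
    """Cross-reference each SBOM component with the advisory list and return sorted
    (name, version, advisory id) triples. Entries without a version cannot be
    matched, so they are skipped here and should be raised with the vendor."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        name, version = component.get("name"), component.get("version")
        if not name or not version:
            continue
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append((name, version, adv["id"]))
    return sorted(findings)

if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Real SBOM tooling would match on the purl and consult a live advisory database, but the version-range logic and the unversioned-component gap are the same.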
Build your supply chain risk management
Developing robust supply chain risk management is the best way to reduce vendor risks. It can be a challenge for smaller organizations, but you can start by identifying and classifying your vendors and suppliers based on risk. Focus on those who present the greatest risks first, and then proceed from there.
How to respond to a vendor or supplier cyber incident
We encourage policyholders who experience an actual or suspected cyber incident to notify us immediately.
Vendor or supplier incidents pose special challenges.
All of the usual issues involved in a response - conducting a forensic investigation, determining notification obligations, and notifying in a way that helps preserve customer relationships - can become much more complicated in a vendor incident. With experience helping our clients through thousands of vendor incidents, we can help you to understand the issues that commonly arise and to navigate through the process of managing the incident.
"Vendor cyber incidents pose unique challenges, from data breaches to network intrusions. Our proactive approach, including access management and contract scrutiny, empowers organizations to fortify their defenses against evolving threats from vendor systems."
"Navigating vendor cyber risks requires a comprehensive strategy. From managing access to vetting software components, our guidance helps organizations strengthen their supply chain risk management, ensuring resilience against the ripple effects of vendor incidents."