Due Diligence and Ongoing Monitoring

  • 1.  Thoughts on breaches after you did your due diligence

    This message was posted by a user wishing to remain anonymous
    Posted 09-11-2019 01:40 PM

    In regard to a data breach like Equifax: we had reviewed their SOC reports and information security policies and audits but found no concerns, yet there was still a data breach... What else is there to do if all of the due diligence shows satisfactory controls?


  • 2.  RE: Thoughts on breaches after you did your due diligence

    Posted 09-11-2019 02:15 PM

    Regarding Equifax specifically, beyond what you did (reviewing their SOC reports and information security policies and audits, yet finding no concerns), there isn't anything anyone could have done. Normally, you want to make certain you have all of the information you collected for Equifax and be sure you have a current SOC 2 report on any critical or high-risk vendors.

    You can get proactive and ask for a breach clause in your vendor contracts stipulating how you would like each vendor to reimburse you for any actual damages caused by a breach... now we're on a topic for a different forum.

    If all your due diligence comes back without any red flags, and a breach occurs, you will have done all you can do in these instances.
  • 3.  RE: Thoughts on breaches after you did your due diligence

    Posted 11-13-2019 07:53 PM

    We are looking for ways to learn about data breaches, assuming vendors are not always as forthcoming as they should be. For onboarding, we check our state list [https://oag.ca.gov/privacy/databreach/list] and there are some free sites out there [e.g. https://privacyrights.org/categories/data-breaches]. Some subscriptions like RDC do not commit to providing breach alerts. Is there a better way? Some like Equifax will be obvious. Others perhaps not.