Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

Thanks Mark- my dreams for an "easy" button for SEC breach filings are dashed.  If you do find the link and can post, that would be fabulous.

In the meantime if anyone else has a process or tool that you have found successful to obtain breach information from a third party that you can share, that would be much appreciated.  

Thanks,
Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 09-02-2021 04:31 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

EDGAR - Electronic Data Gathering, Analysis and Retrieval tool provided by SEC has a boolean search feature. You can enter 'breach' or 'cyber' and narrow search to just 8k filings. You can also filter by company name and read more about what T-Mobile shared in their filing. 

https://www.sec.gov/edgar/search/

Original Message:
Sent: 09-03-2021 11:36 AM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Thanks Mark- my dreams for an "easy" button for SEC breach filings are dashed.  If you do find the link and can post, that would be fabulous.

In the meantime if anyone else has a process or tool that you have found successful to obtain breach information from a third party that you can share, that would be much appreciated.  

Thanks,
Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 09-02-2021 04:31 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

Thanks Zack and Anon!

Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer
------------------------------

Original Message:
Sent: 09-03-2021 12:15 PM
From: Zach Meyer
Subject: Disclosure of Vendor breaches

EDGAR - Electronic Data Gathering, Analysis and Retrieval tool provided by SEC has a boolean search feature. You can enter 'breach' or 'cyber' and narrow search to just 8k filings. You can also filter by company name and read more about what T-Mobile shared in their filing. 

https://www.sec.gov/edgar/search/

Original Message:
Sent: 09-03-2021 11:36 AM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Thanks Mark- my dreams for an "easy" button for SEC breach filings are dashed.  If you do find the link and can post, that would be fabulous.

In the meantime if anyone else has a process or tool that you have found successful to obtain breach information from a third party that you can share, that would be much appreciated.  

Thanks,
Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 09-02-2021 04:31 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

This message was posted by a user wishing to remain anonymous

The SEC website has a boolean search tool for the EDGAR database. Cyber attacks and data breaches are captured in 8k filings. SEC.gov | EDGAR Full Text Search 


Original Message:
Sent: 09-03-2021 11:36 AM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Thanks Mark- my dreams for an "easy" button for SEC breach filings are dashed.  If you do find the link and can post, that would be fabulous.

In the meantime if anyone else has a process or tool that you have found successful to obtain breach information from a third party that you can share, that would be much appreciated.  

Thanks,
Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 09-02-2021 04:31 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!

Thanks anon for the bailout!
Original Message:
Sent: 09-03-2021 12:08 PM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

The SEC website has a boolean search tool for the EDGAR database. Cyber attacks and data breaches are captured in 8k filings. SEC.gov | EDGAR Full Text Search 


Original Message:
Sent: 09-03-2021 11:36 AM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Thanks Mark- my dreams for an "easy" button for SEC breach filings are dashed.  If you do find the link and can post, that would be fabulous.

In the meantime if anyone else has a process or tool that you have found successful to obtain breach information from a third party that you can share, that would be much appreciated.  

Thanks,
Shelly

------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 09-02-2021 04:31 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

Hi Shelly,

I am trying to locate the list on the sec.gov site but now having any luck. I am fairly sure I have seen it there. I hope they haven't stopped this. I will look for this and post it here if I can find it but until then I suck for getting your hopes up. I too am very much a trust but verify believer. 

I get this list among others from our Compliance Team, so I cheat. I also cheat because of my proximity to our Red and Purple Teams. I know when there is a whiff of panic on the 'Net. 

As TPRM owners, we need access to an impartial third part who can provide us with this information. Duh!

When my company is the Third Party, we will not hide from telling the truth when asked about breaches. Then again, if I can't provide some proof then what is the value? We are lucky in that <knocks on wood> we are not aware of any breaches that have resulted in the leaking of Company Confidential Intellectual Property or any Personal Information that would require us to file with the SEC. Well, any that might be relevant to any of our customers. Which I don't mind hearing this from my Suppliers (especially Sub-processors) but I like to be able to verify.  

Original Message:
Sent: 09-01-2021 02:16 PM
From: Michelle Chase
Subject: Disclosure of Vendor breaches

Hi Mark, agree with all your comments.  

Wondering what method you use to double check SEC breach notifications.  We check for SEC actions but interested in how to check if a breach has been disclosed versus an SEC action taken (for example for not filing a breach notification timely).

My experience has been that its unlikely a third party will share any breach history other than that which may be relevant to your contractual relationships and associated NPPI. 

Shelly


------------------------------
Shelly Chase
Senior Risk Analyst Officer

Original Message:
Sent: 08-31-2021 01:32 PM
From: Mark Eden
Subject: Disclosure of Vendor breaches

It is easy enough to check to see if they have had a breach that required a SEC disclosure. Also, a google search will show if there has been a suspected breach. 

I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers. 

These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?

Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is. 

My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches

This message was posted by a user wishing to remain anonymous

Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events."   Is this a common security practice? Has anyone encountered a similar situation?

There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2  (Type II), PCI and ISO 27001.

Any feedback is greatly appreciated!