It is easy enough to check to see if they have had a breach that required an SEC disclosure. Also, a Google search will show if there has been a suspected breach.
I would expect an ISO 27001 for the operational procedures for their production environment for the services that the supplier is offering. This is just table stakes. I may ask for a SOC2 Type 2 depending on whether this is a critical supplier or a business-critical service. But my interest in reporting and certificates is dependent on the nature of the service I am buying and whether I am offering it to my paying customers.
These certifications are only as good as the auditors who performed the audits. I always put more weight on this factor than if they have it. Longevity will also play a factor. How long has this supplier been delivering this service or product and what is their track record?
Regardless of whether there has been a breach and regardless of whether they have these certifications, I am always going to have a contractual Limit of Liability that is commensurate with x10 of the amount of the value of the contract. There are also contractual obligations for the supplier to pony up to admit to the breach in 24 from confirmation there is a breach and to participate in the breach remediation of both the environment and the damage to clients. Having a breach is not a game ender but not being able to clean up the mess is.
My opinion alone and not my employer. Just my $.02
Original Message:
Sent: 08-31-2021 09:32 AM
From: Anonymous Member
Subject: Disclosure of Vendor breaches
This message was posted by a user wishing to remain anonymous
Interested to know how others manage critical vendors that will not disclose if they have suffered a breach in the past 3 years (SIG Business Information section). We have a SaaS vendor with access to PII responding that "For security reasons, and the protection of their customers, the company does not share the presence or absence of security related events." Is this a common security practice? Has anyone encountered a similar situation?
There are no material claims, or judgments currently against the company, and they have a clean SOC1, SOC2 (Type II), PCI and ISO 27001.
Any feedback is greatly appreciated!