Risk Assessments

  • 1.  Assessing Breached Vendors

    Posted 06-21-2024 02:17 PM

    We are in the process of developing a questionnaire for vendors that have been a victim of a cybersecurity attack. After we're informed of the attack on the vendor we want to get a questionnaire to them, and then add that vendor to our risk register. Here are a few questions we've come up with so far:

    • When did the attack happen?
    • When did your company first notice the attack?
    • What was the scope of the attack?
    • Was any company and/or customer NPI data compromised?
    • What remediation efforts did your company take to mitigate/counter the attack?

    What other questions should we ask the vendor? Thank you in advance for any and all input.



  • 2.  RE: Assessing Breached Vendors

    Posted 06-21-2024 02:41 PM

    We also ask something to the effect of this:

    Is the scope of this project in the same environment as the cyber incident?

    We had a vendor a couple of weeks ago that had an incident in May of 2023, but the scope of the engagement with our company was in a completely separate environment without any connectivity with the impacted environment. It made the difference in our TPRA decision.

    Hope that is helpful.




  • 3.  RE: Assessing Breached Vendors

    Posted 06-21-2024 03:05 PM

    Hi David,

    Thanks for bringing this up. 

    Here are a few questions that come to mind. Some are leading questions where we expect more details or even questions from the vendor, especially when it is indirect -- they were okay, and what did they do when they were notified by a different tenant who suffered a breach. That's a different set of questions.

    As recent United Healthcare Group testimony to Congress showed, you need to know how they noticed the first time -- internal monitoring, external monitoring, ransomware attack to employee, outside party informed the company.  Also you need the dates to understand the duration -- as soon as possible -- because you need some indication of what retention point (DRaaS) or recovery point (Backups) you can "trust".

    I hope these offer some help:

        • Was 100% of your services offline for any time during recovery?
        • Were your backups compromised?
        • Did you failover to a validated DR environment at any point?
        • Was ransomware involved? Did you pay the ransom?
        • What public agencies was this breach reported to?
        • From UHG talks with Congress:
            • What date was the breach discovered?
            • Did an outside party other than the attacker notify you?
            • Was a notice of ransomware the first indicator you were breached?
            • Was an outside forensics firm brought in to identify the point of breach?
            • What was the date of compromise before the breach discovery date?
        • Was a privileged user involved in the cause of the original breach?
        • Was there a recurrence of the attack? Same or different attacker?
        • What major mitigations or changes in policies resulted from your mitigation?
        • What was the total business disruption? What percentage of your services were affected? What percentage of customers per service were disrupted?
        • What was the percentage of data that was compromised (destroyed, encrypted, etc.) that was not recoverable?
        • What percentage of clients lost any data during this disruption?
        • What was your customer retention trend since you mitigated the cause of the data breach?
        • Did you make any reparations or credits to your customers?


    Cheers, Larry




  • 4.  RE: Assessing Breached Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 06-24-2024 08:10 AM

    Not sure if this is done as part of the relationship but generally forensic analysis is done.  I would recommend asking for a copy of the report when it's available.  Some will provide the whole report or an approved version for their partners.




  • 5.  RE: Assessing Breached Vendors

    This message was posted by a user wishing to remain anonymous
    Posted 06-24-2024 08:47 AM

    To avoid issues in getting information regarding a breach, your MSA should include a breach notification requirement as well as a post-incident report. It will be up to you to define the content of the report.




  • 6.  RE: Assessing Breached Vendors

    Posted 06-24-2024 10:01 AM

    A well-structured vendor agreement should outline the steps to be taken by both parties in the event of a data breach. This is crucial for ensuring both parties understand their responsibilities and can act swiftly and effectively to mitigate any damage. Here are the key components that should be included in such an agreement:

    1. Definition and Scope of the Breach
    2. Notification Requirements
    3. Investigation and Cooperation - this is where a forensic analysis (usually an independent third party) would come in. This group will be able to tell you (as the vendor) how far to push the investigation and provide recommendations for the next step.
    4. Remediation and Mitigation

    There are others that will outline the vendor's duties for response, but the section that is a must is indemnification and liability.



    ------------------------------
    Donna Wilson
    ------------------------------