Hi David,
Thanks for bringing this up.
Here are a few questions that come to mind. Some are leading questions where we expect more details or even questions from the vendor, especially when it is indirect: they were okay, and what did they do when they were notified by a different tenant who suffered a breach? That's a different set of questions.
As recent United Healthcare Group testimony to Congress showed, you need to know how they noticed the first time -- internal monitoring, external monitoring, a ransomware attack on an employee, an outside party informing the company. Also, you need the dates to understand the duration -- as soon as possible -- because you need some indication of what retention point (DRaaS) or recovery point (backups) you can "trust".
I hope these offer some help:
• Was 100% of your services offline for any time during recovery?
• Were your backups compromised?
• Did you failover to a validated DR environment at any point?
• Was ransomware involved? Did you pay the ransom?
• What public agencies was this breach reported to?
• From UHG talks with Congress
•• What date was the breach discovered?
•• Did an outside party other than the attacker notify you?
•• Was a notice of ransomware the first indicator you were breached?
•• Was an outside forensics firm brought in to identify the point of breach?
•• What was the date of compromise before the breach discovery date?
• Was a privileged user involved in the cause of the original breach?
• Was there a recurrence of the attack? Same or different attacker?
• What major mitigations or changes in policies resulted from your mitigation?
• What was total business disruption? What percentage of your services were affected? What percentage of customers per services were disrupted?
• What was the percentage of data that was compromised (destroyed, encrypted, etc.) that was not recoverable?
• What percentage of clients lost any data during this disruption?
• What was your customer retention trend since you mitigated the cause of the data breach?
• Did you make any reparations or credits to your customers?
Cheers, Larry
Original Message:
Sent: 06-21-2024 01:57 PM
From: David Medina
Subject: Assessing Breached Vendors
We are in the process of developing a questionnaire for vendors that have been a victim of a cybersecurity attack. After we're informed of the attack on the vendor we want to get a questionnaire to them, and then add that vendor to our risk register. Here are a few questions we've come up with so far:
- When did the attack happen?
- When did your company first notice the attack?
- What was the scope of the attack?
- Was any company and/or customer NPI data compromised?
- What remediation efforts did your company take to mitigate/counter the attack?
What other questions should we ask the vendor? Thank you in advance for any and all input.