
Incident Response and Third-Party Risk

by Jonathan Dambrot

December 7th, 2015


Today, the Shared Assessments Program released a briefing paper titled “Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program”.  The paper was developed out of great necessity, as it became clear that Program members needed additional guidance when managing incidents at the service provider level.

The goal of the paper is to offer a guide on effective third-party incident management across three distinct stages:

  1. Pre-incident
  2. During the incident
  3. Post-incident

Incident response has become a hot topic for organizations of all sizes as the level and sophistication of cyber-attacks continue to increase. Additional requirements around the protection of data, as well as notification requirements, seem to be dominating the conversations with regulators and at the board of directors’ level. Although there is a significant trove of information available on incident management, the topic of incident management and response in relation to a third-party outsourcing agreement has been notably missing.

The briefing paper was born as a project within the Shared Assessments Program’s Standardized Information Gathering (SIG) Development Committee: a group of industry thought leaders and contributors to the Shared Assessments Program who have experience in incident management at third parties came together to develop it. It represents a great effort by those involved and I expect the final product will help companies of all sizes better prepare for and manage monitoring their third parties’ incident event management programs. I would like to thank everyone who participated in the Third-Party Incident Response Subcommittee in support of the paper.

The next step is to determine whether the information presented in the briefing paper should be included in the SIG itself or potentially offered as a separate Shared Assessments Program Tool. If you find the briefing paper interesting and choose to incorporate it into your organization’s best practices, I would love to hear whether it was helpful, whether it led to changes in your organization’s approach and/or whether you believe improvements should be made to the paper.