Improving Third-Party Incident Response Starts with a Solid Incident Management Foundation

Three Incident Management Processes to Improve

1. Process Preparation

To implement an effective incident management process, you have to first identify and assign responsibilities to the correct stakeholders – both within your organization and across your extended supply chain.

Performing tabletop exercises, where incidents are simulated to familiarize all stakeholders with the IM process and their roles and responsibilities, ensures that necessary resources and capabilities will be available when needed. This, along with periodic testing of your procedures and validation of your contact lists, gives you confidence in your ability to respond, when – not if – it is required.

2. Detection, Communication and Reporting Procedures

Cyber intelligence helps your organization prevent incidents from occurring by continuously monitoring for actual events and signals of possible future events. Detection processes ensure you find and act upon potential incidents in a timely manner, limiting potential exposures and damage.

As part of this process, you need to inform key stakeholders, including based on incident severity, your senior management and Board of Directors, along with any regulatory bodies. Doing so is critical to operational resilience and avoidance of negative reputation, financial and regulatory impacts. Communication therefore plays a vital role in your IM process, both to remediate the effects of an incident and to keep key internal and external stakeholders informed, and results in quicker incident resolution.

3. Post-Incident Follow-ups, Including Lessons Learned

Learning from what went right and wrong is another important aspect of the incident management process. By examining what led to an incident in your organization or supply chain, you can ensure that mistakes aren’t repeated, and reinforce risk management for any subsequent incidents that may occur. Follow-through is key to verifying that corrective actions and program enhancements are properly implemented.

Why Incident Management Is Important in Third-Party Risk Management

Effective incident management and third-party risk management (TPRM) go hand-in-hand. Identifying your third, fourth and Nth parties enables effective incident management, given that as many as half of all incidents originate with vendors.

Third-party and subcontractor contracts need to include IM/breach notification requirements within a fixed (usually 24-hour, but as soon as practical) timeframe after a major incident is identified. Validation of your third-party IM processes and contacts, along with periodic testing, including phone call trees, ensures operational readiness to respond to and resolve incidents.

Resources for Effective Incident Management

Third-party incidents can disrupt your ability to deliver products and services to your customers. While having an incident response plan is key to mitigating disruptions in the heat of the moment, improving your organization’s broader incident management systems and processes will help you be better prepared for when incidents do occur.

Here are some additional resources that you can use to benchmark and improve your incident management program:

• NIST 800-61R2: Computer Security Incident Handling Guide
• ISO/IEC 27035-1: Information Security Incident Management part 1: Principles of Incident Management
• ISO/IEC 27035-2: Information Security Incident Management Part 2: Guidelines to Plan and Prepare for Incident Management
• OCC 2021-55: Bank Incident Notification Final Rule, issued 11/23/2021
• OCC2022-8: Information technology Points of Contact for Bank’s Computer Security Incident Notifications, issued 3/29/2022