Third-party incident response is the process used to identify, investigate, and react to data breaches, natural disasters, or other external adverse events affecting an organization via its vendors or other business partners. The goal of third-party incident response is to maintain operations – or at least quickly recover – when business disruptions occur in a vendor ecosystem or supply chain; in other words, to maintain operational resilience.
The terms incident response and incident management are often confused or used interchangeably. Many authorities, like the UK National Cyber Security Centre, define incident response as a subset of incident management. In this view, incident response is more focused on the technical aspects of an event, including triage, analysis, mitigation, remediation and recovery. Incident management is a more holistic program that wraps incident response with broader preparations, communications, and reporting processes.
The incident management (IM) process can be broken down into the following steps, based on the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, SP 800-61:
When it comes to vendor breaches, protected data exposures, supply chain disruptions, or other events, most organizations focus on reactive activities like incident prioritization, root cause analysis, containment, and recovery (i.e., incident response). However, I’ve found that the areas of IM that focus on preparation, communication, and lessons learned are where organizations can improve their incident readiness the most.
To implement an effective incident management process, you have to first identify and assign responsibilities to the correct stakeholders – both within your organization and across your extended supply chain.
Performing tabletop exercises, where incidents are simulated to familiarize all stakeholders with the IM process and their roles and responsibilities, ensures that necessary resources and capabilities will be available when needed. This, along with periodic testing of your procedures and validation of your contact lists, gives you confidence in your ability to respond, when – not if – it is required.
Cyber intelligence helps your organization prevent incidents from occurring by continuously monitoring for actual events and signals of possible future events. Detection processes ensure you find and act upon potential incidents in a timely manner, limiting potential exposures and damage.
As part of this process, you need to inform key stakeholders. Depending on incident severity, these include your senior management and Board of Directors, along with any regulatory bodies. Doing so is critical to operational resilience and to avoiding negative reputational, financial and regulatory impacts. Communication therefore plays a vital role in your IM process, both to remediate the effects of an incident and to keep key internal and external stakeholders informed, and it results in quicker incident resolution.
Learning from what went right and wrong is another important aspect of the incident management process. By examining what led to an incident in your organization or supply chain, you can ensure that mistakes aren’t repeated, and reinforce risk management for any subsequent incidents that may occur. Follow-through is key to verifying that corrective actions and program enhancements are properly implemented.
8 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
Effective incident management and third-party risk management (TPRM) go hand-in-hand. Identifying your third, fourth and Nth parties enables effective incident management, given that as many as half of all incidents originate with vendors.
Third-party and subcontractor contracts need to include IM/breach notification requirements with a fixed timeframe (usually 24 hours, but as soon as practical) after a major incident is identified. Validation of your third-party IM processes and contacts, along with periodic testing, including phone call trees, ensures operational readiness to respond to and resolve incidents.
Third-party incidents can disrupt your ability to deliver products and services to your customers. While having an incident response plan is key to mitigating disruptions in the heat of the moment, improving your organization’s broader incident management systems and processes will help you be better prepared for when incidents do occur.
Here are some additional resources that you can use to benchmark and improve your incident management program: