With the rise of AI and organizations becoming increasingly dependent on third parties for critical services, third-party risk management has become a top priority for CISOs. 

Most organizations (98%) have integrations with at least one third-party vendor that has experienced a cyberattack during the past two years, yet these same organizations often lack the resources or technology to recognize that they are part of that 98%. 

But one of the best ways these organizations can mitigate the damage – sometimes even completely – is with a proper incident response plan. 

Understanding the Risk of Third-Party Cybersecurity Breaches

In addition to operational disruptions, reputational damage, and loss of customer trust, third-party data breaches are particularly harmful because the data exposed can lead to additional future data breaches and other security incidents – even in the span of a few months. 

Recent examples include: 

  • Bank of America. The high-profile cybergang LockBit exposed the personally identifiable information (PII) of 57,028 Bank of America customers through deferred compensation plans managed by third-party provider Infosys McCamish. The data of 57,028 customer accounts was also exposed in 2023 as a result of the MOVEit digital supply chain attack. 
  • Fidelity. A third-party breach compromised the personal information of over 77,000 customers in August. Although the company reported that accounts were not compromised, it was the fourth data breach reported in 2024.  
  • AmEx. Card account numbers, card expiration dates, and customer names of over 50,000 customers were leaked by a third-party merchant in January and February of 2024. Although AmEx took steps to mitigate the damage by informing customers that they would not be held responsible for fraudulent purchases made with their cards, it left that responsibility with the customers, who were at greater risk of such transactions occurring over the next 12 months. 

These data breaches are often also the first step of a more sophisticated attack, such as the MOVEit supply chain attack. First, the Russian-affiliated cybercriminal group Cl0p discovered a vulnerability in the MOVEit Transfer file-transfer software and used it to expose data from high-profile organizations all over the world. Cl0p then leveraged the data for successive ransomware attacks on 64 organizations, according to its own website. 

Even the most established organizations with robust cybersecurity practices and defense strategies are susceptible to third-party data breaches. Attackers know that third parties often have fewer resources to dedicate to risk management, and they succeed in targeting larger institutions through those third parties. Common attack vectors for these third-party breaches include compromised credentials, software vulnerabilities, insider threats, and social engineering. 

Key Components of Incident Response Planning for Third-Party Breaches

Regardless of the exact details of your incident response plan, it should include a number of key components: 

  • Vendor risk assessments to build a risk profile of each of your vendors and develop a mitigation plan based on it. 
  • Clear communication protocols for announcing the scope and details of the breach to both internal and external stakeholders.  
  • Detection and monitoring through a variety of tools and real-time alerts, with the goal of early threat detection and quicker response times. 
  • Containment and mitigation that include both short- and long-term strategies. 
  • Adherence to regulatory compliance that includes meeting requirements for reporting the breach, communicating details of the breach to customers, and defining roles and responsibilities in your incident response plan. 

Evaluate the Level of Risk with Vendor Risk Assessments 

Vendor risk assessments assign risk scoring to each vendor, allowing you to prioritize vendor risk and account for it when building your incident response plan. Panorays lets security and IT teams assign a specific percentage of the risk score to various criteria such as compliance, data protection, and incident response, all according to your risk appetite. 

Based on the risk profile of each of your vendors, you’ll be able to formulate a proactive and detailed mitigation plan for high-risk vendors that includes actions such as enhancing security protocols, enforcing stricter access controls, requiring regular security audits, and ensuring compliance with industry standards and regulations. The plan should also include continuous monitoring and evaluation of whether the current security controls are effective or need to be improved. 

Establish Clear Communication Protocols 

Communication protocols should address both internal audiences, including the various departments and stakeholders within your organization, and external audiences, such as third-party vendors. Additional external parties should include any affected customers, the media, partners, investors, and other external stakeholders. The protocols should define how the breach is communicated to your C-suite and management, employees, IT and compliance teams, the media, partners, and the data protection authorities or other regulators. Having clear communication protocols in place can mitigate reputational damage by informing the necessary parties of the scope of the breach, the damage that ensued (if any), the mitigation strategies implemented, and the organization’s plan for improving its defenses in the future. 

How Detection and Monitoring Help Improve Future Response 

A proactive stance of continuous detection and monitoring is one of the best strategies for early detection of third-party threats and quicker response times. Continuous monitoring and detection are often implemented through tools such as threat intelligence platforms, SIEM systems, Endpoint Detection and Response (EDR) tools, network traffic analysis, and third-party risk management platforms. Along with detecting anomalous and suspicious behavior, these tools deliver real-time alerts to the relevant roles in your organization so that the incident response plan can be put into action immediately, mitigating the risk. They also provide data such as logs, endpoint activity, and API monitoring data that can be leveraged to identify patterns of user behavior and improve future threat detection. 

Containment and Mitigation Minimize Damage from the Breach

Both short-term and long-term containment strategies should be implemented. Steps towards short-term containment might include isolating the segment of the network under attack, revoking user access temporarily, and disabling systems to minimize the exposure of data and extent of the breach. Steps towards long-term containment might include adopting a zero-trust architecture, strengthening third-party service-level agreements (SLAs), and conducting regular audits of the security measures of both your organization and its third parties. 

Adherence to Regulatory Compliance

Many regulations (e.g., GDPR, HIPAA, CCPA) require an incident response plan that includes specific timelines for when a breach must be reported. First, the type of data handled needs to be classified along with its level of sensitivity. Next, the specific timeline needs to be identified, along with the roles and responsibilities of internal teams (e.g., legal and compliance) and external parties (e.g., the media). At this point the organization can develop vendor contracts that ensure compliance, maintain comprehensive incident logs to record the actions taken during incidents, and implement regular training and simulations to test compliance during these incidents.

Developing an Effective Third-Party Incident Response Plan

Any third-party incident response faces a number of challenges, including the lack of visibility into the supply chain, inaccurate risk scoring leading to poor risk management, and general remediation guidance as opposed to actionable steps a vendor can follow to mitigate future risks. As a result, organizations have focused on several steps for an effective third-party incident response plan. 

Step 1) Creating a Dedicated Response Team

When an incident occurs, it’s important that you have established dedicated roles within the organization whose holders understand their responsibilities and have the specific skills to mitigate and manage a third-party breach. For example, the IT team would be in charge of isolating systems, while the marketing team would be responsible for communications with the media and for notifying customers of the scope and size of the breach. Assigning these roles and responsibilities before an incident avoids confusion, helps contain the damage that ensues from the breach, and fosters more effective communication and adherence to compliance. The plan should also detail the roles and responsibilities after the breach, such as reviewing the actions taken during the incident to improve vendor management.

Step 2) Vendor Collaboration and Agreements

SLAs should include details about how a vendor would collaborate and respond to an incident in addition to ensuring the vendor has its own incident response plan in place. It might include a shared incident response playbook, require threat intelligence sharing, and specify that the organization owns all data stored and processed by the vendor. It may also require vendors to log data so that it can be accessed by auditors or during a breach investigation. 

Step 3) Training and Simulations

Finally, many organizations prepare for incident response through training and simulations of third-party scenarios. These simulations are often run continuously against your organization’s IT infrastructure and employees to identify vulnerabilities and weaknesses in advance and to strengthen the organization’s security posture against third-party threats as needed. Through these training sessions, teams are able to test the effectiveness of response strategies and adjust the incident response plan accordingly. 

Post-Incident Steps and Lessons Learned

After a third-party data breach has occurred, it is imperative that the third party be notified at once. The overall scope and breadth of the attack must be determined in addition to the nature of the data that was exposed. The details of the breach must be documented and the response actions for mitigation and compliance should be reviewed. Vendor contracts should be reviewed to close any security gaps. Monitoring and detection tools should be upgraded based on the information gathered from past incidents to improve response time to future incidents. 

Third-Party Incident Response Plan Solutions 

It is a fact that in the modern digital era, organizations shouldn’t ask if a third-party data breach will occur, but when. Proactive measures such as incident response planning are one of the most cost-effective and efficient methods for mitigating third-party risks. Strong incident response strategies also encourage continuous collaboration with vendors, regular updates to response plans, evaluation and prioritization of the level of risk, and continuous monitoring and detection – all of which are critical for building a strong and effective third-party risk management strategy. 

Want to learn more about how Panorays can help you build a stronger third-party cyber risk management strategy? Get a demo today! 

Third-Party Incident Response Planning FAQs