Ransomware has become so prevalent over recent years that the Cybersecurity & Infrastructure Security Agency (CISA) has launched an entire initiative to prevent and respond to this type of malware. The #StopRansomware Guide was jointly published by CISA, the National Security Agency (NSA), and Federal Bureau of Investigation (FBI) to help organizations understand how to prevent ransomware and how to respond if they’re a victim.
Maybe you feel confident that your organization has effective cybersecurity practices and knows how to respond to an incident, but what about your third-party vendors? Do you have a plan in place if your vendor announces it’s suffered a ransomware attack?
According to Black Kite’s Third-Party Breach Report, 27% of third-party data breaches in 2022 were ransomware attacks. So, it’s important to know how to respond if your vendor is a victim.
Immediate Steps to Take After a Vendor Experiences a Ransomware Attack
You’ll need to act quickly if your vendor discloses a ransomware attack. A data breach notification clause in your vendor contract should help ensure that you’re notified within a certain timeframe. It also ensures that the vendor provides a dedicated point of contact for all your questions.
Although you may not immediately know all the details of the attack, there are still steps you can take to mitigate the risk:
- Assess the impact: Make sure your vendor provides details on the extent of the attack and who it affected. Find out as many details as you can about which systems were affected, the type of data that was stolen, and to whom it belongs. If the attack involved your customers’ data, you’ll need to notify them according to your own internal processes. Keep in mind that customer notification requirements also vary by industry and state. For example, credit unions have 72 hours to notify, but covered entities under HIPAA have up to 60 days. States such as Arizona, California, and Florida have 10-day notification periods, while states like Oregon, Tennessee, Vermont, and Washington have up to 45-day notification periods.
- Verify your vendor’s response: Review your vendor’s incident response plan (IRP) to ensure that it’s followed correctly. This can also help verify that the vendor hasn’t paid the ransom. Both CISA and the FBI recommend against paying ransom and even state that doing so can pose sanctions risk.
- Report and notify: Depending on your organization’s IRP and regulatory requirements, you may need to report the incident to authorities such as law enforcement or the state attorney general. Plus, you’ll need to communicate directly with any impacted customers. You may want to consider offering credit monitoring services to further protect your customers.
Aftermath Responses to Recover From a Third-Party Ransomware Attack
Ransomware attacks are often complex and won’t be resolved overnight, but it’s possible to begin the recovery process soon after they occur.
Here are some recommended actions that can help your organization recover from a third-party ransomware attack:
- Re-assess your information security processes: This can help prevent another incident by revealing any weaknesses or flaws that may have been overlooked.
- Re-evaluate your IRP: This is typically done during a formal meeting known as a postmortem. During this time, your organization can review any lessons learned and consider areas of improvement.
- Make updates as needed: Use the information you learn from your re-assessments and re-evaluations to update any security policies or procedures. This may also include strengthening controls with other vendors whose attack surfaces are similar to that of the vendor that suffered the attack. For example, if a vendor uses a common software component and is breached because of it, you should ask your other vendors whether they’re also using that same software component.
- Consider vendor repercussions: Review your vendor contract to determine whether the ransomware attack should prompt any further action such as additional controls, temporary suspension, or even the end of the relationship. Offboarding the vendor may be necessary if there were significant issues with the vendor’s communication or response. At a minimum, the incident should increase your oversight of that vendor.
It’s understandably a stressful situation when you discover your vendor was the victim of ransomware. There are a lot of unknowns and thoughts of worst-case scenarios, so it’s helpful to implement some of these responses within your third-party risk management program. Third-party ransomware attacks might not be 100% preventable, but there are ways you can reduce the impact on your organization.