A few years ago, the New York Department of Financial Services (NYDFS) released survey results giving us more insight into many banks’ cybersecurity preparedness. The NYDFS surveyed 40 organizations and found, startlingly, that nearly 1 in 3 of the banks surveyed don’t require their third-party vendors to notify them in the event of an information security breach or other cybersecurity incident. This is a huge problem for obvious reasons, but let’s take a closer look at the potential fallout and why it’s important to require vendor notification in data breach scenarios.
Reasons to Require Vendor Data Breach Notifications
- Increased regulatory scrutiny. If your organization suffers a breach, you should expect your regulators to show up looking for answers. You’re expected to be able to address unauthorized access to customer information held in systems maintained by your service providers. However, you can’t adequately address something you don’t know about.
- It helps to manage your reputational risk. Reputational risk is risk arising from negative public opinion. Security breaches resulting in the disclosure of customer information and violations of law and regulation could harm your organization’s reputation. It’s much better to notify your customers directly about a breach and your plan of action to resolve it than to have them find out through the vendor or a public news source.
The implications of a data breach aren’t limited to the reputational fallout. Nearly all states now have a data breach notification law, and while each state has different requirements, it’s important for both the organization and the third-party vendor to be aware of each regulation.
How to Require Vendor Data Breach Notifications: Your Next Step
There’s no way to anticipate every breach that may impact your vendor. The best you can do is take the proper steps to protect the personal data your organization is responsible for.
The first way to accomplish this is to write the breach notification requirement directly into your vendor contract. Defining what that looks like is often harder than we think, so here’s a list of what a breach notification clause should include:
- A defined notification timeline
- A designated point of contact for all questions and status updates regarding the breach
- Public disclosure provisions
- Parameters for investigating, remedying and taking any other action deemed necessary regarding the breach and any dispute, inquiry or claim that concerns the breach
- Defined instructions relating to the handling of any confidential information affected or potentially affected by the breach
- Ability to define actions that need to be taken to prevent future breaches
- Defined contract repercussions in light of a breach (contract cancellation, suspension, etc.)
Incidents and breaches happen. It’s inevitable. The key to minimizing the impact is discovering them quickly and having a plan to address them promptly and effectively. Ensuring your vendors can demonstrate what they do if an incident occurs, and how follow-up and resolution are performed, including notification steps, is crucial from the very start of your relationship.