Companies face increasing risk to their operations resulting from a cyber breach of a critical vendor. We have recently written about creating a sensible cybersecurity and AI risk framework for critical vendors, and regulators have issued both formal and informal guidance addressing vendor cybersecurity risk management: The SEC, the New York’s Department of Financial Services, the FTC, FINRA, the CFTC/NFA and U.S. federal banking agencies have all issued guidance on vendor cybersecurity due diligence, oversight, auditing, and contractual provisions to reduce vendor risk before a data breach.

In this Debevoise Data Blog post, we provide the following 27 questions to ask when you’ve been informed that one of your vendors has experienced a data breach:

Internal Questions

  1. What categories of Company data does the vendor have? How sensitive is it?
  2. What is the volume of data that the vendor has?
  3. Is the Company providing the vendor with data on an ongoing basis?
  4. Does the vendor have direct access to the Company’s network?
  5. Should we stop any data flows and disable the vendor’s access to Company systems until we learn more?
  6. What are the business continuity risks if we cut off our relationship with this vendor?
  7. Do we have cyber insurance? Does it cover damage from vendor breaches? What is the deductible? Do we need to notify our insurer?
  8. If any of our data was involved, do we have regulatory, statutory or contractual notification obligations? If so, do we want to make those notifications or do we want the vendor to make them?
  9. Depending on what data was involved, are there steps the Company should be taking to reduce risk, such as alerting customers whose data may have been impacted or looking for attempted BECs and wire diversions schemes?
  10. What do the relevant contracts with the vendor say about its cybersecurity obligations, breach notification requirements, indemnity, cooperation, limitations of liability, termination rights, etc.?
  11. What cyber diligence was done on the vendor?

Questions for the Vendor about the Incident

  1. What is the impact of the incident on the vendor’s operations?
  2. Is there any reason to believe that the Company’s systems are at risk? If so, what indicators of compromise should we be looking for?
  3. If the vendor has direct access to the Company’s systems, what assurances can be provided as to why it is safe to allow that access to continue?
  4. Is any Company data held by the vendor at risk?
  5. Have you confirmed that any Company data was accessed or exfiltrated? If so, can we obtain a copy of the data?
  6. Do you know who the attackers are or the purpose of the attack?
  7. Do you have any reason to believe that Company data was targeted?
  8. Is there any reason to believe that that any of the data that was involved has been misused?
  9. Have you retained an outside law firm and cyber firm to assist?
  10. Are you conducting Dark Web monitoring? What are the results?
  11. When did the compromise of our Company data first occur?
  12. When did you discover the compromise?
  13. What steps have been taken to contain the breach?
  14. Do you know how the attacker got into the system, and if so, has that vulnerability been closed?
  15. Does the attacker still have access to your system? If not, when was the last time the attacker was observed in the system?
  16. Who else have you notified (law enforcement, regulators, customers, etc.)?

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise summer associate Dylan Sanders for his contribution to this blog post.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.