10/07/2024 | News release | Distributed by Public on 10/07/2024 11:03
In the aftermath of a vendor's hack that crippled an industry, ensure your business is up to date on best practices for mitigating the risks of third-party cyber incidents.
Many businesses struggle to adequately consider the risk to their operations if a third-party vendor experiences a cybersecurity incident. The sudden lockout or shutdown of a critical vendor can cripple business operations. The recent Change Healthcare breach nearly gridlocked the U.S. health care sector and should serve as a wake-up call for businesses to carefully consider their vulnerability to vendor cybersecurity incidents. Vendor risk mitigation, business continuity planning, and contractual protections are now critical considerations for companies, particularly those with a large suite of vendors.
Software as a Service (SaaS) applications are now used enterprise-wide, from operations to human resources to payment processing. The number of SaaS applications used by the average business has been growing steadily for the last decade. At the same time, the number of cybersecurity incidents and data breaches has grown exponentially. As AI tools enable more complex and convincing attacks by criminals, there is little reason to expect that trend to reverse. As the number of vendors and attacks grow concurrently, it seems inevitable that a critical vendor for most organizations will suffer a breach in the foreseeable future.
In the spring of 2024, Change Healthcare (a subsidiary of UnitedHealth Group) suffered a cyberattack that was "the most significant and consequential incident of its kind against the U.S. health care system in history," according to American Hospital Association President Rick Pollack. The ALPHV/BlackCat ransomware group claimed responsibility for the attack; they were able to steal up to four terabytes of personal information, records, and payment details. More significantly, this attack spurred devastating financial consequences for the health sector, as many physicians relied on Change Healthcare to process claims and claim payments. A survey from the American Medical Association (AMA) found that 80 percent of practices lost revenue from the attack and that small practices were particularly hard hit. Alongside general "tremendous financial strain," AMA President Jesse Ehrenfeld noted that "these survey data show, in stark terms, that practices will close because of this incident."
The Change Healthcare breach offers several lessons: (1) any vendor can fail unexpectedly, even those that are large, ubiquitous, or sophisticated; (2) while the concern over a vendor's breach is often that it will give hackers access to your systems, a vendor breach also carries significant operational risks; and (3) failing to plan for those operational risks can have significant consequences.
It is, however, still a concern that a vendor's cyber incident will result in unauthorized access to their customers' systems. SolarWinds is still squaring off with the SEC over the 2020 breach that resulted in Russian hackers gaining access to the U.S. Department of Homeland Security, among others. A recent ruling found that SolarWinds grossly misstated its cybersecurity protections, allowing the SEC to take the company to trial on the issue. Other vendors may also overstate their own cybersecurity compliance.
Business continuity planning, vendor management, and strong contractual protections are imperative to keeping your business operations functioning through a vendor's breach. As a company incorporates vendor-procured software throughout its organization, it is critical to consider vendor cybersecurity risks holistically. The MOVEit breach of 2023 highlights how risk exists even for mundane software, like a file transfer service.
Undertaking Business Continuity Planning (BCP) on the front end is a good way to avoid the financial and reputational damage associated with vendor cybersecurity incidents. Some of the BCP best practices to ensure that your organization can navigate shutdowns and disruptions are to:
Similarly, managing vendors needs to be an ongoing process, beginning with the contract and continuing for the length of the relationship. Some best practices for vendor management are to:
Mitigating the operational risk from vendor relationships is a critical way to keep your business flexible and online when an incident inevitably occurs. If your organization needs assistance creating a vendor due diligence plan, drafting or reviewing contracts to ensure favorable protections, or undergoing business continuity planning, please contact the authors, Dan S. Parks, Layna Cook Rush, CIPP/US, CIPP/C, or a member of Baker Donelson's Data Protection, Privacy, and Cybersecurity team.