Cyberattacks and breaches have plagued industries worldwide mercilessly over the last year or more. With many of the headline-grabbing attacks attributed to the trend of third-party breaches, questions around liability and remedy require further discussion.
Evaluating third-party breach scenarios
It helps to start by analyzing a few recent attack types that leveraged third parties. First, there’s the scenario where a zero-day lives in third-party software installed on a client’s system, making the client vulnerable to direct attack, as with Sunburst in the SolarWinds case. While expectations around a secure software development lifecycle are reasonable, in this scenario customers are responsible for maintaining an organizational security posture capable of preventing, detecting, and responding to these attacks. While the organization isn’t at fault for the damage, and the third party will likely face scrutiny at the hands of a congressional investigation, impacted organizations shouldn’t expect any remedy from the third party.
Consider another circumstance, such as with Accellion and Morgan Stanley. The third party knew about the vulnerability and disclosed that it wasn’t patched, transferring the risk to customer organizations. If an attacker then exploits that vulnerability, the organization is held accountable for damage caused by the unmitigated risk. Tweaking this scenario slightly: if the third party knew about the vulnerability but neither disclosed nor patched it, there are potential grounds for a suit against them.
On to the more difficult Kaseya case, in which a third party was breached and used to breach other organizations, which were in turn used to breach still more organizations. The attack spanned beyond just Kaseya’s software: attackers compromised the entire company and used it to propagate breaches everywhere. Here’s where the claim that we should hold third parties liable for all cascading effects comes into play, as both their software and their organizational security were directly responsible for the damage. While this attack was unique, it’s representative of something we anticipate more of in the future – hacking third-party companies with the ultimate goal of attacking their customers through them. Mortgage companies and law firms are just two examples of organizations at high risk here, as they offer direct connections to hundreds of third parties.
Transferring risk
Whether future breaches fall into one of these scenarios or involve entirely unique circumstances, it’s critical that industry leaders create a standard for where third-party liability starts and ends. When picking up the pieces, simply paying for cleanup can put a company out of business. That’s why companies need cyber insurance, a product that may undergo dramatic changes because of all the recent breaches. Cyber insurance companies will likely start adding clauses saying that they won’t accept any breach originating from a third party under certain conditions, and will impose premiums based on security posture. Organizations will need to carefully review policies for any inclusions or exclusions around third-party risk. This also creates a market for explicit third-party coverage, both for being the victim of a third-party breach and for being the third party used by the attacker.
Let’s talk ransomware
Breach costs can accrue for years, whereas ransoms are often cut-and-dried because they are usually a single payment. Businesses victimized by a third-party attack are still dependent upon that third party to return to business as usual. Companies can resolve the situation in one of two ways – pay the ransom, which comes with backlash, or make the third party responsible for compensating lost revenue and bringing the business back up. Third-party manufacturers with known vulnerabilities that cause harm should be held accountable. These third-party companies should either pay the ransom or make good on the financial impact. Where does this end? In an interconnected supply-chain world, we’ll have to carefully limit the degrees of liability. So are third parties responsible for all downstream impacts?
Practice due diligence
How should organizations concerned about third-party risks start tackling these issues? Start by creating an inventory of all third parties. Once there’s a list, business unit owners should quantify these relationships and the potential impact an incident could have on their organization. Capturing information such as potential revenue impact, IT system connections, and whether the relationship is a supply-chain or a subcontractor one will help establish an order of criticality for the next step: building out business requirements to audit third parties against. By setting requirements, companies can purpose-build products for this use case. Hopefully, a good risk assessment “grade” will become a differentiator worn by third parties like a badge of honor, adding trust into partnerships early on. Until then, it’s wise for a company to conduct its own evaluations of any third parties.
Randy Watkins, chief technology officer, Critical Start