Protecting Your Data When it’s in the Hands of a Third-party

Auto-maker Nissan sent out a breach notification letter to approximately 18,000 people, notifying them that personal information had been leaked through a third-party vendor. The company learned that names, birth dates, and account numbers for a lender that finances Nissan automobiles were compromised. Social security numbers and credit card information was not included in the breach.

In the breach notification letter, Nissan described the incident as follows:

The impacted third-party service provider provides software development services to Nissan. Nissan provided certain information to this service provider for processing during the testing of the software.

On June 21, 2022, Nissan received notice that certain data it provided for software testing had inadvertently been exposed by the third-party service provider. During our investigation, on September 26, 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.

After learning about the breach Nissan says it worked with the vendor, whom it hasn’t publicly named, to secure the data by disabling all unauthorized access. The company says there isn’t evidence that the data has been misused. Nissan is providing a complimentary one-year membership of credit monitoring to those impacted by the breach,

This story is another example of why it is so important for organizations to require rigid cybersecurity policies and procedures for third-party vendors that have access to their data.

What is Third-party Risk?

Third-party risk is the possibility of a third-party organization that has access to your privileged information being the target of a cyber incident (data breach, ransomware attack, phishing, etc.), that results in your data being compromised.

Managing Third-party Risk

To get a handle on your company’s third-party risk, you must assess the risk of each third party in your supply chain and develop a cybersecurity strategy around mitigating that risk. Whether you’re building your cybersecurity strategy for the first time or addressing a cyber breach, the process for vendor risk management remains relatively the same.

At CompliancePoint we help organizations design and implement effective cybersecurity practices every day. We can also ensure their vendors are not putting them at risk through security standards that are not up to par.

To better your third-party data security, here are some suggestions or even requirements organizations should have for any vendor that will have access to its sensitive data:

Information Security Certifications

To have the utmost confidence in a potential vendor, look for a partner that holds a certification or attestation for one of the cybersecurity industry’s most recognized frameworks, such as SOC 2, NIST, or ISO 27001. If a company has one of these certifications, they have shown they have implemented policies and procedures to effectively protect data.

Complete a Breach Readiness Assessment or Cyber Risk Assessment

An effective way to test your vendor’s security and identify any weaknesses is with a Breach Readiness Assessment and/or Cyber Risk Assessment. These assessments will help an organization better prepare for and mitigate the impact of a cyber incident. They will identify gaps in existing security and incident response programs and provide recommendations for better responses to threats, ultimately creating a more resilient cybersecurity program.

It is also a good practice to have your vendors perform vulnerability testing (internal and external) and penetration testing.

A Culture of Security

Be sure your vendors have dedicated the appropriate amount of staff and resources to operate an effective cybersecurity program. Require that the vendor has a qualified employee responsible for overseeing that your data is safe.

The majority of breaches involve human error. Ideally, your vendors will have a thorough cybersecurity training program for their employees, so they can better identify ransomware, phishing attacks, and other cyber threats that could put your data at risk.

Expect your vendors to conduct regular reviews of users and permissions to ensure that only employees that need access to your data have it. Limiting the number of people with data access can make recognizing when unauthorized access has occurred easier.

Monitor Your Vendors’ Risk

CompliancePoint has partnered with a “best of breed” partner to assist our customers in the implementation of a robust third-party monitoring solution. The intelligence-gathering platform we utilize identifies critical vulnerabilities, pinpoints compliance gaps, quantifies cyber risk in financial terms, and can detect the likelihood of a ransomware attack with high-fidelity data on each of your critical vendors.

Obtain a Technical Cyber Rating of your company’s third parties. This rating provides a letter grade based on a company’s current software weaknesses. At CompliancePoint, we have the partnerships and technology to help you get your Technical Cyber Rating.

Breach Notification Policy

If an incident occurs, you need to know as soon as possible to take action and minimize the damage and meet any legal obligations. The contract with the vendor should detail the steps your organization requires it to take to notify you about a breach.

CompliancePoint has helped organizations of all sizes design and implement an effective cybersecurity program. Our suite of services includes Third-party Risk Management monitoring. Contact us at connect@compliancepoint.com to learn more.