How to Respond When a Vendor Gets Hacked
A vendor data breach is a nightmare for any bank or credit union. From the financial cost to the bad press to the regulatory attention, data breaches pose a huge risk. Yet despite due diligence, they still occur.
That’s why it’s essential to have a plan in place for dealing with vendor data breaches before they happen. Breaches require immediate attention. Your institution can save valuable time by plotting out its response ahead of time, including inquiry, discovery, root cause analysis and notification. Here’s what your plan needs to include:
Questions to ask the vendor.
Collect as much information as you can from your vendor to understand the extent of the breach. Ask:
- When did the breach occur? Several states, including Massachusetts and California, have strict timelines for notifying consumers when data is accessed by unauthorized parties. This is especially true for sensitive data like account and Social Security numbers. Your institution needs to know about a breach as soon as possible so it can follow notification protocol. Remember, just because you don’t have bricks and mortar in another state doesn’t mean you’re exempt from its rules. You need to follow the notification laws where your customer resides.
- Which data was compromised?
- Where did it occur? This lets you know the extent of the problem and allows you to understand the implications, particularly if it occurred overseas.
- Why did it happen? You need to know why it happened and what the vendor is doing to prevent it from happening again.
Definition of a data breach.
Decide what types of incidents constitute a data breach. Part of this is knowing who owns the data. For example, agreements with Equifax give the company ownership rights to the data. From a contract law perspective, that means your institution doesn’t own the data and the vendor is responsible for notifying customers, though regulators may see things differently.
Just because data was compromised doesn’t mean a full-scale response is necessary. Sensitive data, including data protected by the privacy provisions of the Gramm-Leach-Bliley Act, requires immediate attention, but if all the information was public anyway or it was just a list of how much you paid your water supplier, less action is needed. The breach is still an incident that needs to be understood to prevent future problems, but it won’t warrant the same response as a breach of sensitive information.
Send a letter to the vendor requesting the root cause analysis. Make sure it’s addressed to whoever is cited in your contract as the person responsible for official correspondence, whether it’s the CEO, general counsel or chief financial officer. This letter shouldn’t be filled with threats warning that the vendor has breached its contract or that you’re terminating the relationship. It’s just an effort to find out the facts. You can’t always make a vendor respond, but the paper trail shows regulators you’ve made efforts to get a response. Keep a log of all communication.
Performance standards meriting a response.
Have performance standards in place for critical vendors and clearly define just how bad things have to be for your institution to take corrective action, which includes terminating the relationship. Make sure your contract will not limit your ability to find a new vendor if your vendor breaches your agreement.
Vendor response team.
There needs to be a vendor response team that can act quickly. Consider including representatives from senior management, legal, IT and marketing. This mix is necessary because a breach deals with both internal and external issues. The team needs to be able to decide on the messages to communicate to clients and members on a go-forward basis.
Plan both internal and external communications. Decide in advance whether meetings will be held online, in person or via conference call. Know how you will communicate information about the breach and response plan with employees, clients, and members.
Documentation is key. Just because a breach occurred does not mean regulators will be up in arms. It is how you respond that can lead to memorandums of understanding or other issues. Have a process that will ensure compliance while protecting your institution from a vendor that is falling short or having extreme difficulties. Document all communication and internal discussions to show what you have been doing.
Just like in crisis management, there should be a designated media contact. This person is most likely the CEO or another official spokesperson who has experience talking to the media. Don’t send out a rookie. Have scripts discussing what is being done and what customers or members should do. Understand that when the news breaks, you’ll probably have limited information. Repeat what you know and make it clear you’re working to discover more information.
Have a post mortem process a quarter after the vendor breach to analyze the vendor’s incident response. Just like a test of a business continuity plan, look at how the incident was handled, including what process improvements need to be made and what went well. You may decide that it was unnecessary to include the entire executive team on the response team or that text messaging was a smart way to communicate with clients or members. Examiners love to see that kind of documentation and thoroughness.
It’s a good idea to have a list of other vendors that can provide similar services if you need to exit a critical or significant relationship quickly. One good way to do this is to shop around at renewal time, even if you aren’t planning on switching, so you can be prepared if something catastrophic happens with your vendor.
Armed with these details, your institution can respond promptly and thoroughly to a vendor breach.