December 05, 2019//Tony HowlettLast Updated: November 19, 2020
As data breaches within corporations and government continue to rise, the expenses to recover from them are escalating at an exponential pace. According to a study by the Ponemon Institute and IBM the average cost of a data breach is $3.92 million, up 6.4% compared to the previous year. And with third-party breaches, there can be additional costs beyond the usual financial, regulatory, and reputational damage that an internally caused data breach can bring. These damages can combine to make third-party breaches far more expensive than one where a third-party isn’t involved. Let’s examine these costs and some ways that they can be avoided.
Along with the growth of outsourcing, particularly as it has spread beyond the back office and into mission-critical functions, exposure to vendor downtime has increased dramatically. This is especially true for highly regulated industries such as healthcare and financial services. And while any kind of hack can take a company’s systems down, one involving a third-party can have additional complications and associated costs. As an organization relying on the vendor, you’re dependant on their disaster plan to bring the system back up. Even if they are up to the task, you have no control over it. Plus, if intrusion into their system is widespread, vendors are dealing with a host of internal systems diagnostics while at the same time being swamped by customers’ requests. In short, your issues may not be their first concern or you may have to wait in a very long queue.
“A solid vendor risk management program, backed up by technology, policies, and procedures is the best protection.”
Smaller third-party vendors are sometimes so overwhelmed by the strains and potential costs of having their customers hacked that they go out of business. This nightmare came to reality in the LabCorp/Quest Diagnostic breach just a few months ago. In a situation such as that, you may be forced to bring on new vendor immediately in order to restore those services, and that’s on top of dealing with the damages from the breach.
And when it comes to investigating the root cause of a vendor-related incident, it’s often more difficult and expensive since you won’t have direct access to the suspected systems. And vendors are likely to be more interested in protecting themselves – and not as much interest in not being fully transparent – when there is a legal liability at stake. If your vendor does not cooperate fully right away, your downtime costs will escalate, hour by hour, day by day. Even if they are all in on your investigation efforts, the forensic investigation will take longer due to the multiple entities, networks and software platforms involved.
Another legal consideration is raised if you want to recover losses or costs from a vendor that causes your company to be breached. In those cases, you better have good lawyers. As noted above, even when fault is clearly determined, vendors are hesitant or unable to write you a check. Relying on the courts may be your only recourse and that can take years of effort and considerable legal costs with no certain outcome, especially if you don’t have clear cut audit records available. In the end, there may be no entity left to recover from and that could leave you holding the bag for all related expenses, including your legal fees.
Your best bet to avoiding the potentially exorbitant costs of a vendor hack is to not have one in the first place. A solid vendor risk management program, backed up by technology, policies, and procedures is the best protection. Good review and audit processes can catch any vendor-related problems before they become data breaches.
And if a vendor breach does happen, granular audit records are vital to winning at court or forcing an early settlement before legal costs rise. Clear contracts that outline vendor liability can also speed up the legal route. Plus, vendor management technology solutions such as Vendor Privileged Access Management (VPAM), can make sure that you are well protected from the potentially massive costs of a third-party breach.