
Good morning everybody. We are here at our first talk in Theater 6. Our presenter is Kasuri Puramar; hopefully I did that justice. Thank you. And Kasuri's presentation will be "Effective Handling of Third-Party Supplier Incidents." Before we get started, I hope many of you were here yesterday and you're all familiar already with Slido. We're using Slido to facilitate the Q&A. There will not be any live questions asked via the mic. So if you want to ask a question, which I'm sure you will, please use the QR code and activate Slido on your device.

Some more housekeeping. For those of you that love coffee, coffee stations will be available until 3:00 p.m. today, so remember that in your minds: 3 p.m. will be the last time to get a coffee. We also have a raffle running upstairs. Thank you to our lovely sponsors. You can enter by getting your sponsor passport filled out and turning it in to the BSides SF booth. Raffle draws are at 2:15 p.m. today, and please note that to win, you must be present during the draw. The draw will be held at the stage near Lockpick Village in City View upstairs. We also have headshots all day today sponsored by Opal. It's right outside of the talk tracks by the concessions. So go and get a headshot for your LinkedIn. That is all from me, and Kasuri, the stage is yours.

Thank you so much. Welcome everyone. Good morning, and thank you so much for giving your time here today to me. Before starting, I would like to take one minute to convey my thanks to the entire BSides team for organizing such a wonderful event and for sharing our learnings here. For this one talk of like 45 minutes it took me hours to prepare, and I can't imagine how many hours these volunteers and organizers must have put in to get this into a running and successful event. So thank you so much.

So the topic for today is going to be effective handling of third-party supplier incidents. I'll still put the Slido slide up for 30 seconds here in case anyone missed it. All the Q&A is going to be through the Slido site.

Moving into the introduction: myself, Kasuri Puramar. I am currently a manager at Equinix. I mainly work on incident response, and I've been in this industry for like seven and a half years now. Luckily I got into this field. I was set to be a network engineer, doing routers and firewalls full-time, but one of my courses led me to an internship in cyber security at Equinix, and I've been there since then, doing operations, incident response and all those good things.

Moving into our talk, the agenda is going to look like this. If anyone has done IR, they might know the incident response cycle: the standard of preparation, analysis, containment, recovery and all that. I have divided the whole talk into these phases, and we'll be working through each of these phases to give a breakdown of how things can be done.

So what exactly is a third-party supplier incident? In today's business operations world, each organization is connected in some form or other to a third party, maybe via software services, hardware services, network. 98% of organizations are connected to each other. And with the increase in the cyber risk landscape that we are seeing these days, we are opening up our risk landscape to these new vendors or suppliers which we cannot even control; we cannot have an understanding of how that environment looks. So this creates or includes some integral risk in your environment. How can you handle, or how can you assess, this risk? Prevalent did a survey earlier this year, and they said that around 61% of organizations went through some form of breach, and it was like a 49% increase from last year. And I bet there is much more than what the reported surveys say.

And while handling third-party supplier incidents, you also need to consider the ripple effects that are coming from fourth-party suppliers. So suppose you are working with a supplier, but there is an XYZ supplier they are working with, and they got impacted by a breach. Now your supplier has some level of risk or potential impact that can come through via the fourth party to your organization. So it's also important to have an understanding of who your supplier works with, what type of data they are processing, whether any of your data goes to these fourth-party vendors. Knowledge is crucial whenever it comes to IR; if there are data points, that's when you can do proper incident response.

A little bit of problem statements. I'm going to ask here: who do you think, in which bucket, should it be only the IR team who is responsible for doing third-party incident handling? You can raise your hand if you think that. Okay, no nods here. What if it is a combination of your third-party risk management team and your IR team? Is that enough? Okay, I got some hands. What if I propose it should be a combination of your supply chain management, your third-party risk management program, your legal privacy office and your IR team? If all of them are working in partnership, what would that look like? So this is something that we are going to look into today.

These are the common problems which most of the organizations face: they don't have a total third-party risk management program that can understand what type of suppliers you are engaging with and all that, and there is no risk-based decision-making process available; right now the decisions are taken on a case-to-case basis. There's no formal risk acceptance when you have to put any containment controls or those types of things in place. So we're going to deep dive into these things.

As I said, preparation: identifying who can be your cross-functional stakeholders. We did mention a couple of these teams, like your IR team, TPRM, legal privacy office, and customer notifications. That is also important: defining or templatizing your notifications and understanding how you will reach out to the internal audience or external audience. It can be your customers, stakeholders and all that in terms of incident response in this case.

So let's dive a little bit deeper into what the role of the supply chain management team can be. This team is going to be a crucial piece who helps you tie together or understand who your suppliers are: developing a centralized inventory, having business points of contact, business relationship officers assigned to each of these suppliers you engage with. So you have a direct entry point when you have to handle an incident with suppliers. This piece will help you define those. This will help you understand how the contracts look. What is the nature of the contract? When do these contracts renew? It's important to introduce security at the early stages in the contract itself, and provide language in the contracts for timely notifications. If an XYZ supplier was compromised, you need to have some SLAs built in so that they can notify you on a timely basis, and also what type of data was impacted and all those types of things. So strengthening the supplier relationship is important. It's always a two-way street. You also need to provide that comfort, or provide that written communication, to the suppliers that if something happens on our side, we are also going to be informing you in a timely way. So building this relationship with your supply chain management team and introducing the cyber aspect at the early stages is going to help us develop the program further.

Next is going to be the third-party risk management team. This team particularly sits under your infosec umbrella. So here you can partner at deeper levels, have more rapport with this team. And where can they help? Identifying your critical vendors and partnerships. We need to understand beforehand, if any of the critical services go down, what is the backup plan that we have? How is your company going to operate with limited services if one of the software pieces isn't working anymore because the supplier experienced a cyber breach? So understanding that. The supplier risk assessments: we need to perform risk assessments before onboarding, and you can classify them based on what type of supplier you are dealing with. Is it going to be a physical-level security assessment? Is it an insider risk assessment, data, privacy? These types of things need to be developed beforehand, and you as an IR team can contribute by asking these questions with your supply chain management team, sorry, the TPRM team. And this can be converted into something called SAQs, and I'm going to give a little bit of question coverage on the next slide. But before that, it's also important to establish service level agreements on receiving timely responses from the vendors. This is one of the biggest pain points, and we understand: if a company is facing a breach, they are themselves understanding the whole scenario, but there needs to be timely notifications sent to their customers so that they can assess what level of impact they need to deal with and what type of controls they need to put in place. So establishing the service level agreements ahead of time is going to save both the supplier and the customer company time.

And investing in the right tooling. Nowadays there are a lot of platforms available where you can integrate all these risk assessments, risk profiling of these vendors onto one particular thing, and you can also combine your contracts with that tooling platform. That way, whenever a responder goes in, they would get a whole view of what services this particular supplier is dealing with, what type of data they are processing, are they processing any PII, is the supplier processing any of my customer data, what type of things are going on in there. So investing in the right tooling and risk profiling is very important, and the tools also will help give you a risk score based on the open vulnerabilities and the nature of the supplier. So doing a pre-risk assessment of how your critical vendors look and what their risk score is, so that when it comes to having discussions with them you can leverage this information to gain information, etc., during the breaches.

So, as we said, this is a sample questionnaire which you can ask. You can ask questions like: does the system vendor process any personal data? And as I said, the questionnaire can be divided into multiple different avenues. You can use your compliance and regulatory requirements in the questionnaires as well, and divide it into sections and combine it with your supply chain management contracts which go out. So include this and that will be helpful.

What are the common problems that we face? Mainly resource constraints. Most of the companies don't even have a solid TPRM program. Even if they have tools on board, only maybe 25% of real data is there. There is no connection between the supply chain management or procurement and your infosec programs where the whole data is being integrated. So even if there are tools, they're not being used to the fullest. That's been one of the biggest issues. Some teams are still tracking data on spreadsheets and not investing in the right tooling which might help them elevate the program. And limited remediation: even after having risk profiles created for vendors and all that, companies don't tend to do anything about it. So you need to prioritize, at least for your critical vendors, and they are going to be supporting your crown jewels. So you need to identify those critical vendors; at minimum, start there. Build a risk profile for your critical vendors, and also hold the customer accountable, sorry, the supplier accountable, on when they are going to remediate these vulnerabilities. So having this discussion is important.

Now comes the incident response team. Developing IR runbooks: this is one of the underrated things, which people feel like, okay, whenever an incident happens we will figure out who I can work with and all that. So developing a cross-functional IR runbook and defining clear roles and responsibilities for each of the teams which we discussed is going to be important, because it shouldn't happen that, oh, we wanted to do a communication but we don't know who is responsible for what, so we don't know where to go to look at contracts, contractual agreements and all that. So it's important to develop a runbook accounting for all these things in there, and that's where the understanding of interdependencies comes in. You need to collaborate equally with the TPRM team. Ask them how you can help and what type of questions might help during the IR process so that they can send in a questionnaire. And the questionnaires can be in the form of both reactive questionnaires and proactive questionnaires. So the proactive questionnaire was the part which we covered earlier, but we will soon get to the reactive questionnaires. And also develop an incident severity matrix particularly for your third-party response. How are you going to handle it? What is the definition of P1, P2, P3 in regards to your supplier incident? It cannot be a generic incident severity matrix. So develop that beforehand; that's going to help us, and you will see the importance of why it's going to help us later in the slides.

Another piece I would like to add here is the threat intel team. Sometimes it takes a lot of time for the supplier themselves to come and send us a notification. So if you are establishing threat intelligence on your own side, like you're continuously monitoring the mentions of your company, if your data is out there, and if you partner with your threat intel team, they are going to help you bring in real-time alerting if anything has happened. And we have seen a trend lately that a lot of these threat actors just tend to publish data if a company is not complying with their requirements or money requests. So it's important to monitor. This is our backup plan, where you need to monitor and gather that supply chain intelligence based on all platforms available out there, tooling, everything.

So now we are going to look into a scenario. Suppose, and I chose the threat intel team, they are going to curate, they have a continuous monitoring setup, and now what happens is it indicates that one of the suppliers is potentially compromised. So what will they do before analysis? This is an important step that they need to perform, because they can also partner with the TPRM. They can also have access to those toolings which we just spoke about and identify if this particular supplier is a supplier related to your company. What is this going to help us with? Doing a one-step triage ahead of escalating it to your incident handling team, and that will reduce burnout. It cannot be like, okay, I saw the mention of my company here, this is an alert, go ahead. They need to go and vet some level of data, and that can depend on however your setup is, but a level of analysis needs to happen before escalating it to your incident response team.

So now, as per the scenario, they have determined, okay, this threat intel is legit and they want to create this as an incident, and now they escalate it to your incident response team. So what happens here? This flowchart is going to be a two-step process. The highlighted part here is what I'm going to talk about right now. This is where your analysis piece comes to your incident response team. The triage: even if your threat intel team has triaged it, your IR team still needs to triage based on the severity matrix that you have. And then, first things first, do analysis of: is this a supplier to us? Yes. Then you need to immediately launch a vendor SAQ, which is going to be a reactive questionnaire, to understand more of what has happened during this incident, what type of data was compromised. The sooner we send this out, the sooner you're going to get information that will help you with your analysis, because backing of data is the most important thing. We cannot just rely on the intelligence available outside; we need to hear back from the supplier on what exactly has happened on their side. And this is just a sample questionnaire. You can definitely fine-tune it as per the requirements of your company, what type of data you process, what supplier you are dealing with. And this applies also for software services too. So those are some of the questions that you can ask.

Moving forward to the analysis piece. Now it is established that you continue to work, and this is where working with your business relationship officer is going to be important. Who is the business relationship officer? Nothing but the bridge between the supplier and you, because the IR team is not always going to have points of contact where you're working directly with the supplier, at least for the bigger organizations. So it's important to understand who the BROs are, get with them, interview them, understand how your systems are connected, what type of data they are processing; try to understand those types of questions. And once that's done, if you have determined there is connectivity (I'm just going to assume that there is connectivity present), what do you need to do next? Okay, there is a risk that can penetrate from the supplier's arc to your arc because you're using software services, I suppose. What type of containment controls can you put in at this point?

So that is important to understand: what containment controls, before even going there. One thing I would say is we need to look at the contractual obligations that we have. Suppose that particular service was used to process any customer data, like my company's customer data, and I do have a contractual obligation with my customer: even if there is a mere chance of potential impact, do I need to give them a heads up? So for such things you need to have a good understanding of what your contractual obligations are, what your reporting requirements are. So this is where you pair up with your contracts team, your supply chain team, to get a deeper understanding. We did speak about risk assessment and data analysis: understand if there's PII, are there any reporting requirements based on region, because HIPAA and all other different things are there. So you need to know what region this data is getting processed in, where your customers lie, and all that. So work on those data profiles and evaluate the assessment questionnaire which you sent out, the answers from that assessment questionnaire. So those are the types of things that you can consider during your analysis.

And now, as we discussed, it is time to put the containment controls in. But what type of containment controls can you put in? What can be your containment strategy? What does it look like? There can be short-term containment controls. There can be long-term containment controls, like isolating the impacted network, revoking user access, disabling systems to minimize the risk, activating internal containment protocols and all those types of things. Before putting these containment controls in, you need to ask this one question: is it going to impact your business operations? And if yes, what is the magnitude of that? Is it going to cost me revenue? Is it just shutting down the service for some time? What is it? So ask these questions beforehand. Get an understanding before implementing any containment controls. And how will you do that? There needs to be a proper process in which you can accept the risk and get sign-off from stakeholders to continue further.

So we are going to make an assumption here. Based on the internal severity matrix and the analysis we did, this was categorized as a P2 incident, which is a high-level incident. So why did this situation come up? You cannot leave this one task to a single incident responder. If it's going to impact your business operations, it cannot be one person's decision. It has to be a committee. There needs to be clarity on who will handle these, who is the decision maker in these cases. And this is a real pain that I went through. Most of the time it used to be gut-based decisions or case by case. There was no formal acceptance program here, and how do you handle those things? Because if something happens, business is going to come and yell at you: why did you do this? So developing that clarity amongst yourselves and all the partnership teams who are going to be part of this IR process will help beforehand.

So this matrix will give you a good understanding, and you can see here, you don't have to do this for low-level incidents, like P3, P4, P5s. That's fine; you can just monitor, put containment controls in, or most of the time you won't even need to put containment controls in. Only when it's high-impact incidents is where impact to business comes into the picture. So who is responsible for doing what? The risk remediation plan is the responsibility of the incident response team. Based on the analysis, they will develop a plan and present it to this committee, and I'll show on the next slide what the committee is going to be about. And who gets to review the plan? The governance, risk and compliance team and the business relationship officer review the entire plan, and the supply chain risk management committee is the one who will be giving a go-ahead: yes, you can finalize this plan. And then you also need to get a risk acceptance and sign-off from your business relationship officer or the leader to go and implement those containment controls, where the incident response team goes and deploys these containment controls.

So what is the supply chain risk management committee? This particular committee is inclusive of a representative from the procurement team, your legal, compliance, business function, CISO, IT, incident response and business continuity, a combination of all this. And you can develop this forum, just like if you use Slack, maybe create a Slack channel. This can be invoked when some P1, P2 type of incidents happen. You can just say, hey, we need to meet and take this risk-based approach. So the incident commander would be responsible for invoking this committee, and then they can meet as a group and present the remediation plan, and if everyone agrees, if the business leader gives a sign-off, you go ahead and implement those. So this way it's not just the responsibility of that particular responder to take such a big business decision. It's a mutual decision.

And so this is where we were talking about, because most of the time when it comes to doing containment controls the question is: can I go and cut the cords? Can I disconnect from this vendor, or do I need to stay in business? What do I do? So this flow is going to give you an understanding of what you can do. Previously we did launch the SAQ; now analyze internally. The IR and TPRM team can analyze that based on your incident response plan and the severity matrix. You determine what the severity is. If it's P1, P2, you convene the SCRM forum for your management decision, and they take the recommended action plan, and then the SCRM takes a decision: do you want to disconnect from the supplier for the time being, or do you wait? And as we said, if it was just P3, P4 and P5, you track remediation status with the vendor, consider what actions they are taking, understand if your compensating controls are enough to mitigate the risk. So that's what the flow can look like.

And how does this committee also take the decision? I mean, not everyone in that committee is from a cyber background. What are the criteria that they can consider while making a decision? It can go from business impact, like financial impact; regulatory, legal impacts; then reputational: is there loss of significant credibility and confidence, is there big media interest in this particular incident, what is going on. So you need to have all these data points ready, and this is what I mean by the risk-based criteria. If it's not impacting your organization with a significant number in the revenue, you need to, as a team, decide on what is acceptable and what is not. One of the things which I tried while doing this: I don't know if you guys have heard about FAIR analysis. Whenever such incidents came in, I thought I could do a mini FAIR analysis every time a supplier incident happens, but it didn't work, because these are such fast-paced incidents that most of the time you don't know if you will have enough data points to handle it. So something like this has always helped us, given an understanding of whether the business can't take me cutting the cord.

So then, moving forward: what can be the challenges? A lot of times it happens that the vendors don't reply. They are already busy dealing with the incident and everything, so they don't reply. So how do you handle that case? Do you just go based on whatever threat intel is available, or whatever data points you have? Yes. So the SCRM committee will still have rights to take a decision in that case, based on a mutual decision that happens. And then, for lesser severity, as we said, we can continue to monitor and provide additional contracts. And also developing SLAs is again going to be important here, and it can be done by negotiating contracts with your supplier when you onboard them. It's the best place where you can include this.

Communication: establish clear communication protocols addressing both internal and external audiences. You need to prepare email templates and get them approved by your compliance team. You just don't want to go and send a random text to your customer. There needs to be a formal process in place for when you are reaching out to external parties. So consider that as well.

And in recovery, clean bill of health: defining what this term means to your organization. For some it might be getting a report when a supplier goes through a breach, like is an external party coming and helping them to remediate that risk, getting that clean bill of health. Define that beforehand, and based on the severity also. Sometimes, if it's a very high-impact incident, you need to have discussions directly with the security team at the third party to understand what controls they put in place, what remediation actions they took, and all that. So define that.

And then post-incident: remove containment controls, and it is very important to inform your business stakeholders. I have seen cases where six months went by and they didn't know that the containment controls were removed, and they were still waiting to hear back from people to resume business operations, because when you communicate you tell them, hey, stop using the service, stop using some emails or whatever. So it's important to communicate back so that you create the feedback loop and you create trust and transparency with stakeholders as well, and when some incidents happen next time they might be more approachable and will help you to resolve quicker.

What are the key takeaways from this? I would say strengthening the supplier relationship is one thing which I would like to highlight. Do the study beforehand. Get to know who you are getting in business with. Understand the risk. And then cross-functional collaboration with your internal teams: very, very important. Meet, and this can also be converted into tabletop exercises: get all the teams together, create a hypothetical scenario, work this as a tabletop exercise. And also we learned how to do the risk-based decision-making, defining that criteria, what works for your company, is important. So yeah, that's about it from me today. Thank you so much for patiently listening to me. I really appreciate it, and now I'm open to Q&A.

Great. Happy to say we have a few questions here. So first question: what are some tools out there to get visibility into fourth-party vendors? Generally your visibility is at third party.

So a lot of these tools, I mean I cannot promote any tool here, but a lot of the tools that are available... When you are onboarding a third-party supplier you can ask them: are you using any other vendor to process our data? Because that's what you most care about, and that can be part of your SAQs which you send out beforehand. So that is one way, and then you onboard them into your monitoring cycle for those suppliers.

Similar question, maybe you can't name names, but speak to it. What tools or what types of tools can process questionnaires, contracts, etc.?

There are a bunch of... Can I recommend any? Yeah, I don't know if it's... Yeah. So there are tools of, I mean, and now they're also calling it an SCDR platform, something like that. There is a whole naming convention that NIST gave, I guess. So look up those; they're readily available, where you can import your contracts and everything.

So how can you easily find what systems the third party is integrated with?

Yeah, a million-dollar question, but from my experience, what I have felt and thought is that getting understanding and talking with the business relationship officer has always helped me. Go and interview them, have a casual chat, and understand how this integration is set up right now, what are you processing, and try to tune it down to a little bit of layman's terms so that they understand where you are coming from, what the questions are that you are trying to ask. Yeah, that has been the best bet, if you don't have any other inventory. And of course you can check your proxy services for whether you are getting any hits for particular supplier names and all that. So that also has been a good way to see connectivity, what users are using it, and all that.

So great. And not a question, but the final one is a comment: figuring out the business impact is sometimes a non-trivial question at all, and it turns into an archaeological exercise where you have to do a lot of groundwork.

So thank you for that comment. And then in terms of lunch, lunch is happening right now and it's open from 12 until 1:30 on the 4th floor, City View. Please go eat some lunch. And we also have headshots. But first, Kasuri, thank you so much for the conversation. Any questions that you have for our speaker, you will have to ask them after the session or speak to her at City View, just because we can't crowd the aisles due to fire safety.

Thank you. And thank you. Please, a round of applause for everybody. Thank you.