Plan for third-party cybersecurity incident management

Expanding regulations and stakeholder expectations could require organizations to report cybersecurity incidents more quickly — even incidents at a third-party vendor or supplier.

That poses two challenges for organizations:

  1. There are potential regulatory liabilities in the event of a third-party breach, and traditional third-party due diligence may not sufficiently address these.
  2. Incident management processes must extend out to vendors and suppliers, so the organization can understand the scope of any breach (including the systems, customers, and other factors affected) and complete the required reporting and disclosure procedures.

To meet the first challenge, many organizations still assess their liabilities with a list of yes-or-no questions that has not evolved much since the early days of cyber liability insurance underwriting. However, growing premium payouts have convinced insurers that high-level questionnaires are not enough to manage cybersecurity exposure. The same is true for third-party risk exposure.

Checking a box rarely provides enough context to understand whether a risk is mitigated. The real questions you need to answer are more like…
