CyberTalk

Aussie data breach report exposes supply chain risks


EXECUTIVE SUMMARY:

Approximately 60% of Australian organizations lack a comprehensive understanding of third-party data breach risks, and more than 50% have not implemented measures that meaningfully support long-term third-party risk management. Authorities are concerned…

The Office of the Australian Information Commissioner’s recent data breach report highlights growing concern over supply chain risks and breaches. The report records a significant number of multi-party incidents, in which a single breach affects the data of more than one organization.

Many of these incidents originate with cloud or software providers, which raises questions about how well organizations understand their supply chain exposure and how far they have matured their supply chain security measures.

The incident types most commonly reported as a result of supply chain compromises are phishing, compromised account credentials and ransomware.

OAIC response

The Office of the Australian Information Commissioner (OAIC) is intensifying its pursuit of regulatory action against organizations that have experienced data breaches, including seeking civil penalties through the Federal Court.

In particular, the OAIC is prioritizing action in cases where there were clear failures to meet breach reporting requirements and obvious lapses in the protection of personal information. This includes situations where organizations have left data exposed by retaining it for longer than necessary.

“As the guardians of Australians’ personal information, organisations must have security measures in place to minimise the risk of a data breach. If a data breach does occur, organisations should put the individual at the front and centre of their response, ensuring they are promptly told so their risk of harm can be minimised,” said Australian Information Commissioner Angelene Falk.

Steps for organizations

An organization’s third-party risk management approach should be specific to that enterprise, shaped by who it works with, its role in the larger ecosystem, its regulatory and data protection obligations, and its risk tolerance.

There are many ways to become more proactive about third-party risk. As a strong initial step, the Office of the Australian Information Commissioner recommends, among other things, embedding risk management into third-party contractual agreements.

If your organization is just starting out in this area or would like to improve existing agreements, consider the following:

Define clear expectations and requirements: which security measures the provider must maintain for the personal information it handles, and how, and how quickly, it must notify you if that information is involved in a breach, so that your own reporting obligations can be met.

Create backup and contingency plans: decide in advance how you will keep operating, and how you will notify affected individuals, if a provider is breached or becomes unavailable.

Regularly monitor and assess: a contractual requirement is only as good as your verification that the provider is actually meeting it, so revisit these agreements and the provider’s performance against them on a recurring basis.

Further thoughts

In a global business landscape, supply chain risk management is a critical practice. By limiting supply chain breaches, organizations protect their reputations, avoid emergency costs, and reduce their exposure to lawsuits over risk management failures, which, as the OAIC’s enforcement push shows, are about to affect a number of organizations in Australia.

If you’d like to get ahead of potential regulatory and legal challenges, be sure to read A CISO’s Guide to Preventing Downstream Effects (And Litigation) After a Breach.
