The Complete Checklist: What to do if Your Third-Party Vendor Is Breached

Outsourcing some of your business processes and services to a third-party vendor can increase efficiency, improve customer service, and help you manage costs. But what should you do if that vendor is breached? 

According to Black Kite’s 2022 Third Party Data Breach Report, breach impacts almost doubled in 2022 compared to the previous year. In those breaches, an average of 4.73 companies were affected per vendor, not including the vendors themselves. The increase in cyberattacks can be attributed to an expanding attack surface with more devices to serve as entry points and the increasing sophistication of hackers and ransomware attacks, among other reasons. 

The best way to prepare for these escalating attacks is to put an incident response plan (IRP) in place for all your third-party vendors. Your plan should define a systematic process for detecting, responding to, and recovering from a security event related to any third-party vendor. It will also help you minimize losses and maintain business continuity if a breach occurs.

To help you get started, we’ve put together a checklist of tasks your IRP should cover both before and after a security incident occurs.

Before Your Vendor Is Breached

Long before a security incident occurs, you should have a well-developed incident response plan (IRP) in place so you can quickly and effectively resolve security incidents if a vendor is breached. Here’s what your plan should include:

Develop Standard Response Protocols

Develop a standard incident response protocol that documents notification processes, investigation procedures, mitigation activities, and technology interventions. Furthermore, implementing a privileged access management (PAM) solution limits what a malicious actor can reach with a compromised account and secures privileged users across all of your environments.

Conduct Vendor Due Diligence

Make a list of all your third-party vendors, including service providers, contractors, and external partners. In addition, request copies of their due diligence documents, including business continuity plans, service level agreements, and incident response plans.

Assess Your Vendor Agreements

Review your third-party vendor agreements to ensure that they meet industry standards. Agreements should include clearly defined incident response processes, liability, cybersecurity insurance, escalation processes, risk mitigation, and an annual assessment.

Build Your Incident Response Team

Determine who will be involved in incident responses and assign roles and responsibilities.

Review and Test

Conduct tabletop exercises to familiarize teams with process responsibilities and expectations. This ensures that you have all the required capabilities covered should the need arise.

Validate Contact Lists

Determine who should be notified and when. Validate contact information, communication channels, tools and methodologies ahead of time.

Monitor for Security Events

Monitor for security incidents. Conduct regular audits and assessments to identify potential vulnerabilities or risks.

Following A Vendor Breach

After a security breach, time is of the essence. The faster you can stop the breach, the less damage will occur and the less it will cost. Here’s how to protect the integrity of your systems and data if a security incident occurs.

Contain the Incident

In the event of a breach, immediately revoke access and suspend any services connected with that vendor. Get reports from the vendor about their containment processes and disable technology functions to reduce impacts if necessary.
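The "Monitor for Security Events" and "Contain the Incident" steps above both depend on the vendor inventory built during due diligence: you can only watch or revoke what you have listed. The following Python script is an added example, not code from the original article or from CyberFOX. It keeps a constructed inventory of one vendor's access paths (accounts, API key identifiers, expected source networks), flags vendor-account logins from unexpected sources in a constructed log format, records an audit trail of what was revoked during containment, and afterwards treats any further activity on that vendor's accounts as a sign that a path was missed. All names, IP ranges and the log format are assumptions; in a real environment each revocation would be a call to your identity provider, PAM tool, VPN or SaaS admin console.

```python
"""Vendor access monitoring and containment helper (constructed example)."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed log format: "<ISO timestamp> auth login user=<name> src=<ip> result=<success|failure>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class VendorAccess:
    """Everything one vendor can reach: the list the due-diligence step tells you to keep."""
    vendor: str
    accounts: set            # user/service accounts provisioned for the vendor
    api_keys: set            # identifiers of API keys issued to the vendor (never the secrets)
    allowed_sources: list    # CIDR blocks the vendor is contractually expected to connect from
    revoked: bool = False    # set once containment has run for this vendor


def build_inventory():
    """Constructed inventory for two hypothetical vendors (all values are made up)."""
    return {
        "vendorco": VendorAccess("vendorco", {"svc-vendorco", "jdoe-vendorco"},
                                 {"key-7a1f"}, ["203.0.113.0/24"]),
        "otherinc": VendorAccess("otherinc", {"svc-otherinc"}, set(), ["198.51.100.0/24"]),
    }


# Constructed log lines: one vendor login from an unexpected source, one internal user, one junk line.
SAMPLE_LOG = [
    "2023-05-02T09:15:03Z auth login user=svc-vendorco src=203.0.113.10 result=success",
    "2023-05-02T09:16:40Z auth login user=svc-vendorco src=192.0.2.44 result=success",
    "2023-05-02T09:17:00Z auth login user=alice src=10.0.0.5 result=success",
    "2023-05-02T09:18:22Z auth login user=svc-otherinc src=198.51.100.7 result=success",
    "not a recognised log line",
]


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_events(log_lines, inventory):
    """Return (alert_type, account, source_ip) tuples for vendor activity that breaks expectations.

    Before containment, a login from outside the vendor's agreed networks is flagged.
    After containment, any activity at all on that vendor's accounts is flagged, because it
    means an access path was not actually revoked.
    """
    account_to_vendor = {acct: v.vendor for v in inventory.values() for acct in v.accounts}
    alerts = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev is None or ev["user"] not in account_to_vendor:
            continue  # malformed line or not a vendor account: out of scope here
        access = inventory[account_to_vendor[ev["user"]]]
        if access.revoked:
            alerts.append(("revoked-vendor-activity", ev["user"], ev["src"]))
            continue
        src = ipaddress.ip_address(ev["src"])
        if not any(src in ipaddress.ip_network(cidr) for cidr in access.allowed_sources):
            alerts.append(("unexpected-source", ev["user"], ev["src"]))
    return alerts


def contain_vendor(inventory, vendor):
    """Mark every access path for one vendor as revoked and return an audit record.

    The returned action list is the evidence you keep for the 'document what you did' step;
    the real disable/revoke calls are left out because they depend on your tooling.
    """
    access = inventory[vendor]
    actions = [f"disable account {a}" for a in sorted(access.accounts)]
    actions += [f"revoke api key {k}" for k in sorted(access.api_keys)]
    access.revoked = True
    return {"vendor": vendor, "actions": actions}


if __name__ == "__main__":
    inv = build_inventory()
    print("before containment:", flag_events(SAMPLE_LOG, inv))
    print("containment record:", contain_vendor(inv, "vendorco"))
    print("after containment:", flag_events(SAMPLE_LOG, inv))
```

Running the script shows the one out-of-range login before containment, then the audit record, then both vendorco logins re-flagged as activity on a revoked vendor; replaying the log after containment in this way is a cheap check that the revocation actually covered every path in the inventory.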

Inform Key Stakeholders

Notify relevant internal and external stakeholders. In addition, follow communication protocols for interacting with the vendor and keeping your organization informed.

Investigate the Breach

Analyze where and how the breach occurred. Implement the workflow processes in your incident response plan, classify the incident, and follow escalation procedures as necessary.

Mitigate Vulnerabilities

Remove the cause of the incident by installing patches, halting information sharing, increasing cybersecurity measures, or taking other steps depending on the nature of the incident. Additionally, always remember to change your passwords following any kind of breach. Password managers provide strong encryption and are the most effective way of keeping your data safe.

Review Your Contract

Review your vendor contract to determine whether you need to update relevant policies and liability or, in a worst-case scenario, terminate the contract.

Document Lessons Learned

Document what you did, what the outcome was, and what lessons you learned through the incident. Use this information to update your incident response plan and make needed adjustments.

All in all, putting the right incident response plan in place is a critical component of your cybersecurity strategy. Taking the right steps can help you minimize damage, prevent future incidents, limit costs, and ensure business continuity.

In addition, you’ll want to conduct assessments of your current cybersecurity policies and strategies to reduce your vulnerability. This may include examining your password management policies, privilege access management, monitoring strategies, and other key processes. By following best practices in these areas, you can limit your risk and enhance security both internally and externally.

To learn more about PAM and password management, contact CyberFOX today!