Third-party data breaches: is possession nine-tenths of the law?

In this article we consider the rising threat of third-party data breaches, and identify steps businesses in New Zealand can take to protect themselves.

What is a third-party data breach?

Third-party breaches originate from the systems of supply chain vendors such as payroll service providers, product suppliers, professional services providers (e.g. law firms), or cloud-based storage providers.

These businesses are increasingly targeted by cyber-attacks due to their access to large amounts of sensitive data from multiple entities.

Threat actors can expand the scope of their breaches, turning a single breach into multiple incidents affecting numerous victims. 

Recent large-scale third-party breaches have affected hundreds of clients and compromised the data of millions of individuals.

How big is the problem?

The rise of remote work post-COVID-19 has led to a significant increase in the number of organisations relying on external vendors for software-as-a-service and web and data hosting.

For example, Stats NZ found that export sales of IT services rose 21 percent from 2021 to 2023, and in 2023 had increased by 96% since 2017.

While third-party suppliers offer benefits such as streamlined supply chain management, reduced costs, and enhanced security and operational efficiency, they also increase an organisation's attack surface. 

This exposes even the most robust cybersecurity controls to the risk of a data breach through their supply chain. The risk is most prominent when an organisation inadequately manages the security controls of its third-party vendors during due diligence and fails to implement ongoing monitoring practices.

The easy way out

Threat actors have shifted their focus to exploiting a single upstream third-party vendor to achieve maximum impact with minimal effort. This attack type saw a significant increase in 2023 compared to previous years.

Recently across APAC, there have been several large-scale incidents involving various HR-as-a-service providers, accountancy firms, legal service providers, e-discovery platform providers, and MSPs.

Ransomware and data extortion are the most common attack method for third-party breaches. Third-party vendors, especially managed services providers (MSP), must bolster their cybersecurity resilience and response practices. Organisations must understand their integration with third parties and potential risks from outside their organisation.

The weak link: MSPs

MSPs, which offer IT-related services such as managing IT infrastructure and providing technical support, have become a preferred target because they often have remote access to their customers' networks. Over the past couple of years, almost half of the third-party data breaches that we have acted on stemmed from MSPs.

More stakeholders, more costs

The costs of third-party breaches can vary depending on the type and size of the vendor and the nature of the breach. IBM and the Ponemon Institute found that the average cost of a third-party data breach is approximately USD 4.33 million (~NZD 7 million), compared with USD 3.86 million (~NZD 6.2 million) for general data breaches.

For clients of an impacted third-party service provider, the collective costs of dealing with a third-party breach are significantly higher than those involving just the clients' own staff and customers' data. Additional efforts are required to communicate with and support clients, manage large-scale multi-party data breaches, and address business to business liability costs.

What can you do?

Entities can mitigate the risks of third-party breaches by adopting the following best practices:

1. Evaluate Potential Vendors: Assess a vendor’s security posture and data handling practices before onboarding to ensure robust cybersecurity measures are in place.
2. Risk Mitigation in Contracts: Integrate clauses specifying vendors' obligations regarding security of jointly held data, notification obligations, and indemnities for security/privacy breaches.
3. Enhance Notification Expectations: Pre-determine expectations around timely notification of joint breaches.
4. Align Cybersecurity Controls: Ensure vendor’s security policies, procedures, and risk tolerances align and regularly assess for potential vulnerabilities.
5. Mandate Cyber Insurance: Ensure vendors hold cyber insurance to cover both first-party and third-party liability costs associated with a cyber breach.
6. Lead by Example: Industry leaders should support SMEs and medium-sized businesses in the supply chain. For example, large enterprises can help suppliers with BEC and FTF mitigation to prevent them from being caught up in scam email activity.

For a more detailed briefing on the case, please contact us.

Clyde & Co’s Technology & Media Team houses the largest dedicated and market-leading privacy and cyber incident response practice across Australia and New Zealand. Having managed over 5,000 incidents globally, we know how to manage cyber risks.

We are focused on providing an end-to-end solution that covers all aspects of cyber, data protection and technology-related risk. Our service offering in New Zealand and around the world covers pre-incident, incident response and regulatory investigation services.

For more information, please contact our team – Anthony Cooke, Richard Berkahn.