Navigating the Risk of Doing Business with Unsecured Third Parties

Published: February 5, 2024 by Data Breach Team

Insights from the Cyber Risk Summit Beverly Hills – October 2023

Authored by Ryan Coyne

I recently participated in a panel with industry experts, delving into third-party cyber risks. The panel shed light on best practices, challenges, and strategies to mitigate the impact of third-party incidents.

Panel Participants:

  • Stu Panensky (Moderator) – FisherBroyles, LLP
  • Ryan Coyne – Experian
  • Tom Egglestone – Resilience
  • Mark Grazman – Fenix24
  •  Matthew Saidel – FTI Consulting


  1. Incident Best Practices: Collaboration & Coordination on IR Action Items
  2. Upstream Risk of Third Parties: Vendors, Suppliers & Business Partners
  3. Downstream Risk in the Policyholder Supply Chain

The Cyber Risk Summit held in Beverly Hills provided valuable insights into the risks of engaging unsecured third parties.

Key Takeaways

Understanding the Significance

Tom emphasized the longstanding nature of cyber risk exposure tied to third-party relationships. The increasing reliance on external vendors in a tech-enabled world has heightened this risk, especially with the surge in outsourcing and software adoption. Tom highlighted that, even in 2019, Gartner research indicated that 60% of surveyed companies worked with over 1000 third parties in their supply chain, setting the stage for the escalated risk environment post-pandemic.

Crisis Communications in Third-Party Incidents

Matt shared insights into the challenges faced when third-party incidents unfold. The necessity of involving crisis communications consultants early in the process, especially for upstream and downstream, was stressed. Preserving the right to operate and maintaining client trust amid incidents were key points Matt made.
Hands-On Restoration Perspective
Mark, providing a hands-on restoration perspective, discussed the rarity of involvement at the inception of an event. His emphasis on locking down infrastructure, understanding the threat actor’s persistency, and encouraging robust backup strategies showcased the intricacies involved in restoration efforts.
“Restoration efforts often kick in when patient zero is unidentified. Locking down the infrastructure and focusing on repairing affected elements are essential” – Mark Grazman, Fenix24

Notification Strategies and Legal Implications

Representing Experian, I shared my perspective on notification complexities that the average consumer may not be aware of, such as notifying everyone upfront versus opt-in processes. The legal implications of notifying on behalf of others and coordinating with multiple parties. The nuanced approach to call center communication and the crucial factor of making details clear in notification letters in minimizing confusion for recipients.
I want to emphasize a point I made earlier in the panel on the downstream impact of notification strategies and the need to customize communication for recipients.
“For these incidents, it’s most important to minimize complexity on the notification side and minimize confusion for the recipient of your notification letter.” – Ryan Coyne, Experian

Insights from an Insurance Claims Handler

Tom, as an insurance claims handler, underscored the importance of understanding vendor contracts, particularly clauses related to defense and indemnity. He highlighted the need for transparency in the vendor’s incident response process, especially when the insured isn’t in control, adding a layer of complexity to communication and expectation setting.

Crafting a Seamless Notification Process: Public-Private Partnerships

Stu Panensky, Moderator: Public-private partnerships emerged as a recurring theme during the panel discussions. The need for collaboration between law enforcement, insurance companies, and businesses became evident. Stu emphasized the role of public-private partnerships in influencing better outcomes and impacting data protection, regulation, and litigation.

The insights from the 2023 Beverly Hills Cyber Risk Summit underline the interconnected nature of cyber risks and the critical importance of proactive measures. Stakeholders are urged to adopt a collaborative approach, navigate legal complexities, and stay vigilant in the face of evolving challenges.’ I welcome you to watch the full discussion on-demand.

Watch the NetDiligence Cyber Risk Summit session on-demand now.