3 Key Lessons in Vendor Management Highlighted by the MOVEit Cyber Incident

Association of Corporate Counsel - St. Louis Newsletter
September 2023 Publications

If you are anything like me, the company “MOVEit” was not on your radar prior to the end of May 2023. But following the cyberattack experienced by the file transfer company over Memorial Day weekend, it has been hard to go a week, or even a day, without seeing “MOVEit” in a headline.

MOVEit is (or perhaps, was) a popular file transfer system used by many organizations, and particularly by vendors to receive information to process on behalf of companies. Over Memorial Day weekend, a well known ransomware group, CL0P, exploited a vulnerability in the MOVEit transfer software, allowing the ransomware group to gain access to information contained in files that were transferred using MOVEit. After the incident, headlines started to break about the various organizations impacted and the scope of the incident, which by some counts, is estimated to have impacted more than 34 million individuals and 500 organizations.

While there is always an opportunity to consider “lessons learned” following a cybersecurity incident, the MOVEit incident underscores the importance of having sound vendor management practices. In particular, the MOVEit incident highlights three key takeaways: 1) know your vendors (and strive to know your vendors’ vendors); 2) solid vendor contracts are crucial for managing risk and clarifying roles in the event of a security incident; and 3) incident response plans or procedures should address vendor vulnerabilities and incidents.

1. Know your Vendors (and Strive to Know your Vendors’ Vendors)

MOVEit is a vendor or service provider that offers a tool to organizations to transfer files. But because MOVEit is a file transfer tool, MOVEit was also often used by vendors or data processors who processed data on behalf of or provided services to organizations to receive information from clients or organizations that they provided services to. For example, MOVEit was used by PwC, Ernst & Young (both consultants and accounting firms to organizations), the National Student Clearinghouse (a vendor to colleges and universities), PBI Research Services (PBI) (a vendor to financial institutions), and others. Accordingly, not only was MOVEit itself a vendor to organizations, but MOVEit was often a vendor-of-a-vendor to organizations that were ultimately impacted by the incident.

In the case of the vendor-of-a-vendor posture, many organizations whose data was being transferred to their vendor (via MOVEit) did not know that MOVEit was involved in the transfer or anywhere in the information disclosure chain. However, most state data breach notification laws place obligations to notify individuals and regulators on the owner or licensor of the data, and not on the licensee or vendor of the organization. Because the law is framed in this way, many organizations who were two layers removed from the incident (i.e., MOVEit was used by the organization’s vendor) still found themselves announcing the vulnerability, making public notice on their website, and facing the pushback and reputational damage that often follows such public statements. This also often led to the organization answering questions regarding or defending the use of MOVEit, which it may or may not have been in a position to answer, particularly if it did not know MOVEit was utilized by its vendor to transfer data. Knowing your vendors, and asking your vendors which critical vendors they use to process your data, can help get ahead of some of the questions and necessary information that organizations often need following a vulnerability.

2. Solid Vendor Contracts are Crucial for Managing Risk and Clarifying Roles in the Event of a Security Incident

In the event of a vendor incident, one of the first things most organizations do is look at their contract with the vendor to determine which obligations (and costs) they can impute on the vendor, which roles the parties agreed to take in the event of an incident, and whether their organization now has a right to terminate the contract because of the incident. Most state consumer data privacy laws require contracts between organizations and vendors who process personal data on their behalf to ensure appropriate privacy measures are undertaken, but these laws do not dictate any required terms with respect to security incidents, and state breach notification laws are usually similarly silent on any requirements for vendor contracts.

Too often when examining the agreement following an incident, organizations discover that the indemnity cap in their vendor agreement either expressly excludes security incidents or breaches of confidential information, or only includes damages for third-party claims as a result of the vendor’s processing of data, neither of which often cover the costs of remediation and notification that organizations typically incur when an incident occurs.

Even more often, contracts do not specify the roles of the parties or the obligations the vendor has to the organization following an incident. For example, many contracts are silent about the type of information the vendor must provide to the organization about the incident. Since the organization often has limited visibility into the innerworkings of its vendor (including their systems that were compromised), yet the organization has the notice obligations, which often include describing specifically what happened, the information impacted, and how it was accessed, this leaves organizations without the necessary information to achieve their notice obligations, and no way to force the vendor’s hand to provide information. Many contracts also do not delegate which party will make notice to individuals or regulators (and pay for such notice), and the organization’s right to be involved, or to require the vendor to be involved, in the notice process. Organizations can often push in their contracts to have vendors make notifications to regulators and/or individuals on their behalf in the event that the vendor experiences a vulnerability, and even in doing this, can often retain the right to approve the content of any notice. However, if this contractual language is not present, vendors often throw up their hands and push all notice obligations down to organizations, despite holding the keys to the information necessary to make notice.

Carefully negotiating vendor contracts to ensure there is indemnity and coverage for the organization’s costs of remediation and notification, and ensuring that the roles of the parties are clearly outlined so there is no question as to the rights and obligations the vendor and organization have, can make navigating a vendor incident much smoother, less costly, and can often result in less reputational damage to the organization.

3. Incident Response Plans or Procedures Should Address Vendor Vulnerabilities and Incidents

While many organizations in recent years have developed incident response plans or procedures to be able to spring into action if they directly experience an incident, many organizations’ plans and procedures do not contemplate incidents involving their vendors. When an organization receives an email from their vendor that they experienced a security incident and their organization is likely impacted, the organization loses valuable time (and bargaining power) by not acting swiftly following the notification. Failure to act quickly can also increase the risk of missing key deadlines. For example, organizations subject to the General Data Protection Regulation (GDPR) have just 72 hours to make a notification following a suspected personal data breach, and many publicly traded companies will now be subject to the same timeframe with the SEC’s new rules aimed at cybersecurity risk management, strategy, governance and incident disclosure.

If an organization does not act swiftly to secure information about the scope and impact of the incident, the organization risks missing these tight timeframes, or not having enough information from the vendor to make meaningful notification. In the event your organization does not have a contract with the vendor that specifies each party’s obligations in the event of an incident, or which aspects of the incident response the vendor will pay for, being one of the first in line making demands on the vendor to cover the costs of remediation and notification can also help ensure that there are still funds in the vendor’s corner (or, their cyber policy) to cover your organization’s efforts to mitigate their incident. Adopting incident response policies and procedures with respect to vendor vulnerabilities can mitigate this risk and ensure that your organization acts swiftly.

While many organizations now operate under the guise that cybersecurity incidents are somewhat inevitable, the above three considerations are proactive and preventive vendor management risk mitigation techniques that organizations can adopt to be more prepared when and if an incident arises.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware