Accellion Data Breach: Four Strategies for Third-Party Risk Response

The Accellion third-party data breach, which has already claimed law firms, retailers, telecoms, banks and governments worldwide as victims, has now impacted one of the largest companies in the world: Royal Dutch Shell.

To re-cap, Accellion’s 20-year-old file transfer software, FTA, was compromised in December 2020. While it has since been patched, this near end-of-life tool still counts more than 3,000 customers, meaning that there were potentially thousands of companies – and their customers – that could have been at risk.

Like the SolarWinds supply chain breach before it, this increasingly damaging third-party data breach continues to provide an example of how a single compromise can negatively impact customer systems, and why a more proactive approach to third-party risk management is needed.

4 Risk Management Strategies to Help with the Accellion Breach

Third-party risk management (TPRM) (sometimes called vendor risk management or VRM) is part of an overall risk management strategy meant to identify, assess and mitigate risks presented throughout the lifecycle of relationships with third parties – including vendors, partners, suppliers or other Nth parties.

TPRM plays an essential role in managing vendors. If you’re concerned about an Accellion-style breach impacting your organization, consider these 4 TPRM strategies for understanding your vendor risk and what to do about it.

1. Use Inherent Risk to Accurately Tier and Profile Your Vendors

In order to properly understand the risk that vendors pose to an organization, risk management teams must be able to calculate inherent risk, or the current risk level given what is understood to be the existing set of (or lack of) controls for that vendor. Calculating inherent risk is important when onboarding new vendors, and informing profiling, tiering and categorization decisions.

When considering how to tier a vendor, it’s important to fully understand the impact a supplier could have on your business if it were to fail. Accordingly, you should leverage a scoring system that determines the supplier’s tier group. This could include the following criteria:

• Operational or client-facing processes
• Interaction with personal data
• Financial status and implications
• Legal and regulatory obligations
• Reputation

In the context of this data breach, Accellion could have been placed in a high tier because they handled the personal data of customers. Being in a higher tier would have automatically increased the level of scrutiny over their processes, which in turn may have revealed a vulnerability before it was exploited.

2. Assess Your Third Parties Flexibly According to Business Needs

Conducting cybersecurity assessments of your suppliers and vendors provides a baseline against which to measure compliance or adherence to security protocols. However, don’t force-fit every vendor in every tier into a single rigid questionnaire. While using a similar set of questions to evaluate all vendors is important, be sure to have the flexibility to assess them against unique requirements, too.

Regardless of the questionnaire, vendors should be invited into a central portal to provide answers and submit supporting evidence. Their answers would be flagged as risks automatically if they fail to meet certain thresholds, and then automated actions can be taken to resolve the issue.

Using Accellion as an example, their customers could have been assessing the company on their adherence to the software development lifecycle (SDLC) – specifically maintenance processes, patching and updates. If Accellion was not able to demonstrate that it had the patching and update processes in place to prevent vulnerabilities from being exploited, a risk would be raised.