Incident Response and Third Party Risk

Today, the Shared Assessments Program released a briefing paper titled Building Best Practices for Effective Monitoring of a Third Party’s Incident Event Management Program. The paper was developed out of great necessity, as it became clear that Program members needed additional guidance when managing incidents at the service provider level. The goal of the paper is to offer a guide on effective third party incident management across three distinct stages:

  1. Pre-incident
  2. During the incident
  3. Post-incident

Incident response has become a hot topic for organizations of all sizes as the level and sophistication of cyber attacks continue to increase. Additional requirements around the protection of data, as well as notification requirements, seem to be dominating the conversations with regulators and at the board of directors level. Although there is a significant trove of information available on incident management, the topic of incident management and response in relation to a third party outsourcing agreement has been notably missing.

The briefing paper was born as a project within the Shared Assessments Program’s Standardized Information Gathering (SIG) Development Committee, where a group of industry thought leaders and contributors to the Shared Assessments Program who have experience in incident management at third parties came together to develop it. It represents a great effort by those involved and I expect the final product will help companies of all sizes better prepare for and manage monitoring their third parties’ incident event management programs. I would like to thank everyone who participated in the Third Party Incident Response Subcommittee in support of the paper.

The next step is to determine the applicability of the information presented within the briefing paper to be included in the SIG itself or potentially as a separate Shared Assessments Program Tool. If you find the briefing paper interesting and choose to incorporate it into your organization’s best practices, I would love to hear about whether it was helpful, led to changes in your organization’s approach and/or if you believe improvements should be made to the paper. My organization, Prevalent, Inc., along with others on the Shared Assessments Program’s SIG Development Committee, hosted a webinar with more detail about this paper today and will make the webinar replay available within the coming weeks.

Jonathan Dambrot, CEO and Co-Founder, Prevalent, Inc., is the 2015 Shared Assessments Program Chair. Jonathan is responsible for driving the direction of Prevalent, as well as managing the sales, project management, operations, legal, and marketing organizations at the company.

To obtain a copy of the paper, click here.

To view the webinar, click here.

Please send comments on this subject to Jonathan Dambrot at