Cyber Law Revolution

Mastering Third-Party Risk: Lessons from the CDK Ransomware Breach

Spencer Pollock

Episode 86 of the Cyber Law Revolution is live!

In this episode, we discuss the ramifications of the CDK breach, third-party management, and the importance of redundancy!

Keep the questions coming! 410-917-5189 or spollock@mcdonaldhopkins.com

Speaker 1:

Good morning, good afternoon or good evening and welcome back to the Cyber Law Revolution podcast. I'm your host, Spencer Pollock, cybersecurity, data protection and privacy attorney with McDonald Hopkins. As always, keep the questions, calls, comments coming: 410-917-5189, or email me at spollock, that's S-P-O-L-L-O-C-K, at mcdonaldhopkins.com. Today let's talk about, again, and I think it's a frequent topic, but I've got to keep harping on it, third-party risk management.

Speaker 1:

Big issue that happened about a month ago was the CDK breach. CDK provides auto dealerships with a whole range of services, including CRM (customer relationship management), invoices, I think they were running credit reports, services, sales, cybersecurity, I mean the whole gamut. Dealerships were very dependent on that. Unfortunately, CDK had a ransomware attack, took down their systems, which then crippled about 15,000 auto dealers, took about a week and a half to recover from that, and we're still seeing problems. The other big issue that we're seeing is that CDK houses a lot of sensitive non-public customer information for 15,000 dealerships, which is a massive headache.

Speaker 1:

So what are some of the lessons that we should be thinking about from this? First, we need more redundancies in place. Dealerships were way too reliant on CDK, and I'm not knocking dealerships, it was an easy solution, it was right there. Cybersecurity, CRM, sales, service, parts. It's everything. We love practicality and we love ease, but that creates massive dependencies and then we forget about the rule. The rule: two is one, one is none. We need redundancies. You know, someone like CDK, you can only do so much due diligence and you can only hope that they've got the proper procedures, protocols in place, proper backups. The fact that it took about two weeks to get back up and running, I'm not really sure, but it didn't really appear that they did have the proper backups. That's just, that's not a fact, that's an opinion. But the fact that it took them so long, really big issue. So first lesson we need to learn is we need redundancies in place. Second lesson we need to learn is incident response planning. I'm not here to knock CDK's incident response, but you know, I think the communications were interesting, especially from the day of moving forward. It appeared that they were having different communications with different stakeholders with different messaging, which caused a lot of confusion, and they weren't communicating effectively to the dealerships, which caused a lot of anger. So what we really need to do is get the communication plan buttoned up and understand how we're going to communicate in an event like this. On the dealership side, we really need to know how we're going to communicate with our customers and employees if one of our third-party vendors goes down and then we go down.

Speaker 1:

So really being able to control that narrative, to provide the necessary facts and not speculate, is such a huge part of those first 72 hours, and so really hammering on that. Third part is we really need to emphasize again what sort of auditing we're doing of our third parties. I get CDK is big, but what sort of aspects are we going to be looking at? Did we get a SOC 2 report from them? Were we asking them about their insurance? Were we asking them about their backup procedures? Likely not, because I get it, large software service provider, but it's time that we really start thinking about that, because if we don't, it's hard to message it after an event. Fourth part is business interruption loss, and I know there's a lot of discussions right now between dealerships and brokers versus carriers about what qualifies for business interruption loss. So really being able to document that, understanding what you need to demonstrate that, and understanding the policy intricacies so you can really pursue those claims. Fifth, understanding what is at risk.

Speaker 1:

CDK houses a lot of customer information. How are we dealing with that? How are we going to deal with the exposure? The hope is that CDK takes on the responsibility and pushes out notifications on behalf of dealerships, but we have to be prepared. We have to be thinking about the likelihood. If they don't, how are we going to be communicating with customers? What's our notification plan? What are we doing in the event of a regulatory investigation or class action? I'm a broken record, but it's about due diligence. It's about creating a narrative around what we did to show what we did was reasonable. This is all about reasonableness. So I encourage everybody out there to start thinking about going and making a vendor inventory list.

Speaker 1:

Rank and prioritize pain points. CDK is a huge pain point for dealerships. In your business, who's your biggest one? Maybe it's your EHR if you're a hospital. Maybe it's a payroll processor, that you can't pay your employees. Maybe it's a supply chain event, a supplier, if you're a manufacturer. I'm not sure, it's industry specific, but I know one is out there. Maybe it's your managed service provider. I'm not sure, but we need to start going through this. You need to engage internal and external legal and cybersecurity experts to help you bear this burden, because no longer can we just put our heads in the sand and accept that third parties are going to do it. We need to get on them about that. Short and easy again today. Appreciate you stopping by. Keep the questions, calls, comments coming: 410-917-5189, or email me at spollock at mcdonaldhopkins.com. Have a great morning, great afternoon or great evening, and I'll see you in the next one.