August 18, 2024 5 mins

Episode 86 of the Cyber Law Revolution is live!

In this episode, we discuss the ramifications of the CDK breach, third-party management, and the importance of redundancy!

Keep the questions coming! 4109175189 or spollock@mcdonaldhopkins.com


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Good morning, good afternoon or good evening, and welcome back to the Cyber Law Revolution podcast. I'm your host, Spencer Pollock, cybersecurity, data protection and privacy attorney with McDonald Hopkins. As always, keep the questions, calls, comments coming: 410-917-5189, or email me at spollock. That's S-S-S-P-O-L-L-O-C-K at mcdonaldhopkins.com.

(00:24):
Today let's talk about, again, and I think it's a frequent topic, but I've got to keep harping on it: third-party risk management. Big issue that happened about a month ago was the CDK breach. CDK provides auto dealerships with a whole range of services, including CRM, customer relationship management,

(00:44):
invoices. I think they were running credit reports, services, sales, cybersecurity, I mean the whole gamut. Dealerships were very dependent on that. Unfortunately, CDK had a ransomware attack, took down their systems, which then crippled about 15,000 auto dealers, took about a week and a half to recover from that and

(01:07):
we're still seeing problems. The other big issue that we're seeing is that CDK houses a lot of sensitive non-public customer information for 15,000 dealerships, which is a massive headache. So what are some of the lessons that we should be thinking about from this? First, we need more redundancies in place.

(01:28):
Dealerships were way too reliant on CDK, and I'm not knocking dealerships, it was an easy solution, it was right. Cybersecurity, CRM, sales, service, parts. It's everything. We love practicality and we love ease, but that creates massive dependencies and then we forget

(01:50):
about the rule. The rule: two is one, one is none. We need redundancies. You know, someone like CDK, you can only do so much due diligence and you can only hope that they've got the proper procedures, protocols in place, proper backups. The fact that it took about two weeks to get back up and

(02:12):
running, I'm not really sure, but it didn't really appear that they did have the proper backups. That's just... that's not a fact, that's an opinion. But the fact that it took them so long, really big issue. So first lesson we need to learn is we need redundancies in place. Second lesson we need to learn is incident response planning. I'm not here to knock CDK's incident response, but you know

(02:34):
I think the communications were interesting, especially from the day of moving forward. I think, having communications, it appeared that they're having different communications with different stakeholders with different messaging, which caused a lot of confusion, and they weren't communicating effectively to the dealerships, which caused a lot of anger. So what we really need to do is get the communication plan

(02:56):
buttoned up and understand how we're going to communicate in an event like this. On the dealership side, we really need to know how we're going to communicate with our customers and employees if one of our third-party vendors goes down and then we go down. So really being able to control that narrative, to provide the necessary facts and not speculate, is such a huge part of those first 72 hours, and so really hammering about that.

(03:22):
Third part is we really need to emphasize again what sort of auditing we're doing of our third parties. I get CDK is big, but what sort of aspects are we going to be looking at? Did we get a SOC 2 report from them? Were we asking them about their insurance? Were we asking them about their backup procedures?

(03:42):
Likely not, because I get it, large software service provider, but it's time that we really start thinking about that, because if we don't, it's hard to message it after an event. Fourth part is business interruption loss, and I know there's a lot of discussions right now between dealerships and brokers versus carriers about what qualifies for

(04:04):
business interruption loss. So really being able to document that, understanding what you need to demonstrate that and understanding the policy intricacies so you can really pursue those claims. Fifth, understanding what is at risk. CDK houses a lot of customer information. How are we dealing with that?

(04:25):
How are we going to deal with the exposure? The hope is that CDK takes on the responsibility and pushes out notifications on behalf of dealerships, but we have to be prepared. We have to be thinking about the likelihood. If they don't, how are we going to be communicating with customers? What's our notification plan? What are we doing in an event of a regulatory investigation or

(04:46):
class action? I'm a broken record, but it's about due diligence. It's about creating a narrative around what we did to show what we did was reasonable. This is all about reasonableness. So I encourage everybody out there to start thinking about going and making a vendor inventory list. Rank and prioritize pain points. CDK is a huge pain point for dealerships.

(05:08):
In your business, who's your biggest one? Maybe it's your EHR if you're a hospital. Maybe it's a payroll processor, that you can't pay your employees. Maybe it's a supply chain event, supplier if you're a manufacturer. I'm not sure, it's industry specific, but I know one is out there. Maybe it's your managed service provider.

(05:28):
I'm not sure, but we need to start going through this. You need to engage internal and external legal and cybersecurity experts to help you bear this burden, because no longer can we just put our heads in the sand and accept that third parties are going to do it. We need to get on them about that. Short and easy again today. Appreciate you stopping by. Keep the questions, calls, comments coming, 410-917-5189,

(05:52):
or email me at spollock at mcdonaldhopkins.com. Have a great morning, great afternoon or great evening, and I'll see you in the next one.