There has been a breach at a vendor or what we’ll call a “third party.” Just to be clear, it can happen to anyone, but that’s no excuse. Regulators will ask what due diligence you performed before you reconnected with them. Unlike your initial third-party due diligence, this time you are aware of the harm, and all the liability will fall on your shoulders. On the other side, the breached entity will be fighting an internal battle between operations (keeping everything running), their business leaders (getting everyone back on board to make money), and legal (avoiding additional risks).
I’m quite strict about reconnection. Internally, I’m skeptical of my team’s decision to rely on a third-party risk assessment of an entity that was breached, especially since they handled the post-incident breach analysis for reconnection. Externally, I’ll need to explain the decision-making process to auditors and possibly regulators, depending on the damages.
When a vendor walks back into the room after a breach, it feels a bit like a sailor returning from a storm with a cracked mast and a smile that says all is well. No seasoned captain buys it. A breach changes the relationship. You need to see the knots they tied, the planks they replaced, and the repairs that need to be inspected for quality. Trust does not grow from charm. It grows from proof.
The first proof is the post-breach incident analysis. Think of it as the ship log after a wreck. If the pages are too clean, you know the crew rewrote the night. You want stains, crossed-out guesses, and the blunt story of how the hull gave way. When a vendor cannot name the root cause or pretends the damage was mild, they are already hiding the next mistake.
A compromise assessment follows. This is the search for stowaways. Attackers who slip through leave small signs behind. A strange footprint. A loose board. A familiar pattern in the dust. A vendor that avoids this search is not ready to be trusted again. If they refuse to look for hidden trouble, you can assume it is still there.
A forensic analysis report is a level deeper. This is when you bring in someone who does not owe the vendor anything. A third party is like a diver who swims down to inspect the keel. They see cracks the crew never mentioned. If the vendor pushes back on this, you have to ask why they fear an unfiltered set of eyes.
You also need a real remediation plan. This is more than a promise to patch holes. It should read like a blueprint with names, dates, and clear measures of progress. If they hand you a plan full of warm language and empty lines, they are giving you hope instead of work. And hope never fixed a broken system.
Policies and procedures need a fresh coat of paint as well. A breach forces any crew to rethink its routines. If the policies look untouched, it means they learned nothing. If they updated only the introductions and left the real process unchanged, they are trying to look busy without changing their habits.
Next comes evidence that they actually built something new. Not descriptions. Not assurances. You want to see the upgraded locks, the strengthened gates, the new watch schedule. Without this proof, the vendor is that sailor who claims they repaired the hull but refuses to let you walk the deck.
Their compliance posture should shift too. A breach exposes where controls failed. If they claim full compliance without showing how they reassessed those controls, something feels off. It is like saying the compass was true even though the ship drifted. You need to see how they checked their bearings.
An independent security assessment is the real test. This is the rival captain who boards the ship with no need to flatter anyone. They tug at lines, open boxes, and call out problems plainly. A vendor that fears this visit is telling you their repairs will not survive daylight.
Continuous monitoring is another anchor. Without it the vendor is just hoping the sea stays calm. You want to see the tools, the alerts, the crew assigned to watch the horizon. A vendor without active monitoring is simply waiting for the next wave to knock them flat.
A vendor risk management plan helps you understand their future behavior. It shows whether they intend to check their own work or drift back into old habits. Think of it as the chart for the next season. If the chart is missing or vague, you will be the one blindsided when the next storm arrives.
The communication plan is the final piece. When trouble returns, and it always does, you need to know how fast the vendor will speak up. Some try to plug leaks in silence, hoping no one notices. Others call you early before the damage spreads. You want the second kind: a vendor who will raise the flag before the ship takes on water.
Meanwhile, your leadership team is likely looking at you as a barrier to the “business”. You’ll have to explain multiple times that hooking up for the fun of it isn’t going to work and that you’re now likely in personal liability land. This is where CEOs like to say they are the great deciders right up until the trial.
All these documents do not magically restore trust. They give you clues. They reveal whether the vendor faced the breach with honest eyes or tried to paint over the damage. A breach can teach an organization how to grow stronger. It can also expose that they never took security seriously. Your job is to look past the words and decide which one you are dealing with.