News continues to break on organizations facing fines, data loss, and shutdowns due to a lack of due diligence in their vendor selection process and the introduction of new vulnerabilities into their environment. Most recently, Delta, Sears, and four energy companies were victims of third-party cyber attacks. No one can forget the infamous 2015 Target breach, where an HVAC vendor was the conduit for criminals to steal the credit card information of more than 40 million customers and Target paid over $200 million in legal fees and settlement costs.
While many organizations understand the importance of assessing third parties, the 2017 Ponemon study “Data Risk in the Third-Party Ecosystem” found that less than 50% of all respondents thought that managing outsourced relationship risks was a priority for their organization.
If you’re on the fence about whether to spend corporate resources improving third-party risk management, start by asking several questions:
- Is the cybersecurity of your vendors and supply chain a consideration in your organization’s risk management program?
- Do you assume that if you’ve outsourced an area of your business that you’re covered by the vendor’s cybersecurity controls, or that you’re indemnified if there is a breach?
- When is the last time you actually read your third-party contracts to see if the language includes specific cybersecurity control and notification requirements?
- Do you have a compliance requirement to meet regulators’ increased emphasis on managing third-party relationships?
How you answer these questions provides clues as to whether you should rethink your approach to third-party risk. It is important to understand that third-party risk management involves more than the completion of a questionnaire or assessment by the third party before engaging in a relationship. Organizations that rely on outside entities for key activities should consider a formal Third-Party Risk Management Program (TPRMP). Key components of a TPRMP include:
- Program Governance
- Identification and Analysis of Third-Party Risk
- Contractual Language
- Monitoring and Review
The same Ponemon study also found that “only 17 percent of respondents rate their companies’ effectiveness in mitigating third party risk as highly effective” and “60 percent of respondents feel unprepared to check or verify their third parties”. This shows that while third-party risk management programs exist, they lack effectiveness.
It is essential for there to be a solid foundation for third-party risk management programs, and this requires organizations to get their own house in order first. Companies should develop an enterprise information security strategy that includes third-party risk management. Documented policies and procedures that have defined goals and objectives for third-party risk management are essential for success.
While the accountability for third-party risk management programs is dispersed throughout organizations, the ultimate responsibility for risk falls to the board of directors, and as such, it is important to have their buy in and support for the program. There should be clearly defined communication channels for risk practitioners to convey their findings to the board, ideally mandated by policy.
Identification and Assessment of Third-Party Risks
Assessing the risks of your third parties begins with identifying who they are. It is important to remember that third parties include suppliers, service providers, contractors, and in some cases clients.
Once an organization has identified its third parties, it should also determine their level of criticality. Not all third parties are equal, and they shouldn’t necessarily be treated equally. Some considerations for determining criticality include:
- What type of data is being provided to the third party (critical/sensitive)?
- What is the volume of that data?
- Are there regulatory requirements to consider?
- What type of access (physical/logical) will the third party have to data/systems?
Once the criticality of third parties has been identified, they should be assessed in alignment with company policy. Many organizations utilize a survey or questionnaire as a large part of the assessment process. Additionally, a tiered approach, with the most critical vendors receiving in-depth assessments that may include on-site visits or other means of verification, should be considered.
The third-party identification and assessment process should result in an understanding of the vulnerabilities that exist within the third party and how they may affect the outsourcer. Outsourcers should utilize this information to calculate a risk rating, taking into consideration the impact and likelihood of a threat exploiting the identified vulnerabilities. In doing so, the outsourcer is able to identify areas in need of mitigation, and in some cases, termination of the relationship. Risk discovered through the third-party identification and analysis phase should be documented and provided to the appropriate organizational stakeholders.
Any language entered into a contract or addendum should be thoroughly vetted by your organization’s legal department. Robust TPRMP’s will have defined boilerplate clauses for inclusion into contracts and utilize them where appropriate. Some language to consider includes Service Level Agreements (SLA’s), “right to audit” clauses, breach notification and incident response requirements, and termination procedures. Additionally, organizations should consider adding security addendums that detail the specific security requirements that it expects third parties to maintain (i.e. risk assessments and management, specific network requirements, business continuity and disaster recovery plans, use of subcontractors).
Organizations should bear in mind that it is their data and systems that are at risk and as such, should mandate third parties to maintain a security posture that is consistent with their risk rating and level of criticality. Strong TPRMP’s, where appropriate, will require third parties to secure their systems/data at levels commensurate with their own organization’s security requirements.
Monitoring and Review
Just like any risk assessment, third-party risk assessments are not “one and done”. Organizations should continually monitor their third parties for any changes to the risk environment. At minimum, third parties should be reviewed on an annual basis, or with any large change (i.e. change in scope of relationship). This review process should include a re-assessment, again based on criticality, and in some cases may warrant an on-site visit. In addition to further assessments, organizations should evaluate compliance with contractual obligations.
Increasingly, regulators and the public are holding companies responsible for managing the cyber risks created by vendors and supply chain providers. The adage, “You can outsource the work, but you can’t outsource responsibility” has never been so true. At the end of the day, an organization can only mitigate (or accept, transfer, avoid) risks that it is aware of. It takes a third-party risk management program to fully understand the risks that third parties can introduce.