Third-party risk management (TPRM) entails the assessment and control of risks resulting from doing business with third-party vendors. Those risks can be financial, operational, regulatory or cyber. By engaging in due diligence about third-party risk, organizations can reduce the likelihood of operational failures, data breaches, vendor bankruptcy and more.
In this guide, we will focus on the cyber risk part of third-party risk management.
Third-party security involves checking and ensuring that third parties such as business partners, suppliers and vendors maintain an acceptable level of cybersecurity so that they can safely do business with your organization. To accomplish this, organizations must create comprehensive third-party security policies and procedures, which include assessments of third parties against those policies prior to onboarding, as well as continuous monitoring throughout the business relationship to check for cyber gaps.
A data breach through a third party can wreak havoc on the organizations to which the third party is connected. Such breaches are increasing in frequency and severity, and take place across all industries.
Here are a few notable examples:
A study by the Ponemon Institute found that 61% of US respondents reported that their organizations experienced a data breach caused by one of their third parties. In 2017, this figure was 56%; in 2016, 49%. Moreover, the vast majority of respondents indicated that they had insufficient resources to manage third-party risk.
Clearly, vendor cyber risk management is a pressing concern for organizations, but it’s particularly important now for these reasons:
The online world is teeming with cyber threats. Not a week goes by without reports of massive data breaches, with some that remained undetected for months before being discovered.
Clearly, cyber criminals are becoming more sophisticated in the way they gain access to personal and business data. Often, they do so by targeting the weakest entry point: the third parties that are connected to the company. They can be connected through IT systems or integrations, and they can be SaaS vendors or third parties that hold sensitive data. These third parties may not have as strong a cyber defense as their customers; hence, they can present an easier vector for hackers to exploit.
Enterprises are doing business with an increasing number of third parties. The average corporate third-party ecosystem grew from 378 in 2016 to 588 in 2018 (“Data Risk in the Third-Party Ecosystem,” Ponemon Institute, Nov. 2018). Accordingly, the percentage of third parties that share organizations’ sensitive and confidential data increased from 37% in 2016 to 43% in 2018.
Organizations have much more at stake than the data exposed in a breach. Besides losing consumer confidence and loyalty, companies can face costly penalties for violating data privacy regulations.
Not complying with HIPAA can cost as much as $1.5 million per year for each violation category. The fines for not complying with the EU’s General Data Privacy Regulation (GDPR) could be up to €20 million or 4% of annual revenue—whichever is greater. And businesses that fail to comply with the California Consumer Privacy Act (CCPA) could face penalties of up to $2,500 per negligent violation and $7,500 per intentional violation. In addition, individuals can also seek CCPA damages of between $100 and $750, and actions can be aggregated into a class action.
For all of these reasons, robust, efficient and reliable third-party cyber management is crucial for organizations.
Security must be a priority for organizations throughout the lifecycle of their relationships with third parties. To accomplish this effectively, organizations should establish a clear process that should include the following steps:
When considering whether to do business with a third party, the company identifies the inherent risk of the business relationship and the level of due diligence to be performed. Accordingly, the company thoroughly evaluates the third party’s security posture and performs a gap analysis to uncover any cyber gaps.
The company works together with the third party to ensure a thorough security assessment. Once the company has pinpointed cyber gaps, it collaborates with the third party about how to close them.
The third party takes steps to fix the cyber gaps.
The company approves the third party or rejects it based on risk tolerance.
The company continues to monitor the third party throughout the business relationship to detect any new cyber gaps. The company receives live alerts if there are any security issues.
A third party includes suppliers, vendors, partners and others doing business with an organization. But there’s another level that all businesses need to be concerned with: the partners and suppliers of their third parties, better known as fourth parties. Fourth parties (or “Nth parties”, reflecting relationships deeper in the supply chain) are not contractually connected to an organization, but they are connected to the organization’s third parties. Research has found a direct correlation between the security posture of a third party and that of its fourth parties.
A vendor management policy identifies the vendors that are most risky to an organization and specifies the controls that must be put in place to minimize that risk. Such a document ensures that an organization is fully aware of and is actively managing vendor risk, helps an organization comply with regulations and reduces the likelihood of a third-party breach.
Various solutions and methods exist for evaluating third parties. Organizations can pick and choose the ways that are most relevant for them, depending on their industry, the number of vendors they employ and their own particular security process. The solutions and methods include:
Security ratings services (SRSes) provide organizations with a rating of their third parties’ cyber posture by assessing their attack surface.
Third-party risk management questionnaires are typically completed prior to vendor onboarding and then updated afterwards at regular intervals.
Security audits are independent security assessments performed by an outside entity. They may include expert reviews of policy and procedure documents, as well as physical reviews of security controls at vendor facilities.
There are a number of significant difficulties that organizations face with regard to third-party vendor management:
An important part of third-party security management has traditionally been questionnaires that third parties are asked to complete, identifying the strength of their security controls. Often, these questionnaires take the form of lengthy spreadsheets, resulting in an arduous, time-consuming and often impractical process that does not scale.
In addition, many organizations mistakenly believe that there is no need to monitor so-called “low risk” third parties, such as marketing tools. Consequently, such organizations are not even aware that all of their third parties’ security should be evaluated, and thus do not realize that scalability is essential.
To ensure scalability, automated tools are a fundamental requirement for any comprehensive third-party security process.
Many assessments also fail to comprehensively evaluate third-party cyber posture. The answers to questionnaires can be highly subjective and frequently fail to provide a reliable and transparent view of the vendor’s true posture. In addition, organizations and third parties often do not fully understand the reasons behind the results of security evaluations, as well as what can be done to improve them.
Even when a questionnaire truthfully reveals the effectiveness of a given vendor’s cybersecurity controls on day 1, IT environments change constantly, so it may not reflect current realities months, weeks or even days after it is completed.
Organizations must have a clear cybersecurity assessment process in place so that all parties fully understand what is being evaluated and how cyber posture can be improved. It’s critical to have a mechanism for monitoring how third parties’ cybersecurity changes over time.
Many assessments do not consider context, otherwise known as inherent risk, as a factor for security management, even though different types of vendor relationships (even with the same vendor!) may expose an organization to different levels of risks. For example, a supplier may not have an API to internal systems, while another one may be involved with vital data transfers daily. While protection from the former may not be a priority, taking action to mitigate any risk associated with the latter is critical, since it poses a clear threat.
Identifying the riskiest relationships is vital to defining a well-prioritized mitigation roadmap. This way, security teams can tackle the biggest threats first and make effective use of their time.
Some organizations must assess hundreds or even thousands of third parties, and it can be a challenge to keep track of all of them.
It’s important to closely monitor security risk questionnaires, allowing companies to see at a glance when they were sent, how much has been answered and when they were completed.
It can be challenging to communicate effectively with vendors about cybersecurity, especially since multiple teams—each with different perspectives and different goals—are typically involved in the process. It’s not uncommon for organizations to spend weeks or months following up with suppliers about answering questionnaires.
It’s important for organizations to be able to easily reach out to suppliers for clarification without having to leave endless phone messages and send repeated emails.
Because of the complexity of vendor cybersecurity management and the ongoing need to scale to a growing number of vendors, automating third-party security management is essential.
Effectively managing third-party security is essential. When building a process, companies need to consider where their bottlenecks and lack of visibility occur. These should be addressed by automating the lifecycle stages of analysis, engagement, remediation, approval and monitoring. When searching for a platform that tackles these issues, companies should be sure to consider the following capabilities:
Third-party security should be based on an “outside-in” view of the supplier’s attack surface that mimics the reconnaissance that a hacker does. This should be combined with an “inside-out” security questionnaire that checks that the supplier adheres to internal company security policies and complies with regulations.
Certain third parties do not pose the same risk as others because of the nature of the business relationship (inherent risk). Automated third-party security platforms must consider the context of these relationships in a final residual risk (actual business risk) rating.
Using automation ensures rapid scaling and the management of hundreds of third parties throughout the business relationship.
Third parties should be able to easily engage and interact with their partners, as well as understand necessary remediation steps.
Numerous stakeholders (security, legal, risk, etc.) at the company have different views of risk. Reporting capabilities need to support various business languages, overviews and details as required by the users.
With shadow IT, outsourcing and cloud app trends, companies may not be aware of all of the vendors they buy from. Working with third parties compounds the problem, introducing those vendors’ own third, fourth and Nth parties into the company’s cybersecurity equation. Full visibility is paramount.
To take corrective actions, organizations should receive live alerts about any change in security.
Multi-language translation, which allows third parties to respond to questionnaires in their native language, supports today’s global supply chains. Furthermore, questionnaires should support various accepted formats such as SIG and CAIQ, as well as recognized standards such as NIST, ISO 2700x and CIS, and provide adjustable weighting for responses.
Security questionnaires should provide a way to check that a supplier complies with specific regulations, such as GDPR and CCPA.
The organization should not need to chase false positives and negatives. A comprehensive third-party vendor security assessment reports the cyber gaps found at the third party, the severity of each gap, and findings across multiple layers and categories, including network, application and human.
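The residual-risk rating described above (inherent-risk context applied to a combined outside-in and inside-out posture, with adjustable questionnaire weights and per-layer, per-severity gap findings) can be sketched in code. This is an added illustration, not the page's or any vendor platform's scoring model; the weight tables, control names and gap findings are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed tiering (not from the page): relationship context scales the exposure.
INHERENT_WEIGHT = {"low": 0.25, "medium": 0.5, "high": 1.0}
# Assumed penalty per finding by severity and by assessment layer (page names network/application/human).
SEVERITY_POINTS = {"low": 1, "medium": 3, "high": 7, "critical": 15}
LAYER_WEIGHT = {"network": 1.0, "application": 1.5, "human": 0.5}

@dataclass(frozen=True)
class Gap:
    layer: str      # "network", "application" or "human"
    severity: str   # "low", "medium", "high" or "critical"
    detail: str     # human-readable finding, so the vendor knows what to fix

def outside_in_score(gaps):
    """Attack-surface posture from external findings: 100 = no gaps, floored at 0."""
    penalty = sum(SEVERITY_POINTS[g.severity] * LAYER_WEIGHT[g.layer] for g in gaps)
    return max(0.0, 100.0 - penalty)

def questionnaire_score(answers, weights):
    """Inside-out posture: weighted share of controls the vendor attests to (0..100)."""
    total = sum(weights[c] for c in answers)
    if total == 0:
        return 100.0  # nothing asked, nothing failed
    met = sum(weights[c] for c, ok in answers.items() if ok)
    return 100.0 * met / total

def residual_risk(inherent, gaps, answers, weights):
    """Residual (business) risk 0..100: exposure left after controls, scaled by inherent risk."""
    posture = 0.5 * outside_in_score(gaps) + 0.5 * questionnaire_score(answers, weights)
    return (100.0 - posture) * INHERENT_WEIGHT[inherent]

def prioritize(vendors):
    """vendors: {name: (inherent, gaps, answers, weights)} -> names, riskiest first."""
    scored = {n: residual_risk(*v) for n, v in vendors.items()}
    return sorted(scored, key=lambda n: (-scored[n], n))

# Constructed sample: the same supplier posture seen in two different relationships.
SAMPLE_GAPS = [Gap("network", "high", "expired TLS certificate on a public host"),
               Gap("application", "critical", "outdated web framework version"),
               Gap("human", "medium", "no phishing awareness training")]
SAMPLE_ANSWERS = {"mfa_enforced": True, "encryption_at_rest": False, "ir_plan": True}
SAMPLE_WEIGHTS = {"mfa_enforced": 3, "encryption_at_rest": 3, "ir_plan": 2}
SAMPLE_VENDORS = {
    "payroll-saas (daily data transfers)": ("high", SAMPLE_GAPS, SAMPLE_ANSWERS, SAMPLE_WEIGHTS),
    "office-supplies (no integration)": ("low", SAMPLE_GAPS, SAMPLE_ANSWERS, SAMPLE_WEIGHTS),
}
```

Calling `prioritize(SAMPLE_VENDORS)` ranks the high-inherent-risk relationship first even though both entries share identical findings, which is the point the text makes about context.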
Want to learn more about creating a comprehensive cybersecurity vendor management program for your organization? Contact us today.