Third-Party Risk Management
Cybersecurity risks and exposures for organizations are at an all-time high and rising. Beyond the cyber risks and vulnerabilities emanating from within an organization’s own network, organizations augment their exposure when they hire third-party vendors. In fact, vendors that provide hosting services or enable key supply chain functions of an organization are considered by many observers to be one of the most significant insider threats to networks.
Vendors such as core hosting providers and cloud service providers, along with the growing use of IoT devices supplied through third-party vendors or service providers, and at times fourth-party service providers, create another level of significant risk to the organization. An organization can have a fortress-grade security posture within its four walls, but once it outsources to third-party service providers and gives them a connection to its network, it is no longer in control of the entire perimeter.
To be sure, forgoing the services of vendors completely is not a realistic option. Increasing global competition and the ever-evolving regulatory and compliance landscape make it critical to depend on third-party service providers to access innovation, gain efficiency and expand market reach. So, organizations’ guiding principle must be: outsource the function, but do not outsource the risk. Practicing and executing this principle requires several critical procedures.
As many chief information security officers and risk managers know, third-party risk exposures are not limited to data breaches or exposures; they also include stolen intellectual property or commercially sensitive information. There are also risks stemming from human errors such as lost devices and data leakage through insecure email practices, as well as the potential for disruption of service.
To address these issues, cybersecurity and risk mitigation must be entrenched in an organization’s contractual agreements, vendor onboarding, and overall third-party due diligence process with existing and new vendors. The process should start by auditing the third party’s security practices and business continuity plans. Organizations must establish performance standards, define default and termination terms, provide for data security concerns for foreign-based service providers, and outline data governance and vendor subcontracting rules. These must be accompanied by a requirement to receive technology service providers’ detailed action plans in response to relevant issues and regulations, and, importantly, to permit sharing of knowledge.
Companies leveraging third-party service providers should also conduct further due diligence around a service provider’s incident response capability: Does the service provider have an enhanced and up-to-date incident response plan? Does the vendor test the resiliency of its plan and go through simulated tabletop exercises? Does the provider have forensics expertise on staff and the technology to support an investigation? Does it have outside forensics and legal support on retainer? Does the organization have an SLA in place with the service provider that goes beyond the right to audit the vendor and to be notified by the service provider of a compromise or cyberattack within a defined time period?
While new technologies and innovations bring greater efficiency, they also create more exposure. The proliferation of IoT devices, and the convenience and capabilities they bring to companies and their end users for both business and personal use, is an example of an emerging technology that companies continue to embrace. In many instances, IoT technologies are being implemented with end users unaware of how the technology works – as long as their end goal is met, users rarely care to know. Unfortunately, while end users may not understand how the technology functions, they also may not recognize the exposure that the technology creates. Further exacerbating the situation is the use of IoT technology by third-party vendors, ultimately leading to increased exposures through a fourth-party service provider. In short, outsourcing has created a web of risks.
Technology is like fire; fire is good if it is managed. If not, it can be chaotic, or in some instances, catastrophic. In many cases, regulators continue to step in and tackle increasing risks of exposure. There are several regulatory and compliance standards that are already in place and continuing to evolve across most industries, including the New York State Department of Financial Services (DFS) Cybersecurity requirements, HIPAA, PCI DSS, NERC, GDPR, CCPA, and a rising number of other privacy laws being adopted in the US and internationally. Third-party risk frameworks and standards continue to evolve and emerge, including the Shared Assessments SIG, which was one of the first industry frameworks developed in response to the FFIEC issuing guidance to banks regarding their obligations when outsourcing to vendors and third-party service providers. Several other third-party risk and compliance frameworks have emerged over the years – some industry-specific, others that are a catch-all.
Shared Assessments continues to expand its framework to capture third-party risks in general as well as privacy and regulatory requirements. These regulatory and compliance measures have an element of managing third-party risk exposures. California became the first U.S. state to impose a specific regulatory requirement on IoT devices by adopting California SB 327. Under it, any manufacturer of a device that connects “directly or indirectly” to the internet must equip it with “reasonable” security features designed to prevent unauthorized access, modification, or information disclosure. It mandates that anyone producing a device that connects to the internet must have a unique pre-programmed password on the manufactured device.
While these regulatory and compliance requirements are a safeguard in managing third-party risk exposures, compliance requirements should be the minimum baseline in managing third-party risk exposure. Being compliant does not equal being secure. This statement alone speaks volumes in an age when we are witnessing an astonishing and increasing number of cyberattacks and data breaches. While companies must address their regulatory and compliance obligations, they must apply greater due diligence in securing and understanding their risk exposures when outsourcing to third-party service providers, especially when it involves an emerging technology that has not been fully understood. New technologies have a greater chance of having unknown exposures or vulnerabilities that can be exploited.
Regulatory and compliance measures are a step in the right direction, but third-party risk management is not just about protecting regulated and sensitive data. Third-party risk management requires identifying a company’s most critical assets and all the exposures that are created by doing business with a third party. The risk exposure goes beyond sensitive data and includes business processes and operations. Business disruption resulting from a third-party risk exposure needs to be addressed through a strategic and all-encompassing cyber hygiene process. Companies need to take it one step further and include cyber risk quantification in their processes. If a third-party service provider has a certain control or process in place, that does not mean the organization is completely absolved of risk exposure. Companies need to quantify the exposure, tackle these issues, and ensure that the third-party service provider practices good cyber hygiene, and they should extend strong cyber resilience measures when reviewing third-party service providers. This includes understanding the depth of a service provider’s monitoring, detection, incident response, and recovery capabilities.