
The challenges of third-party risk management


By Michelle Drolet

Founder & CEO


Vendors and other third parties should be treated with the same level of intense scrutiny as your own in-house risk compliance mandates.

How seriously is your company treating the risk of a data breach? Have you done due diligence on all of your vendors and third-party partners? Cyberattacks can have a devastating impact in terms of reputation and customer trust. It takes time and resources to deal with the fallout. The true cost of a serious data breach is hard to calculate.

According to Verizon’s 2015 Data Breach Investigations Report, the estimated financial loss for 70 organizations in various industries around the world from 700 million compromised records was $400 million. No business can afford to ignore a threat like this.

Redirecting resources

There’s plenty of evidence that the enterprise takes the threat seriously. Gartner estimates that global information security spending will hit $76.9 million this year, up 8.2% on 2014. But are companies spending that money in the right places? No matter how much internal systems are tightened and improved, companies can still be exposed by third-party vendors.
It’s not enough to ensure that your own house is in order; you have to assess every business relationship. After all, a chain is only as strong as its weakest link, and cybercriminals are adept at finding weak spots. The superintendent of the New York State Department of Financial Services, Benjamin M. Lawsky, summed it up nicely in his February speech:

“In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.”


Learning from the OCC

For many industries, third-party risk management is not optional. Regulators in the U.S. and Europe are starting to bring more pressure to bear. For example, the Office of the Comptroller of the Currency (OCC) extended regulatory responsibility to senior management in financial institutions with Bulletin 2013-29.
You don’t have to be in the finance industry to learn from the main issues it highlighted:

  • Failure to properly assess, understand, and document the risk and cost of outsourcing services.
  • Failure to perform proper due diligence and ongoing monitoring.
  • Entering into contracts without a proper assessment of the third party’s risk controls.
  • Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
  • Engaging in third-party relationships without a formal contract, or with inadequate contracts.

These issues should resonate with any industry, not just financial services. We’ve seen data breaches in healthcare, hospitality, retail, entertainment, manufacturing, technology, and the list goes on. We find the same root causes every time – a failure to identify and manage third-party risk.

Tackling third-party risk management

There are lots of different ways you might begin to identify and address risks associated with vendors. Firstly, it’s important to plan properly. There’s no one-size-fits-all answer for third-party risk management, but you should always be asking certain questions:

  • Why are these services being outsourced in the first place?
  • Is there any possibility the third party will subcontract?
  • Do they have data centers based overseas?
  • What data is being shared?
  • What is the plan in the event of a third-party failure or breach?
  • How often are vendors assessed?

The planning phase should produce solid documentation, including a comprehensive due diligence report, a map of third-party relationships, risk assessments, performance reports, audits, and reviews. There’s no room for trust. If you don’t ensure compliance with service-level agreements, for example, then you could be exposing your company, not just to the risk of data breach, but also to legal liability.

Re-imagining vendor assessments

We need a fresh approach to vendor assessment and an understanding that issues must be addressed in a timely manner. Remediation efforts need to be audited, and there must be room for companies to terminate when third parties cannot or will not comply. There are two major failings with traditional vendor assessments:

  • Rating system: Reports can produce an arbitrary score or ranking. All too often that ranking doesn’t take the bigger picture into account. The risk isn’t just about the systems that any given vendor has in place, it’s about the nature of the relationship your business has with that vendor. What is your potential exposure in the event of an incident?
  • Regular reviews: An annual snapshot of your vendor’s security is rarely enough to provide peace of mind. Where serious risks are identified, it may be necessary to institute real-time, continuous monitoring. There also needs to be follow-up to confirm that action is being taken to tighten security when required.

In the modern climate, with cyber security growing in importance, there’s simply no room for casual business relationships based on blind trust. It’s time to take third-party risk management seriously and work out a solution that delivers the oversight your business really needs.

This article was recently published in Network World.
Imagery credit Thinkstock.