The challenges of third-party risk management
Vendors and other third parties should be treated with the same level of intense scrutiny as your own in-house risk compliance mandates.
How seriously is your company treating the risk of a data breach? Have you done due diligence on all of your vendors and third-party partners? Cyberattacks can have a devastating impact in terms of reputation and customer trust. It takes time and resources to deal with the fall out. The true cost of a serious data breach is hard to calculate.
According to Verizon’s 2015 Data Breach Investigations Report, the estimated financial loss for 70 organizations in various industries around the world from 700 million compromised records was $400 million. No business can afford to ignore a threat like this.
Redirecting resources
There’s plenty of evidence that the enterprise takes the threat seriously. Gartnerestimates that global information security spending will hit $76.9 million this year, up 8.2% on 2014. But are companies spending that money in the right places? No matter how much internal systems are tightened and improved, companies can still be exposed by third-party vendors.
It’s not enough to ensure that your own house is in order, you have to assess every business relationship. After all, a chain is only as strong as its weakest link, and cybercriminals are adept at finding weak spots. The superintendent of the New York State Department of Financial Services, Benjamin M. Lawsky, summed it up nicely in hisFebruary speech:
“In many ways, a company’s cyber security is only as strong as the cyber security of its third-party vendors.”
Learning from the OCC
For many industries, third-party risk management is not optional. Regulators in the U.S. and Europe are starting to bring more pressure to bear. For example, the Office of the Comptroller of the Currency (OCC) extended regulatory responsibility to senior management in financial institutions with Bulletin 2013-29.
You don’t have to be in the finance industry to learn from the main issues it highlighted:
- Failure to properly assess, understand, and document the risk and cost of outsourcing services.
- Failure to perform proper due diligence and ongoing monitoring.
- Entering into contracts without a proper assessment of the third-party’s risk controls.
- Entering into contracts that could incentivize a third party to take risks in order to maximize profit, even if those risks could be detrimental to the bank or its customers.
- Engaging in third-party relationships without a formal contract, or with inadequate contracts.
These issues should resonate with any industry, not just financial services. We’ve seen data breaches in healthcare, hospitality, retail, entertainment, manufacturing, technology, and the list goes on. We find the same root causes every time – a failure to identify and manage third-party risk.
Tackling third-party risk management
There are lots of different ways you might begin to identify and address risks associated with vendors. Firstly, it’s important to plan properly. There’s no one-size-fits-all answer for third-party risk management, but you should always be asking certain questions:
- Why are these services being outsourced in the first place?
- Is there any possibility the third-party will subcontract?
- Do they have data centers based overseas?
- What data is being shared?
- What is the plan in the event of a third-party failure or breach?
- How often are vendors assessed?
The planning phase should produce solid documentation, including a comprehensive due diligence report, a map of third-party relationships, risk assessments, performance reports, audits, and reviews. There’s no room for trust. If you don’t ensure compliance with service-level agreements, for example, then you could be exposing your company, not just to the risk of data breach, but also to legal liability.
Re-imagining vendor assessments
We need a fresh approach to vendor assessment and an understanding that issues must be addressed in a timely manner. Remediation efforts need to be audited, and there must be room for companies to terminate when third parties cannot or will not comply. There are two major failings with traditional vendor assessments:
- Rating system: Reports can produce an arbitrary score or ranking. All too often that ranking doesn’t take the bigger picture into account. The risk isn’t just about the systems that any given vendor has in place, it’s about the nature of the relationship your business has with that vendor. What is your potential exposure in the event of an incident?
- Regular reviews: an annual snapshot of your vendor’s security is rarely enough to provide peace of mind. Where serious risks are identified, it may be necessary to institute real-time, continuous monitoring. There also needs to be follow up to confirm that action is being taken to tighten security when required.
In the modern climate, with cyber security growing in importance, there’s simply no room for casual business relationships based on blind trust. It’s time to take third-party risk management seriously and work out a solution that delivers the oversight your business really needs.
This article was recently published in Network World.
Imagery credit Thinkstock.