In a globally interconnected world, knowledge-based economies are shaping our future, and vendor relationships are critical to success. Global enterprises increasingly rely on hundreds, if not thousands, of third-party vendors, contractors, and systems to support business operations and achieve strategic objectives. Financial services firms outsource support and processing. Manufacturers work with suppliers, distributors, freight forwarders, and resellers around the world. Healthcare providers rely on data collectors, coders, data transmitters, document shredders, and POS vendors.
In their 2016 Ethics & Compliance Third Party Risk Management Benchmark Report (PDF), NAVEX Global found that nearly 60% of the 400 respondents expect to increase their reliance on third-party relationships. Outsourcing operations, forming new partnerships, shifting business offshore, and implementing cloud computing services are integral to achieving business goals. Yet each of these initiatives can also introduce cyber security risk and reduce control.
NAVEX Global found that 67% of financial services firms and 50% of healthcare respondents put cybersecurity risk at their top of their concerns – above fraud, bribery and corruption, and conflicts of interest. This makes sense since both industries are the most frequent victims of breaches according to Verizon’s 2017 Data Breach Investigations Report. But cybercriminals don’t discriminate – all industries and organizations of all sizes are targets. Every enterprise must be actively engaged in identifying, managing, and limiting the liability third parties can introduce as a result of inadequate or ineffective security practices.
As security becomes more complex and networks more intertwined, third party risk management has become an essential part of business strategy. Third-party risk is now a boardroom discussion, especially in highly regulated industries. Many organizations rely on third party certifications such as SOC2 and ISO 27001 to mitigate risk. However, many significant risks are not programmatic, they’re in details such as how connectivity and collaboration between the organization and third party is being achieved, the infrastructure and software architectures, poorly protected ancillary systems, and other aspects which aren’t addressed in most audits.
An effective third party risk management program is required, but where do you begin? For most organizations budget pressures are significant and staff is already over-burdened. Adding to the challenge, you need a team with a unique combination of security, risk management, program management, and vendor relationship skills to develop and run the program. And like all things security, this isn’t a situation of “set it and forget it.” Staying up to date on the constantly-evolving risk environment and emerging threats is also required in order for the program to remain effective.
Third party risk can encompass a wide range of issues, from contractual to supply chain to data protection. The NAVEX survey reveals that organizations that use an outsourced third party due diligence provider tend to discover more “red flags” or other potentially negative third party information than those who do not. Whether you are creating your own program, or looking for a provider to help with some or all aspects of your program, here are five key considerations:
1. Defining risk-based tiers of vendors – Not all vendors are equal; the level of risk varies based on criticality and risk to your operations. Make sure you consider the types of data and systems they have access to, your level of dependency on their services to remain operational, as well as compliance risks. You need a strong understanding of the risk landscape and how the desired benefits, whether improved agility, increased performance, or cost savings, could be offset by unforeseen vulnerabilities.
2. Assessing vendors’ security controls effectiveness – How likely is it that each of your vendors will be negatively affected by various types of threats? You need to understand if they have effective controls to protect against threats such as insider data access and exfiltration, web application attacks, network-based attacks, social engineering, mishandling or accidental exposure, and operational outages or data corruption. Assessing whether partners (particularly those at the highest tiers) are meeting your security and risk management requirements is imperative.
3. Addressing risk issues – When you do find a security, operational resiliency, or compliance gap, you need processes in place to proactively address this and ensure remediation or replacement of vendors who are not able to meet your standards. Do you have contractual requirements in place, how are they monitored and enforced, and do they need to be revised?
4. Understanding and addressing emerging threats – Geo-political instability; new attack vectors; evolving tools, techniques, and procedures (TTPs); industry-specific attacks; and attacks targeting a specific partner organization can introduce risk to your enterprise. Ongoing monitoring capabilities and access to global threat intelligence will allow you to stay ahead of the changing threat landscape.
5. Reporting to management – Third-party risk management is a boardroom topic. You need reporting mechanisms that provide management transparency to vendor risks including executive metrics and proactive security guidance from an operational and technological standpoint. Transparency to risks is also important to the lines of business that hold the vendor relationships. Balancing risk and opportunity on an ongoing basis will allow business leaders to make sure they are engaging with the most risk-appropriate organizations.
When evaluating, implementing, or expanding third-party relationships, you need to understand your full risk profile across the entire relationship lifecycle. With capabilities in place across these five key areas you can make better decisions about how you connect, communicate, and collaborate with third parties to make sure the risk doesn’t outweigh the reward.