In 2021, Accelion FTA suffered a massive third-party data breach of consumer and patient data that impacted 100 companies and 9.2 million users – roughly the population of New York City. What was memorable about this breach was that it occurred twice. Although a security patch was released after a breach in December 2020, it was insufficient to thwart a subsequent attack a month later. With the average organization having ten third-party rel ationships, and many having two dozen in over ten countries, the need to assess third-party risks is essential not only for your organization, but every vendor in your supply chain.
One tool organizations should use to evaluate their risk is a third-party risk assessment.
What is a Third-Party Risk Assessment?
A third-party risk assessment is a process that explores the risk posed to your organization by third-party vendors along the supply chain. This process evaluates the likelihood that your business is exposed to different third-party risks such as compliance risk, operational risk, financial risk, security risk and cybersecurity risk. For example, a third-party risk assessment informs you which business relationships could expose your organization to data breaches or reveal customer data and operational data and confidential information such as intellectual property or patents in your network or system. Along with monetary penalties, data breaches cost organizations time and resources and lead to reputational damage.
How Do You Conduct a Third-Party Cyber Risk Assessment?
Organizations conduct third-party risk assessments with the help of standardized questionnaires to verify how closely vendors are managing third-party risks. These questionnaires evaluate a vendor’s processes and policies, including whether or not they are meeting regulatory requirements and have a risk management program in place.
For example, questionnaires for high-risk vendors should ask:
- Does your organization adhere to a cybersecurity framework such as NIST CSF?
- Are you fully compliant with regulations that set standards for working with your organization’s data (i.e., GDPR, HIPAA, CCPA)?
- Does your organization have a history of suffering data breaches?
- Have you paid monetary penalties due to non-compliance?
- What is your reliance on 4th and nth parties?
- Has your organization been audited by a third party to ensure compliance with regulatory requirements?
- Are there laws in this organization’s country that require them to disclose data or other important information?
When Should You Conduct a Third-Party Risk Assessment?
Evaluating vendor risk should be a continuous process in your organization. It should be an essential component of due diligence before onboarding and giving the vendor access to your data and files. It should also be conducted at various points to ensure compliance with service-level agreements, and during the offboarding process to verify that access to data has been terminated. Risk assessments should also be conducted after any significant change to your organization’s ecosystem.
After a data breach, authorities will want to see documentation of your third-party risk management program, which includes a risk assessment Your organization’s risk assessment may also help point to the various factors contributing to the breach.
What are the Vendor Risk Criteria for Vendor Risk Assessments?
Before you conduct a third-party assessment, you’ll need to establish different risk criteria to determine the scope of the supplier risk assessment and the techniques used. The vendor risk criteria will help you to be more careful in your selection of supplier relationships and business partners.
The first step in establishing vendor risk criteria is through classifying vendors according to their risk. Next, you’ll want to evaluate the current third-party onboarding process in your organization. This may include diagrams outlining the business relationships you have with your vendors. Finally, you’ll want to evaluate the success of your current risk management program through risk assessment metrics such as Key Risk Indicators (KRIs) that measure the performance of the risk management process.
The main types of KRIs in the risk assessment process include:
- Number of third-party risks identified. What are the cybersecurity threats and vulnerabilities in your network, system and other areas of your organization? (You can calculate a success metric by comparing this number to the number of risks monitored and then the number mitigated).
- Number of risks that occurred. Not all vulnerabilities can be fixed and not all risks become security issues.
- Percentage of risks monitored. Only when your organization is able to monitor all risks, can it identify those that threaten your supply chain.
- Percentage of risks mitigated. This metric is critical for understanding how efficient your third-party risk management and improving it to eliminate prioritized risks.
Why Do You Need a Third-Party Risk Assessment?
According to a recent Deloitte survey, while organizations faced challenges managing third-party risk prior to COVID-19, the pandemic has shown just how ill-prepared organizations really were for a disruption of this magnitude. Now more than ever, performing third-party cyber risk assessments is paramount.
Here are four reasons why you should be performing third-party risk assessments.
1. Get to know your vendors’ cybersecurity.
When you give vendors access to your systems, you are providing additional avenues for cybercriminals to find a way into your network. Therefore, you want to be sure that your vendors are taking cybersecurity as seriously as you are. Cyber risk assessments will help ascertain what security controls are currently in place, as well as how resilient they are should an attack occur. It is imperative to assess current vendors as well as new vendors that you’re looking to onboard.
2. Protect your business’s financial health.
To safeguard your business, you must be able to identify and anticipate risks and disasters before they happen. This applies not only to your own organization, but also to your vendors. If one of your vendors, especially a key vendor, is the victim of a security breach, it can have devastating and far-reaching effects on your business. The time and financial investment spent on protecting your assets is a worthwhile investment. The bottom line is that it is more economical to be proactive than to contend with the financial aftermath of a security breach.
3. Comply with requirements.
Globalization, along with the rise of regulations such as GDPR and CCPA, means organizations are tasked with examining their vendors’ adherence to these regulations. Marriot’s failure to do their due diligence during the acquisition of Starwood Hotels in 2016 made headlines worldwide. The hotel chain was fined over $120 million as a result of violating GDPR when a breach was discovered two years after the acquisition. Similarly, industry regulations such as NYDFS, PCI-DSS and HIPAA also include compulsory risk assessments as part of the compliance process.
4. Protect your company’s reputation.
Failure to adequately assess your vendors’ risk exposes you to reputational risks that could hurt your organization. Besides the obvious physical damage that a breach causes, the reputation of your company is at stake. Whether customers hear from you or from the headlines that their private information has been compromised, customer confidence is reduced and that loss may be irrevocable.
Clearly, performing a risk assessment is an integral step in evaluating the security posture of your vendors. But it’s not the only step. It is simply a snapshot of your vendors’ current security practices, meant to help you understand your vendors’ weaknesses. Next, you need to create a third-party security management program to manage vendor risks. This takes time and effort, especially when working with numerous vendors. The good news is that an end-to-end third-party security management platform such as Panorays can quickly, easily and thoroughly assess vendor cyber risk to your organization.
How Panorays Helps You Manage Third-Party Risk
Panorays helps expedite your third-party security management program through its automated platform. It is the only platform providing a rapid supplier Cyber Risk Rating that combines automated security questionnaire results with external attack surface evaluations while also considering the business context. Additionally, the platform ensures your vendors’ compliance with regulations and standards by continuously monitoring any security changes with your vendor.
Want to learn more about how you can implement the risk assessment process with potential vendors? Get started with a Free Account today to help build a streamlined third-party risk assessment process in your organization.
A third-party risk assessment identifies the potential risks presented by vendors or suppliers along the entire supply chain. These include operational, financial, reputational, security and cybersecurity risks. These assessments are implemented with standardized questionnaires sent to vendors to evaluate the procedures and processes they have to manage risk.
One example of a third-party risk posed by vendors is a data breach, which can reveal confidential information such as intellectual property (IP) and other trade secrets, personally identifiable information of customers, and operational data. The exposure of this information causes enormous damage to an organization in terms of time and resources, monetary fines, and reputational loss.
A third-party risk assessment is an essential part of any organization’s third-party risk management program. It helps evaluate risks posed to your entire supply chain through third-party vendors and services that can lead to reputational damage, monetary penalties, financial loss, and cost your organization time and resources. With a proper third-party risk assessment, however, your organization can either select vendors who pose less risk or remediate risk before entering into a business relationship with that vendor.
Third-party risk management, or TRPM, is a practice of evaluating and mitigating the risks involved with doing business with vendors and third parties along your supply chain. TRPM is done both before and during a vendor relationship.
This post was originally published on November 12, 2020, and has been updated to include fresh content.