With 75% of executives stating that they’ve experienced a third-party incident in the last three years, it should be no surprise that 85% of senior management are placing third-party risk management as a strategic priority this year. Although they are essential for the operation of most organizations today, third parties also pose significant potential risks in terms of compliance, security, business continuity and brand reputation. In a world of increasing cybersecurity threats to organizations in all industries, third-party risk management helps organizations effectively evaluate and manage these risks.
What is Third-Party Risk Management?
Third-party risk management (TPRM) is a type of risk management that involves identifying and mitigating operational risks related to third-party relationships. It is also known as vendor risk management. A third party is defined as any vendor, partner, subsidiary, external contractor or other entity that delivers a good or service to your business. This could be delivered either through software or as a physical service. Since these third parties are a part of your business ecosystem, risks in their organizations pose a risk to yours, and effective third-party risk management takes into account that these risks extend far beyond the scope of cybersecurity risks.
Not all vendors pose a risk to your organization, nor do all third parties pose the same risk. Third-party risk management is also an effective method for prioritizing your vendor relationships and understanding which ones pose a low, medium, high or critical risk to your organization. In many cases, this is an automated process that includes monitoring third parties, sending alerts, calculating inherent risk, and determining when third-party risk assessments need to be re-evaluated.
Why Do You Need a Third-Party Risk Management Process?
By implementing a formal third-party risk management process, you can evaluate the risks associated with third-party relationships. A proper TPRM process has buy-in from senior management across the procurement, risk and compliance departments as well as marketing, sales and the C-suite. It is especially important to involve procurement early in the process because it helps minimize risk during due diligence. Evaluation of risk at this point is essential in determining whether or not the organization should onboard a customer or enter into a new business relationship with a supplier.
A third-party risk management process also mitigates risk by ensuring that your organization maintains compliance requirements, operates at the highest level possible, strengthens your supply chain security, protects user data and other confidential company information and has a strategy in place in the event of a cybersecurity incident or disruption to operations. In addition, a streamlined process for enterprise risk management helps you make informed decisions and reduce vendor risks to an acceptable level.
What are the Most Common Third-Party Risks?
Risk management technology can help your organization both consolidate vendor information and conduct an ongoing third-party risk assessment of all your vendors to help identify risk factors and evaluate each vendor’s inherent risk. Often, the technology determines the risk according to risk scores. After identifying the risk level that each vendor poses, a risk reduction strategy can be put into place according to your organization’s risk tolerance.
Third-party risks include:
- Cybersecurity risk. A data breach, phishing, DDoS, social engineering or ransomware attack from a third party can cost your organization in time and resources, halt or disrupt operations and significantly impact its reputation.
- Operational risk. If a third party provides a critical component of your system and is disrupted due to a natural disaster, political conflict or cybersecurity attack, it also poses a critical risk to your business continuity.
- Financial risk. If a supply chain is poorly managed, it can create financial risk for a third party that is unable to properly evaluate which of the products it offers are in high demand and which are not.
- Strategic risk. Market changes, new acquisitions or mergers, and changing expectations of customers can make it difficult for all parties in the supply chain to align on business strategy.
- Compliance risk. Compliance requirements depend on the industry (e.g. HIPAA and PCI DSS), your company’s location, and your customer’s location (e.g. GDPR, CCPA, EBA).
- Geopolitical risk. For example, political tensions can make it difficult to continue a business relationship with a supplier or vendor. Political instability can motivate companies to look for a vendor in another location.
Who is Responsible for Third-Party Risk Management?
Traditionally, third-party risk management has been the responsibility of the procurement or risk and compliance teams. For example, at one time a banking system had limited interaction with third parties. Perhaps a consultant would come in to evaluate specific programs or procedures, or a lawyer might examine internal processes to determine any legal risk. Integration was limited to networks such as SWIFT, an international system for exchanging monetary transactions, which would integrate into the banking system. As software systems became more interdependent, however, each bank evolved into a complex layering of third-, fourth- and even fifth-party systems.
As a result, a dedicated third-party risk professional today is an essential part of the third-party risk management process, particularly in the banking and finance industries. This person is responsible for assessing and managing the third-party risks for an organization, which includes a wide range of responsibilities such as collecting information from third parties, assessing their ability to manage compliance, prioritizing third-party risks, creating and sending questionnaires to these third parties, and overseeing legal contracts such as SLAs to mitigate any legal risks to the organization.
Why is Third-Party Risk Management Important?
Although third-party risk has been an issue for years, recent events and increased outsourcing have brought the discipline to the forefront like never before. Disruptive events can affect businesses and their partners – regardless of the size, type, or industry. Cybersecurity incidents are common when working with third-party providers. In fact, more than half of the breaches over the past two years have been caused by a third party, rather than by the company itself.
Not only do these attacks impact an organization’s operations and reputation, but they are also becoming increasingly expensive. The average cost of a data breach rose to $4.45 million this year, a 15% increase over the last three years. In the healthcare industry, costs have hit $11 million, an increase of 53% from 2020.
What is the Third-Party Risk Management Lifecycle?
The third-party risk management lifecycle is a process that organizations use to identify, assess, and mitigate risks posed by third-party relationships. The vendor lifecycle is an ongoing process that should be revisited on a regular basis. As third-party relationships change and new risks emerge, the risk management plan should be updated to reflect these changes.
A typical relationship with a third party involves a series of stages such as the ones outlined below.
4 Key Steps to Your Third-Party Risk Management Process
A comprehensive third-party risk management process will gather information about your third parties and your relationship with them to understand the context of the risk and have enough visibility to identify all of the third parties in your supply chain. This is particularly important in the early stages of deciding whether or not to enter into a business relationship with a vendor. Initial due diligence can help your organization better evaluate third-party risk and either mitigate the risk or decide not to pursue a business relationship with that vendor. A TPRM program also helps your organization maintain compliance.
As there are significant advantages, many organizations have a third-party risk management program that conducts ongoing vendor inventory to evaluate critical risks to their organization. A vendor inventory lists the types of vendors, the business relationship with your organization, their access to your systems and data and the type of data that they process.
Here are four key steps that should be part of your process for assessing your third parties’ compliance posture:
1. Mapping your vendors according to inherent risks
The first step is to make sure you have a complete list of every vendor that supports your organization. Profile each vendor, grouping them with similar vendors. List what service they provide, the criticality of that service, the types of data they are handling, whether and how much they handle sensitive data and the internal contact managing the vendor. This will help you determine which questionnaires to send out to your vendors, according to your regulatory requirements and risk appetite.
2. Sending questionnaires and receiving evidence
Completing security questionnaires is a lengthy process that often involves multiple team members on the vendor side. It is not uncommon for vendors to have questions or need clarifications about the questionnaire, so be prepared for some back-and-forth communication between you and your vendors during this process.
The vendor is then required to respond to the questionnaire by providing relevant evidence corresponding to each control. It is imperative that you provide a timeline for completing the questionnaire and that it is returned in a timely manner. Remember, your organization’s security posture, as well as regulatory compliance, is dependent on the security of your vendors.
3. Assessing your vendors’ attack surface
At the same time that you send questionnaires, it’s important to perform vendor risk assessments of your vendors’ public-facing digital footprints to unveil their assets and any possible cyber gaps. Such an assessment can also serve to verify answers to the questionnaire.
An attack surface analysis should examine at least three layers:
- IT and network: Parameters involving DNS servers, SSL-related protocols, etc.
- Applications: Parameters involving Web applications, domain hijacking, etc.
- Human: Parameters involving social posture, presence of dedicated security team, etc.
4. Monitoring continuously
Hackers are constantly using new and advanced methods to exploit new vulnerabilities and engage in cyberattacks. In addition, suppliers frequently add new assets and software and may also change or update their internal policies. All of these can result in new cyber gaps.
For these reasons, it’s important to implement continuous monitoring of vendors throughout the business relationship to uncover issues, detect suspicious activity and stay updated about security policy changes. With continuous monitoring, your organization can take a more proactive approach, since it receives data about the cyber landscape in real time.
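The following is an added example, not Panorays’ product logic or code from the original article, showing how the inventory attributes recorded in step 1 can drive the automated inherent-risk calculation, questionnaire selection and reassessment scheduling the article describes, and how step 4’s continuous monitoring can flag vendors whose reassessment is overdue. The weights, tier cut-offs, questionnaire sets, cadences and the sample vendors are all constructed assumptions.

```python
"""Added example: inherent-risk tiering and reassessment scheduling for a vendor inventory.
All weights, thresholds, policies and sample vendors below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed weights for the attributes step 1 asks you to record per vendor.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
DATA_TYPES = {"public": 0, "internal": 1, "pii": 3, "phi": 4, "cardholder": 4}
ACCESS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Tier -> (questionnaire set to send, reassessment cadence in days); assumed policy.
TIER_POLICY = {
    "low": (["baseline"], 365),
    "medium": (["baseline", "security"], 365),
    "high": (["baseline", "security", "privacy"], 180),
    "critical": (["baseline", "security", "privacy", "bcp"], 90),
}

@dataclass
class Vendor:
    name: str
    service_criticality: str   # "low" | "medium" | "high"
    data_types: list           # keys of DATA_TYPES the vendor handles
    system_access: str         # keys of ACCESS
    last_assessed: date

def inherent_risk_score(v: Vendor) -> int:
    """Criticality scaled by the most sensitive data handled plus the access granted."""
    most_sensitive = max((DATA_TYPES[d] for d in v.data_types), default=0)
    return CRITICALITY[v.service_criticality] * (1 + most_sensitive + ACCESS[v.system_access])

def risk_tier(score: int) -> str:
    """Map a score to the low/medium/high/critical tiers; cut-offs are assumed."""
    if score >= 18:
        return "critical"
    if score >= 10:
        return "high"
    return "medium" if score >= 4 else "low"

def plan(v: Vendor, today: date) -> dict:
    """Questionnaires to send and the date by which the vendor must be reassessed."""
    tier = risk_tier(inherent_risk_score(v))
    questionnaires, cadence = TIER_POLICY[tier]
    due = v.last_assessed + timedelta(days=cadence)
    return {"vendor": v.name, "tier": tier, "questionnaires": questionnaires,
            "reassess_by": due, "overdue": today > due}

def overdue_vendors(vendors: list, today: date) -> list:
    """Continuous-monitoring check: vendors whose reassessment window has lapsed."""
    return [p["vendor"] for p in (plan(v, today) for v in vendors) if p["overdue"]]

AS_OF = date(2023, 10, 1)  # constructed "today" so the output is reproducible
INVENTORY = [  # constructed sample inventory
    Vendor("PayrollCo", "high", ["pii"], "write", date(2023, 1, 15)),
    Vendor("CateringCo", "low", ["internal"], "none", date(2023, 6, 1)),
    Vendor("CloudHostCo", "high", ["phi", "pii"], "admin", date(2023, 9, 1)),
]
```

Running `overdue_vendors(INVENTORY, AS_OF)` on the sample inventory flags only PayrollCo, whose critical-tier 90-day window from January has lapsed by October.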
How Panorays Helps Manage Third-Party Relationships
Vendor security risk management is a necessary process, but not a simple one. In fact, it could be long, tedious and frustrating when working with tens, if not hundreds or thousands of third parties to determine which ones pose a risk to your organization and the level of risk that each presents.
With Panorays, you can expedite the management of the third-party vendor risk process by gaining visibility into your vendors’ attack surface. Each vendor receives a Cyber Rating by collecting information about any exposed assets or lack of security best practices. Its automated and contextualized questionnaires only gather information relevant to each vendor relationship, such as their ability to meet specific types of compliance or regulations. The insight gained from such deep and wide analysis of your third-party ecosystem enables you to stay one step ahead of real-time events and proactively respond to cyber events with effective third-party risk management.
1. Mapping your vendors according to inherent risks. Categorize each vendor with similar types of vendors. Understand their services, how critical their services are, the type of data they handle and if the data is sensitive or not. This assists you in customizing questionnaires accordingly.
2. Sending questionnaires and receiving evidence. Acknowledge that questions from the vendor and your communication with them take time. At the same time, however, the vendor questionnaire should have a timeline for completion by both you and the vendor.
3. Assessing your vendors’ attack surface. This includes parameters involving your IT and network (e.g. DNS servers), your applications (e.g. domain hijacking) and human parameters such as the presence of a security team.
4. Monitoring continuously. Adding new software, suppliers, and constantly changing regulations means a risk of cyber gaps at any point in the vendor relationship. Ongoing monitoring keeps you up to date on any new security risks posed to your organization.
An example of third-party risk posed to your organization is a vendor’s inability to meet compliance. If a vendor is in the healthcare industry and does not have proper privacy controls in place, your organization would be held responsible in the event of non-compliance. As a result of non-compliance from this vendor, your organization is at risk of suffering from a data breach or other data security incident.
You can mitigate a risk that a third party cannot or is unwilling to fix by applying your own internal compensating security controls to the vendor relationship. For example, your organization might decide to mitigate risk by limiting the number of records it shares with a particular vendor to 5,000 instead of 10,000 until the vendor has more effective privacy controls in place. Or it might decide that external contractors can only enter the building after receiving a guest badge. Both of these measures help to mitigate third-party risk.
Third-party risk management is important because third-party risks have increased as organizations rely more and more on third parties for their operations and business growth. Recent supply chain attacks such as the MOVEit and Applied Materials attacks have highlighted the need to apply resources to TPRM. In addition, as these cybersecurity attacks increase in size, scope and cost to organizations, they pose a greater threat to organizations’ reputation, operations, revenue and growth.