According to Deloitte, last year 62% of global leaders identified cyber information and security risk as the top third-party risk. At the same time, almost half (42%) of leaders believe that their third parties play a more important role in driving revenue than they did three years ago. That places a tremendous amount of responsibility on third-party risk and security teams to identify, manage and mitigate the risks of integrating these third parties into their IT environment.
As we approach the new year, organizations will rely on third parties even more, and cyber information and security risks will expand with them. With this in mind, what can leaders in third-party risk and security do to improve their third-party risk management in 2024?
What is Third-Party Risk Management (TPRM)?
Third-party risk management (TPRM) is the process an organization implements to manage risks that are a result of business relationships with third parties that are integrated into their IT environment and infrastructure. These risks can be operational, cybersecurity, regulatory, financial and reputational. According to a survey from Cyber Risk Alliance, the average organization uses 88 IT third parties (including software and service providers, partners, external contractors, agencies, suppliers and vendors), and larger organizations can rely on nearly twice as many (175) third parties.
What We Saw in TPRM in 2023
Before we address the future of third-party risk management, let’s take a quick look at a few of the trends we saw this past year.
- Increase in supply chain attacks and third-party breaches. We continued to see major digital supply chain attacks such as MOVEit and Citrix NetScaler, and third-party breaches such as Okta and Dollar Tree. Both types of attack emphasized the need for greater visibility, not only into an organization’s own third-party ecosystem but also into identifying and mapping its fourth, fifth and n-th parties.
- Third parties can be easier to exploit than the organization itself, giving cybercriminals a better opportunity. Enterprise-level companies often have the budget and resources to spend on security solutions that mitigate low-cost, common attacks such as phishing, email-borne threats, social engineering and Man-in-the-Middle (MITM) attacks. Their third parties may not have these types of security controls in place, which is why advanced third-party risk management platforms are necessary to defend against attacks that arrive through them.
- Understanding the criticality of your third parties and the sensitivity of the data shared with them is crucial to mitigating third-party risk. As supply chains grow in complexity and the number of third-party risks increases, organizations must determine the importance of each vendor to their business. They can then monitor those vendors regularly and communicate with the third party at the head of the supply chain to remediate threats or vulnerabilities as they are identified.
Trends in TPRM We Should Expect in 2024
Now that we’ve reviewed the TPRM trends of the past year, what are the TPRM security risks we should be aware of in 2024? Here are a few of the trends that third-party risk and security teams will need to stay on top of, and learn to communicate in terms of how they impact the company’s business goals.
1. Increasing use of artificial intelligence (AI)
We will see artificial intelligence continue to be a double-edged sword for security in 2024. On the one hand, AI-powered third-party risk platforms can help organizations scale their third-party management by improving the accuracy of risk assessments. For example, AI can accelerate the completion and evaluation of cybersecurity questionnaires by generating answers from similar past questionnaires and validating those answers by cross-referencing them with vendor documents. AI can also be used to map the digital supply chain and identify the KEVs, CVEs and other vulnerabilities relevant to each party, so that organizations can prioritize and remediate risk more efficiently.
At the same time, however, AI continues to pose security risks to organizations when it is used by their third parties.
These risks include:
- Data privacy and control. Training models on customers’ personal information, source code and intellectual property (IP) risks leaking that information. Biased data samples, misinformation and “hallucinations” produce inaccurate responses that hurt an organization’s reputation and damage user trust. Forrester predicts that in 2024, a third-party application will be fined for compromising the personal data of its customers. Companies integrating these third-party applications should consider how the applications’ combined lack of resources and of knowledge about mitigating risks makes them attractive targets for attackers.
- Security. Polymorphic attacks can be used to send convincing, well-written phishing emails to customers at scale, changing the text just enough to evade phishing detectors. Other techniques, such as prompt engineering and indirect injection via training data, direct an AI to act maliciously. For example, users can craft prompts that direct an AI to reveal sensitive information, generate misinformation or produce code that can be used to launch a cyberattack. Indirect injection can embed malicious instructions or data in sources the AI ingests, or insert malicious content into the training data itself.
- Supply chain risks. As suppliers adopt AI too, often even faster than your own organization, attack surfaces expand without the organization being aware of the third, fourth, fifth and n-th parties in its expanded digital supply chain, the risks they pose, or the criticality of each business relationship. This makes it increasingly challenging to meet the compliance requirements and regulations related to third-party risk management.
2. Emphasis on cloud-first strategies
As companies rush to digitally transform their businesses and their attack surface grows, they lose the control they used to have when these applications were on-premises. This is particularly true of their data security. Many cloud infrastructure providers, such as AWS, operate on a shared responsibility model: Amazon takes responsibility for the physical security of its infrastructure, but responsibility for software updates, configuration and data security remains with the SaaS providers hosting on AWS. When a company outsources payments to a SaaS payment service, for example, and that service uses a cloud provider such as AWS to host the company’s data, the company can’t make any assumptions about the security practices the SaaS service has in place to protect itself against data breaches or other types of attacks.
Take the case of the Uber breach in 2015, which exposed the names and driver’s license numbers of 50,000 Uber drivers via its third party, GitHub. The breach occurred because a user was able to access the GitHub password and user credentials stored in the public application, due to a misconfiguration of the AWS bundle, a security setting of the hosting package. In other words, Uber was responsible for its data security, but the data was hosted on AWS through its third party, GitHub, which it relied on to configure properly. Although best-practice controls such as the Principle of Least Privilege (PoLP) and network segmentation can help break the attack chain for these types of attacks, mistakes still can and do occur.
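The Uber case above turns on cloud credentials ending up in a public code repository. One defensive control a team can run on its own (and ask its third parties to run) is a secret scan over every proposed change before it is pushed. The following is an added example written for this post, not Panorays’ code or Uber’s tooling; the diff and the credential values are constructed placeholders (the AWS ones are the documentation examples), and the regular expressions are assumed formats to be tuned for your own providers.

```python
import re

# Constructed sample diff. The key values are the well-known AWS documentation
# placeholders and a made-up token; none are real credentials.
SAMPLE_DIFF = """diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-GITHUB_TOKEN = "ghp_" + "x" * 36
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
"""

# Credential formats to flag (assumed patterns; extend for other providers).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?(?P<v>[A-Za-z0-9/+=]{40})"),
    "github_token": re.compile(r"\b(?P<v>ghp_[A-Za-z0-9]{36})\b"),
}

def redact(value):
    # Keep only a short prefix so the scan report never re-leaks the secret.
    return value[:4] + "*" * (len(value) - 4)

def scan_added_lines(diff):
    # Return (diff_line_no, pattern_name, redacted_value) for every added line
    # that contains a credential-shaped string. Removed lines are ignored.
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group("v") if "v" in m.groupdict() else m.group(0)
                findings.append((lineno, name, redact(value)))
    return findings

def has_secrets(diff):
    # Gate for a pre-commit or CI step: block the push when anything is found.
    return bool(scan_added_lines(diff))

if __name__ == "__main__":
    for lineno, name, shown in scan_added_lines(SAMPLE_DIFF):
        print(f"line {lineno}: {name}: {shown}")
```

Fed the output of git diff on a pre-commit hook, has_secrets returning True is the signal to refuse the commit and rotate whatever was pasted.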
3. Increased regulatory focus on the cyber risks posed by outsourcing to third parties
As a result of increasing reliance on AI and migration to cloud services, organizations must embrace accelerated governance while at the same time accepting greater accountability. In the past few years, global regulators have begun drafting complex regulations that specifically deal with the security risks posed by outsourcing to third parties.
- DORA. The Digital Operational Resilience Act (DORA) was developed with the goal of regulating financial institutions in the EU to improve their cybersecurity resilience. This includes adopting Information and Communications Technology (ICT) security provisions such as mapping of third-party assets, evaluation of third-party criticality, and having a mitigation and remediation plan to deal with vulnerabilities as they occur.
- NYDFS. The New York Department of Financial Services (NYDFS) regulation is aimed at protecting the non-public sensitive information of financial institutions that conduct business with New Yorkers. It specifies guidelines for ensuring that data shared with third parties remains secure, including periodic risk assessments, the use of multi-factor authentication (MFA), encryption, and notification of any cyber incidents or data leaks.
- NIS2 Directive. This EU regulation covers a broader range of organizations and industries than DORA. It outlines the types of security incidents that must be reported, including unauthorized access to services, data breaches and DDoS attacks. It also emphasizes the importance of proactive risk management, including third-party and digital supply chain risk assessments.
In 2024, we will see standards and regulations related to TPRM accelerate. AI-related regulation has only just started to develop, however.
This past year we saw:
- AI Act. The European regulation is the first to impose limits on AI technology, banning certain applications such as facial recognition in general and emotion recognition at work or at school. It also holds companies responsible for any damage caused by the new technology.
- Executive Order on AI. These guidelines aim to protect U.S. citizens against the risks of AI by requiring greater transparency about how models work and by establishing a new set of standards. The overarching goal is to facilitate greater safety and security while encouraging responsible and ethical use.
How Panorays Helps You Manage Third-Party Risk
Panorays is an AI-powered third-party risk platform that maps, identifies and mitigates the risks that result from outsourcing to third parties, suppliers, external contractors, agencies, subsidiaries, partners and vendors.
Its cybersecurity questionnaires, combined with external attack surface assessments, deliver a 360-degree cyber rating of the security risks posed by third, fourth, fifth and n-th parties, your extended digital supply chain. The rating is calculated from your suppliers’ responses to questionnaires, which are completed with the help of AI on both the evaluator’s and the supplier’s side. On the supplier’s side, AI helps generate answers based on similar questionnaires completed in the past. On the evaluator’s side, AI helps assess the accuracy of those answers against vendor documents.
The questionnaires can also be easily customized to meet each company’s internal policies and multiple external regulations. Once any cyber gaps in your suppliers’ security posture are identified, the platform offers a customized, step-by-step remediation plan to address them according to your company’s specific risk appetite.
Want to learn more about how you can manage third-party risk across your extended attack surface? Sign up for a free demo today.
TPRM, or third-party risk management, is the process of identifying the risks you are exposed to by relying on third parties for your IT infrastructure and putting the proper controls in place to mitigate them. These risks can be operational, reputational, financial, regulatory and, of course, cybersecurity risks. TPRM is becoming a more important part of cybersecurity best practice as more organizations outsource their cloud services to third parties.
TPRM, or third-party risk management, is important because organizations today increasingly rely on third parties and integrate them into their IT environment and infrastructure. In addition, many regulations require organizations and their third parties to adhere to various industry regulations and standards. Since organizations do not control their third parties but are nevertheless bound by these regulations, TPRM requires creative solutions. Finally, the rapid adoption of AI by an organization’s third parties also poses several risks related to data security and control, cybersecurity and the supply chain.
A third-party risk management framework is a set of controls that manage the risk of integrating third parties into your IT environment and infrastructure. These frameworks introduce a process that includes risk identification, risk assessment and risk management of third parties, along with continuous monitoring, and ensure that the process meets the relevant industry regulations and standards.