6 steps for third-party cyber risk management

Many organizations transact with hundreds of third-party partners, according to EY’s Global Third-Party Risk Management Survey 2019-2020, a trend that PwC finds shows no sign of slowing, even as the risks increase. A recent survey by security vendor Anchore found that in the past 12 months, 64% of businesses were affected by a supply chain attack, and this year supplier attacks are expected to quadruple, according to the European Union Agency for Cybersecurity.

For sophisticated cybercriminals, the supplier ecosystem is an attractive vector to exploit, as an attack on one becomes an attack on many. There are several ways in which cybercriminals can leverage the supply chain, including compromising third party software updates (e.g., SolarWinds), stealing login credentials from third-parties (e.g., Target), or injecting malicious code into vulnerable applications or software (e.g., Magecart).

Third-party breaches can result in severe financial losses, downtime, loss of sensitive information, loss of reputation, breach of compliance, fines, and other legal liabilities. Third-party cyber risk management (TPCRM) is an organized approach of analyzing, controlling, monitoring and mitigating cyber risks associated with third-party vendors, suppliers, and service providers. A well-orchestrated TPCRM program can not only mitigate third-party cyber risks but also boost the ability to on-board, manage, and maintain third-party suppliers.

Here are the six key steps involved in creating a comprehensive TPCRM framework:

Identify vendors

If you don’t already have an inventory or a central repository of all your third-party vendors, it’s essential that you create one. Start with those that provide core/critical supplies and then move on to smaller vendors that provide support services. It’s important that every single vendor used by every single department is accounted for because just one, no matter its size, can put the entire organization at risk.

Determine risk potential

Classify vendors based on the inherent risk they pose to the organization (i.e., risk that doesn’t take into account existing mitigations). To do this, create a scoping questionnaire that can be completed by the employee who owns the vendor relationship to capture vital information regarding the service being offered, the location and level of data being accessed, stored or processed, and other factors that indicate what kind of security assessment may be needed.

Have vendors complete risk questionnaires

Every vendor presents a different level of risk. For example vendors that provide critical services usually have access to sensitive information and therefore pose a larger threat to the organization. This is where a vendor risk questionnaire comes in. You can develop your own or use one of the templates available online. In certain cases your organization may be required to comply with standards like SOC2 Type 2, ISO 27001, NIST SP 800-53, NIST CSF, PCI-DSS, CSA CCM, etc. It’s also important that your questionnaire covers questions related to such frameworks and compliance requirements.

Develop a security scorecard

Create a security scorecard or assign a risk rating to vendors based on their level of threat to the organization. You may use the guidelines below to develop a risk rating:

• High Risk: Deploy corrective actions immediately
• Medium Risk: Deploy corrective actions within a stipulated time period
• Low Risk: Accept the risk or create a mitigation plan in the longer term

Remember that high and medium risk vendors are those that handle critical operations or work with sensitive data; low risk vendors do not.

Address risks in order of priority

Upon completion of the assessment, management can decide on how they want to respond to each vendor independently. Implementing controls like encryption, multi-factor authentication, endpoint detection and response, security awareness training, etc., can help boost protection and mitigate cyber risks. It’s also important to address these risks by mentioning controls and requirements in your contracts with the vendor so that they understand your expectations clearly and act accordingly.

Monitor, optimize, strengthen, and streamline

Third-party risk is always evolving due to changes in services or scope or due to factors like supplier’s financial health, market conditions, or ability to deliver. Continuous monitoring at regular intervals is necessary to keep risks in check, safeguard customer information, meet regulatory requirements, and maintain overall health of the organization. Finally, risk must be monitored throughout the entire vendor lifecycle—from on-boarding to off-boarding.

Remember, TPCRM isn’t simply a security tactic, nor is it simply a compliance requirement, it’s a key cornerstone of a solid security foundation.