For many businesses, global third-party vendors have become an important source of strategic advantage and business value. Yet outsourcing is not without its risks. As reliance on third-parties continues to grow, so does the number of headline stories of regulatory action and reputational damage that arise from third-party breaches or failure.
Those driving organizations need to reconsider how they approach, identify and manage third-party risk.
Financial services organizations in or operating in the United States must have a strong focus on third-party risk management due to the increasing regulatory focus and complexity of relationships with foreign and domestic third-parties. Outside of the United States, countries like Australia have a strong focus on third and fourth-party vendor management in financial services via APRA's Prudential Standards, too.
Third-party providers can provide great strategic advantages to your organization and the best businesses are utilizing vendors heavily, by focusing on what they do best and outsourcing the rest. But these same third-party relationships present cyber security risk when not managed well.
As organizations grow in size and complexity, the ability to manage third-party relationships becomes ever more critical to success. Organizations that struggle to expand their third-party ecosystem, for fear of the risks it can create, will be disrupted by organizations who can confidently identify and manage risk.
Whether or not it's a regulatory requirement, every organization should mitigate digital risks by instituting a third-party, and even fourth-party, management plan in their security risk management processes.
Learn how UpGuard simplifies Vendor Risk Management >
What is Third-Party Risk Management (TPRM)?
Third-party risk management (TPRM) is the process of analyzing and controlling risks associated with outsourcing to third-party vendors or service providers. This could include access to your organization's intellectual property, data, operations, finances, customer information or other sensitive information.
This means due diligence is required to determine the overall suitability of a third-party for a given task and increasing whether they can keep the information secure.
Due diligence is the investigative process by which a third-party is reviewed to determine if it's suitable for a given task. Due diligence is an ongoing process including review, monitoring and management communication over the entire vendor lifecycle.
The goal of any third-party risk management program is to reduce the likelihood of data breaches, costly operational failures, vendor bankruptcy and to meet regulatory requirements. Managing third-party risk is nothing new, but the level of risk that is being taken on is.
Organizations are now facing risks such as the threat of high profile business failure, illegal third-party actions being attributed to the organization, or regulatory enforcement for actions taken by third-parties.
Learn how to communicate third-party risk to the Board >
Why You Do I Need a Third-Party Risk Management Framework?
It is critical organizations have a robust, mature third-party risk management program that encompasses all aspects of risk and all stages of the lifecycle that a third-party relationship can transition through from initial due diligence to business continuity.
It is not enough to have a myopic focus on operational risk factors like performance, quality standards, delivery times, KPIs and SLA measurement. Increasingly, reputational and financial risks are more important. Such as labour practices, information risk management, financial health.
Legal and regulatory requirements should also be understood. Such as compliance with bribery regulations, awareness of global industry standards as they apply to third-parties, as well as environmental and health and safety compliance.
Senior management must understand the high risk their organization is exposed to from cyber security attacks and data breaches from their organization and their third and fourth-party service providers. Regardless of your organization's risk profile, establishing a third-party risk management process is a critical part of internal audit and reducing risk exposure.
The risk assessment process should be part of your organization's internal controls and include supply chain and other third-party risk assessments.
Third-parties include your vendors, suppliers, business channels, marketing partners, payroll providers, and anything else that could cause financial, regulatory compliance, or reputational damage if breached.
Learn why third-party risk management is important >
How Do I Select a Third-Party Risk Management Framework?
Your choice of a third-party risk management framework should be based on your organization's regulatory requirements, acceptable level of risk, use of third-parties, business processes, joint ventures, compliance requirements and overall enterprise risk management strategy.
Organizations are now leveraging third-parties directly in their supply chain, as well as auxiliary services like sales, distribution and support. The increasing use of technology, like cloud and cloud-based applications, is further accelerating the trend toward outsourcing and increasing associated risks.
Further, the value of the tasks being executed by third-parties is increasing, increasing the impact of disruption or failure of third-party vendors.
Third-party risk is a feature on board agendas with CEO/board-level responsibility in many organizations especially those operating in regulated environments. Visits to third-party locations are becoming more common to gain assurance over third-party management.
As businesses become more decentralized, there is increasing need for consistent third-party governance frameworks. Best-in-class organizations are leveraging third-parties extensively while effectively managing the risks associated.
How to Implement TPRM into your Existing Security Framework >
Is My Business Liable For Third-Party Breaches?
If you work in the financial services industry, the short answer is yes.
In the United States, the Office of the Comptroller of the Currency (OCC) wrote in its risk management guidance:
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
Along with the OCC, the Federal Reserve System (FRS) and the Federal Deposit Insurance Corporation (FDIC) have statutory authority to supervise third-party service providers in contractual agreements with regulated financial institutions.
In the Supervision of Technology Service Providers booklet from FFIEC, it is highlighted that the use of third-party providers "does not diminish the responsibility of the...board of directors and management to ensure that activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institutions were to perform the activities in-house."
If you're in Australia and regulated by APRA, read our post on APRA CPS 234: Information Security Prudential Standard.
Is My Organization Liable For Third-Party Breaches if We are Not in Financial Services?
Even if you're outside the United States and not a financial services provider, if you have an office or customers in the United States, you could still be liable for third-party providers.
A non-US headquartered multinational company, with interests in electricity generation and transmission as well as rail transport, was fined US$ 772 million in December 2014 for engaging in conduct in violation of the Foreign Corrupt Practices Act (FCPA). This has mainly resulted from the inappropriate conduct of third parties and ineffective due diligence and corporate controls over such third parties.
Remember, even if your business does not have financial or regulatory responsibility for third-party breaches or failures, they can still do massive reputational damage that leads to financial loss and more importantly, loss of customer trust and data.
What are the Best Practices for a Third-Party Risk Management Framework?
Both the National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) have popular risk management frameworks that can be used together in the assessment process of any third-party risk management program.
In general, best practices for any risk management framework are to:
- Take inventory of all third-party vendors your organization has a relationship with
- Catalog cybersecurity risks that the counterparties can expose your organization to
- Assess and segment vendors by potential risks and mitigate risks that are above your organization's risk appetite
- Develop a rule-based system to assess future vendors and set a minimum acceptable hurdle for the quality of any future third-parties in real-time by reviewing data security and independent reviews
- Establish an owner of vendor risk management and all other third-party risk management practices
- Define three lines of defense including leadership, vendor management and internal audit
- The first line of defense – functions that own and manage risk
- The second line of defense – functions that oversee or specialize in risk management and compliance
- The third line of defense – functions that provide independent assurance, above all internal audit
- Establish contingency plans for when a third-party is deemed below quality or a data breach occurs
Establishing a third-party risk management framework means the financial and reputational damage to your organization will be minimize if a third-party data breach does occur. Data breaches can have massive impacts on your customers, employees and the position of your organization in the market.
Properly managing cyber security reduces the impact and cost of risk management without impacting the overall productivity and ability to onboard third-parties to an organization.
Third-party risk management frameworks provide your organization with shared standards for decision-making, minimizing the hassle and time it takes to manage third-party vendor risk. Ultimately saving your organization money and more importantly, its reputation and relationship with its customers.
