To reduce the inexorable digital risks associated with vendor relationships, regulators globally are introducing new laws to make vendor risk management a regulatory requirement. This can include the management of sub-contracting and on-sourcing arrangements (fourth-party risk).
What is Third-Party Risk Management?
Third-party risk management is the process of analyzing and controlling risks associated with outsourcing to third-party vendors or service providers. Increasingly, the scope of vendor management extends to sub-contracting and on-sourcing arrangements to mitigate fourth-party risk.
This is particularly important for high-risk vendors who process sensitive data, intellectual property or other sensitive information.
This means due diligence is required to determine the overall suitability of third-parties for their given task and increasingly, whether they can keep information secure.
Due diligence is the investigative process by which a third-party is reviewed to determine if it's suitable. In addition to initial due diligence, vendors need to review on a continuous basis over their lifecycle as new security risks are introduced over time.
The goal of any third-party risk management program is to reduce the following risks:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyberattack, data breach or other security incidents. This risk is often mitigated by performing due diligence before onboarding new vendors and ongoing monitoring over the vendor lifecycle.
- Operational risk: The risk that a third-party will cause disruption to the business operations. This is generally managed through contractually bound service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to have a backup vendor in place to ensure business continuity. This is common practice for financial institutions.
- Legal, regulatory and compliance risk: The risk that a third-party will impact your organization's compliance with local legislation, regulation or agreements. This is particularly important for financial services, healthcare and government organizations as well as their business partners.
- Reputational risk: The risk arising from negative public opinion caused by a third-party. Dissatisfied customers, inappropriate interactions and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like Target's 2013 data breach.
- Financial risk: The risk that a third-party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
What Makes a Third-Party Risk Management Program Successful?
Managing third-party risk isn't new, but the level of risk the average organization takes on, is.
Cyber attacks are increasing in frequency, sophistication and impact, ith perpetrators continually refining their efforts to compromise systems, networks and information.
An accelerant to this trend is the increasing use of technology and third-party vendors at every organization to improve customer experience and drive operational efficiencies.
Many organizations are only at the beginning of developing processes to onboard new vendors and to put their existing vendors through a robust third-party risk assessment process.
An effective third-party risk management process will generally include the following elements:
- An inventory of all third-party relationships
- A catalog of all cybersecurity risks that vendors could expose your organization to
- Assessment and segmentation of all vendors by potential risks and plan to remediate risks that are above your organization's risk appetite
- A rule-based third-party risk management framework and minimal acceptable hurdle for the security posture of current and future third-parties, ideally a real-time security rating
- An established owner of third-party management plans and processes
- Three lines of defense including leadership, vendor management and internal audit
- The first line of defense – functions that own and manage risk
- The second line of defense – functions that oversee or specialize in risk management and compliance
- The third line of defense – functions that provide independent assurance, above all internal audit
- Established contingency plans for when a third-party is deemed high risk, unavailable or when a third-party data breach occurs
And will provide the following benefits:
- Allow you to address future risks in less time and with fewer resources
- Provide context for your organization and your vendors
- Ensure the reputation and quality of your products and services are not damaged
- Reduced costs
- Improved confidentiality, integrity and availability of your services
- Allow you to focus on your core business functions
- Drive operational and financial efficiencies
That said, even the best risk management practices are only as good as the people who follow them. Most third-party breaches are caused by a failure to enforce existing rules and protocols. You need to be transparent with your vendors about what you expect from them.
Ideally, security posture will be a contractual requirement.
What are the Common Problems Third-Party Risk Management Programs Have?
There are a number of common problems third-party risk management programs including:
- Resiliency: No assessment of business continuity or incident response planning in place
- Solvency monitoring: No assessment of third-party solvency or financial viability
- Security controls: Team does not have adequate visibility into their vendors' security controls
- Regulatory compliance: No measurement of whether third-parties are in compliance with your regulatory requirements
- AML-CTF and KYC: No contractual obligation to perform AML-CTF or KYC checks on customers, vendors or contractors
- Corporate social responsibility: No processes in place to ensure third-parties are protecting your organization's brand and CSR efforts
- Health and safety: Vendors have no health and safety controls in place, which may cause reputational damage for your organization
How to Use Security Ratings to Measure Third-Party Risk
Security ratings or cybersecurity ratings are an increasingly popular way to measure third-party security postures in real-time. They allow third-party risk management teams to perform due diligence on business partners, service providers and third-party vendors in minutes rather than weeks by instantly and objectively assessing their external security posture.
Security ratings are akin to credit ratings, in that they seek to measure the cybersecurity risk associated with an organization. Like credit ratings agencies, security ratings providers are independent which means they are objective and use the same criteria to assess each company. That said, each security ratings provider will use different data to generate their ratings.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
Additionally, many security leaders find security ratings, and the cybersecurity metrics they provide, invaluable for reporting to their board of directors, C-suite, and shareholders.
How UpGuard Helps Businesses Scale and Manage Their Third-Party Risk Management Programs
UpGuard is one of the most popular security ratings platforms. Our ratings are generated by proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate enterprise risk. With UpGuard, an organization's security rating will range from 0 to 950 comprised of a weighted average of the risk ratings of all their domains.
The higher the rating, the better the organization's security. Security ratings fill a large gap that is left by traditional risk assessment methodologies like penetration testing and on-site visits. The traditional methods are time-consuming, point-in-time, expensive and often rely on subjective assessments. Additionally, it can be hard to verify the claims a vendor makes about their information security controls.
By using security ratings in conjunction with existing risk management techniques, third-party risk management teams can have a objective, verifiable and always up-to-date information about a vendor's security controls.