Globalization and increasing regulatory pressure means more organizations need to examine their third-party vendors, service providers and supply chain in order to assess the level of risk, inform decisions and comply with laws.
Ignorance is no longer a valid defense.
Governments, boards of directors, senior management, shareholders, customers and regulators have heightened expectations for effective cybersecurity, particularly information security controls designed to prevent data breaches.
And effective third-party risk management (TPRM) is a large part of this.
Whether you are a financial services company relying on an information technology provider to manage your web onboarding, or a Fortune 500 company conducting business in multiple jurisdictions, you are at risk.
As organizations enter and operate in new markets, they are increasingly reliant on third-parties, many of whom operate far from headquarters, in different languages, who may or may not have the same information security policies in place.
To reduce this risk, regulators around the world are introducing new laws to make vendor risk management a regulatory requirement. This can include the management of sub-contracting and on-sourcing arrangements (fourth-party risk).
What is third-party risk management?
Third-party risk management is the process of analyzing and controlling risks associated with outsourcing to third-party vendors or service providers. Increasingly, the scope of vendor management extends to sub-contracting and on-sourcing arrangements to mitigate fourth-party risk.
This is particularly important for high-risk vendors who process sensitive data, intellectual property or other sensitive information.
This means due diligence is required to determine the overall suitability of third-parties for their given task and increasingly, whether they can keep information secure.
Due diligence is the investigative process by which a third-party is reviewed to determine if it's suitable. In addition to initial due diligence, vendors need to reviewed on a continuous basis over their lifecycle as new security risks are introduced over time.
The goal of any third-party risk management program is to reduce the following risks:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyber attack, data breach or other security incident. This risk is often mitigated by performing due diligence before onboarding new vendors and ongoing monitoring over the vendor lifecycle.
- Operational risk: The risk that a third-party will cause disruption to the business operations. This is generally managed through contractually bound service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to have a backup vendor in place to ensure business continuity. This is common practice for financial institutions.
- Legal, regulatory and compliance risk: The risk that a third-party will impact your organization's compliance with local legislation, regulation or agreements. This is particularly important for financial services, healthcare and government organizations as well as their business partners.
- Reputational risk: The risk arising from negative public opinion caused by a third-party. Dissatisfied customers, inappropriate interactions and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like Target's 2013 data breach.
- Financial risk: The risk that a third-party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
What makes a third-party risk management program successful?
Managing third-party risk is isn't new, but the level of risk the average organization takes on, is.
Cyber attacks are increasing in frequency, sophistication and impact, ith perpetrators continually refining their efforts to compromise systems, networks and information.
An accelerant to this trend is the increasing use of technology and third-party vendors at every organization to improve customer experience and drive operational efficiencies.
As a result, organizations are looking to build out processes and programs to manage third-party risk that are efficient, scalable and fit for their risk profile and regulatory requirements.
Many organizations are only at the beginning of developing processes to onboard new vendors and to put their existing vendors through a robust third-party risk assessment process.
An effective third-party risk management process will generally include the following elements:
- An inventory of all third-party relationships
- A catalog of all cybersecurity risks that vendors could expose your organization to
- Assessment and segmentation of all vendors by potential risks and plan to remediate risks that are above your organization's risk appetite
- A rule-based third-party risk management framework and minimal acceptable hurdle for the security posture of current and future third-parties, ideally a real-time security rating
- An established owner of third-party management plans and processes
- Three lines of defense including leadership, vendor management and internal audit
- The first line of defense – functions that own and manage risk
- The second line of defense – functions that oversee or specialize in risk management and compliance
- The third line of defense – functions that provide independent assurance, above all internal audit
- Established contingency plans for when a third-party is deemed high risk, unavailable or when a third-party data breach occurs
And will provide the following benefits:
- Allow you to address future risks in less time and with fewer resources
- Provide context for your organization and your vendors
- Ensure the reputation and quality of your products and services are not damaged
- Reduced costs
- Improved confidentiality, integrity and availability of your services
- Allow you to focus on your core business functions
- Drive operational and financial efficiencies
That said, even the best risk management practices are only as good as the people who follow them. Most third-party breaches are caused by a failure to enforce existing rules and protocols. You need to be transparent with your vendors about what you expect from them.
Ideally, security posture will be a contractual requirement.
What are the common problems third-party risk management programs have?
There are a number of common problems third-party risk management programs including:
- Resiliency: No assessment of business continuity or incident response planning in place
- Solvency monitoring: No assessment of third-party solvency or financial viability
- Security controls: Team does not have adequate visibility into their vendors' security controls
- Regulatory compliance: No measurement of whether third-parties are in compliance with your regulatory requirements
- AML-CTF and KYC: No contractual obligation to perform AML-CTF or KYC checks on customers, vendors or contractors
- Corporate social responsibility: No processes in place to ensure third-parties are protecting your organization's brand and CSR efforts
- Health and safety: Vendors have no health and safety controls in place, which may cause reputational damage for your organization
How to use security ratings to measure third-party risk
Security ratings or cybersecurity ratings are an increasingly popular way to measure third-party security postures in real-time.
They allow third-party risk management teams to perform due diligence on business partners, service providers and third-party vendors in minutes rather than weeks by instantly and objectively assessing their external security posture.
Security ratings are akin to credit ratings, in that they seek to measure the cybersecurity risk associated with an organization.
Like credit ratings agencies, security ratings providers are independent which means they are objective and use the same criteria to assess each company. That said, each security ratings provider will use different data to generate their ratings.
UpGuard is one of the most popular security ratings platforms. Our ratings are generated by proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate enterprise risk.
With UpGuard, an organization's security rating will range from 0 to 950 comprised of a weighted average of the risk ratings of all their domains.
The higher the rating, the better the organization's security.
The traditional methods are time-consuming, point-in-time, expensive and often rely on subjective assessments. Additionally, it can be hard to verify the claims a vendor makes about their information security controls.
By using security ratings in conjunction with existing risk management techniques, third-party risk management teams can have a objective, verifiable and always up-to-date information about a vendor's security controls.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
Additionally, many security leaders find security ratings, and the cybersecurity metrics they provide, invaluable for reporting to their board of directors, C-suite and increasingly, shareholders.
How UpGuard can help you scale your third-party risk management program
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security posture.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can help you continuously monitor your vendors' external security controls and provide an unbiased security rating.
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your own information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security ratings and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos and more.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.