A third-party vendor is any entity that your organization does business with.
This includes suppliers, manufacturers, service providers, business partners, affiliates, brokers, distributors, resellers and agents.
Vendors can be upstream (suppliers and vendors) and downstream (distributors and resellers), as well as non-contractual entities.
What Risks Do Third-Party Vendors Bring?
Third-party vendors, partners, contractors and consultants can bring needed expertise and services to your organization, but can often have access to internal systems and sensitive data. This means they can steal company data, change system configurations or sabotage critical infrastructure.
Even with no malicious intent, poor third-party vendor security represents a large security risk.
This is why governments around the world have introduced strict regulatory requirements that require a form of vendor risk management to ensure sensitive data and personally identifiable information (PII) is transferred, stored and processed in a way that protects information security.
Financial institutions, e.g. APRA CPS 234, and healthcare organizations, e.g. HIPAA, come under particular regulatory scrutiny.
Do I Need to Worry About Vendors Who Don't Work on Critical Business Activities?
Yes, third parties who don't conduct critical business activities can still represent significant third-party vendor risk. In some cases, cleaners can represent a larger third-party risk than a typical Software-as-a-Service (SaaS) provider.
This is because the cleaner may have access to the CEO's computer that stores information that could be the target of corporate espionage.
The role and size of the third-party is generally not as important as the nature of the vendor relationship, the criticality of its activities, the level of access it has to sensitive data or property and your organization's accountability for its inappropriate actions.
This is why a cleaner could introduce more cybersecurity risk than an outsourced business function.
The key takeaway is to understand your organization's security standards are only as good as your weakest third-party vendor's security practices.
What are Examples of Third-Parties?
Recall that a third-party vendor is anyone who provides a product or service to your organization including:
- Manufacturers and suppliers (everything from PCBs to groceries)
- Service providers, including cleaners, paper shredding, consultants and advisors
- Short- and long-term contractors. It's important to manage short- and long-term contractors to the same standard and to assess the information they have access to.
- Any external staff. Awareness of cyber risk can vary widely from one group of external staff to another.
- Contracts of any length can pose a risk to your organization, and the Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that go beyond specific time frames, so even the length of a contract can pose risk. In the IRS's eyes, a vendor working onsite with a company email address for longer than a specific period of time should be classified as an employee and receive benefits.
What is Vendor Risk Management?
Vendor risk management (VRM) or third-party management deals with the management and monitoring of risks resulting from third-party vendors and suppliers.
VRM programs are concerned with ensuring third-party products, IT vendors and service providers do not damage business continuity, data security or expose sensitive information like credit card numbers or personally identifiable information (PII).
The demand and need for vendor risk management has grown in recent years due to the introduction of laws like the EU General Data Protection Regulation (GDPR), as well as the fact that organizations are entrusting more of their business processes to third parties.
Vendor security must be a key part of your overall cybersecurity strategy.
It's not enough to focus on service-level agreements (SLAs) and disaster recovery in your third-party risk management program. You need real-time, ongoing monitoring to be a part of your third-party vendor management program.
Your information security policy needs to focus on both first and third-party security to minimize total cyber risk. Spend some time creating a third-party risk management framework and operationalizing it. Consider investing in automating vendor risk management.
Is My Business Liable For Third-Party Breaches?
It depends on your industry. In the United States, the Office of the Comptroller of the Currency (OCC) wrote in its risk management guidance:
A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.
Along with the OCC, the Federal Reserve System (FRS) and the Federal Deposit Insurance Corporation (FDIC) have statutory authority to supervise third-party service providers in contractual agreements with regulated financial institutions.
Even if you aren't legally liable, your customers expect you to protect their data and probably don't care that a data breach was the result of a third party.
The FFIEC's Supervision of Technology Service Providers booklet highlights that the use of third-party providers "does not diminish the responsibility of the...board of directors and management to ensure that activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institutions were to perform the activities in-house."
What are Fourth-Party Vendors?
A fourth-party vendor is a third-party vendor of your third-party vendor. In other words, it's a vendor you don't have direct contact with but that may still have an impact on your organization in the event of a data breach or data leak.
You need to understand four things about your fourth-party vendors:
- Who they are
- What products and services they provide to your vendor
- What level of due diligence your vendor has done on their vendors
- Their cybersecurity rating
This will allow your organization to better understand where risks may reside and how your sensitive data may be shared or stored in a fourth-party vendor's systems.
How Can I Get Information About My Fourth-Party Vendors?
Ask your third-party vendors to provide you with:
- Their vendor management policy
- A complete list of vendors who are processing your sensitive data
- Their most recent cybersecurity risk assessment of each of these vendors
- The fourth party's SOC 2 report
Best-in-class organizations that want to minimize third-party and fourth-party risk continuously monitor and score their third-party and fourth-party vendors and send security questionnaires throughout the lifecycle of the vendor relationship.
Even former third-party vendors can create risk to your organization. For example, TigerSwan’s former recruiting vendor left sensitive information publicly available in an S3 bucket until only recently. While the contract with the vendor was terminated in February 2017, thousands of resumes remained stored in the Amazon S3 subdomain “tigerswanresumes.”