Watch: Establishing a Third-Party Risk Management Program

Date: March 24, 2022

Highlights of the March 23, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development

Third-party risk is on the rise: email and supply chain threats, the cost of third-party breaches, and breaches caused by a third party are all increasing.

How do your vendors rate?

Every organization should be able to answer that question and should set obligations its vendors have to meet via:

  • Contract
  • Security requirements
  • Privacy regulations at the state level, like the California Consumer Privacy Act, a landmark law that gives consumers the right to know what personal information a business collects about them and how it is used and shared, and the right to have it deleted.

Attack vectors

Ransomware is getting more dangerous; attackers are doing two relatively new things:

  • Exfiltrating data from your systems before they encrypt it, then threatening to post customer data on websites.
  • Getting into systems and attacking the backups so you can’t restore from them to avoid paying the ransom.

Code signing abuse – getting into a vendor’s systems long enough to make the certificate or credential check pass, so that you load malware believing it comes from a legitimate vendor.

Compromising open-source code – it is harder to get malware into open-source code than to abuse code signing.

Who’s responsible for vendor risk?

There is confusion about responsibility: just as there is a misconception that cybersecurity is IT’s responsibility alone, the same thing happens with vendor risk. It needs to be owned at the upper levels of management responsible for procurement and information security.

Third-party risk management steps

Discover:

  • Have a data classification process by sensitivity to know what types of data you have and what’s most important.
  • Know what vendors will do with your data, what type of data, and their access.
  • You need a framework to evaluate vendor access objectively, including the controls vendors should have in place based on the kind of information they access.

Analyze:

  • It’s important to evaluate how the vendor is going to integrate into your business processes.
  • It’s your job to be as responsible as possible with your customers’ data.

Manage and quantify:

  • Assign a risk quantification score.
  • Document it to allow mitigation when necessary.
  • You need an objective process, regardless of the size of the vendor organization, such as a SOC report or an assessment from an independent security firm, to ensure the information is valid.

Prioritize and treat:

  • Put as many controls as you can into your vendor contracts to make sure you are creating a secure environment, enough to keep the business on the up and up.

Monitor continuously:

  • You have to keep tabs on what’s going on.
  • The most important thing for risk management is a formalized process, with steps that have to be followed.
  • Assess regularly, at least annually.
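The five steps above (discover, analyze, manage and quantify, prioritize and treat, monitor continuously) can be turned into a small, repeatable scoring model. The Python below is an added example written for this summary; it is not code from the webinar or from the presenter. The sensitivity scale, access scale, weights for SOC assurance and contract controls, tier thresholds and review intervals are all assumptions chosen to illustrate the method, and the three vendors are constructed sample data.

```python
"""Vendor risk quantification: an added example, not from the webinar.

Discover  -> classify the data a vendor handles and its level of access
Analyze   -> compute inherent risk from sensitivity x access
Quantify  -> reduce it for independent assurance (SOC report) and contract controls
Prioritize-> sort vendors by residual score and assign a tier
Monitor   -> derive a review cadence (at least annually) and flag overdue assessments
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Hypothetical data classification scale (assumed, not from the webinar).
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
# Hypothetical vendor access scale (assumed).
ACCESS = {"none": 0, "read": 1, "read_write": 2, "admin": 3}

# Assumed weights: a SOC report removes 25% of inherent risk, each
# contractual security obligation (capped at 5) removes a further 5%.
SOC_DISCOUNT = 0.25
CONTROL_DISCOUNT = 0.05
MAX_CONTROLS = 5


@dataclass
class Vendor:
    name: str
    data_classes: List[str]   # classifications of the data the vendor touches
    access: str               # key into ACCESS
    has_soc_report: bool      # independent assurance from an auditor/security firm
    contract_controls: int    # security obligations written into the contract
    last_assessed: date


def inherent_risk(v: Vendor) -> int:
    """Most sensitive data class handled, scaled by how much access the vendor has."""
    worst = max(SENSITIVITY[c] for c in v.data_classes)
    return worst * (1 + ACCESS[v.access])


def residual_risk(v: Vendor) -> float:
    """Inherent risk reduced by the assurance and controls the vendor actually has."""
    score = float(inherent_risk(v))
    if v.has_soc_report:
        score *= 1 - SOC_DISCOUNT
    score *= 1 - CONTROL_DISCOUNT * min(v.contract_controls, MAX_CONTROLS)
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score (max inherent is 16 on these scales) to a treatment tier."""
    if score >= 10:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def review_interval(t: str) -> timedelta:
    """Assessment cadence per tier; never less often than annually."""
    return {"critical": timedelta(days=90), "high": timedelta(days=180)}.get(
        t, timedelta(days=365))


def is_overdue(v: Vendor, today: date) -> bool:
    """True when the vendor's last assessment is older than its tier allows."""
    return today - v.last_assessed > review_interval(tier(residual_risk(v)))


def prioritize(vendors: List[Vendor]) -> List[str]:
    """Vendor names ordered by residual risk, highest first."""
    return [v.name for v in sorted(vendors, key=residual_risk, reverse=True)]


# Constructed sample vendors (hypothetical names and attributes).
VENDORS = [
    Vendor("payroll-provider", ["regulated", "internal"], "read_write", True, 4, date(2021, 1, 15)),
    Vendor("marketing-analytics", ["internal", "public"], "read", False, 1, date(2022, 1, 10)),
    Vendor("managed-hosting", ["confidential"], "admin", True, 5, date(2021, 10, 1)),
]

if __name__ == "__main__":
    today = date(2022, 3, 23)
    for v in sorted(VENDORS, key=residual_risk, reverse=True):
        print(f"{v.name:22} inherent={inherent_risk(v):3} residual={residual_risk(v):5} "
              f"tier={tier(residual_risk(v)):8} overdue={is_overdue(v, today)}")
```

The split between inherent and residual risk is the useful part: the payroll provider is "critical" on inherent risk because it holds regulated data with write access, but its SOC report and contract obligations bring it down to "high". The model also makes the monitoring step concrete, because a vendor whose last assessment is older than its tier allows shows up as overdue rather than being forgotten.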

Third-party risk is on the rise

  • Email/supply chain threats – 80 percent of cyber attacks result from phishing – sad to say, but it does work.
  • Supply chain threats are relatively new and more sophisticated, typically carried out by nation-states, like the SolarWinds attack.
  • The average cost of a third-party breach across all industries is up by $370,000; 53 percent of organizations have experienced a third-party breach.

Suggestions/best practices

  • Put policies in place that limit access to systems to what people need to do their jobs.
  • Monitor regulations on privacy and security requirements, which are typically set at a state level.
  • Monitor vendors to maintain their obligations relative to your business and data.
  • Visit www.cisa.gov for resources such as risk assessment guidance, the latest phishing scams, etc.
  • Make sure someone at the highest levels of the organization, such as the chief operating officer, owns vendor risk.
