Watch: Establishing a Third-Party Risk Management Program

Date March 24, 2022

Highlights of the March 23, 2022 webinar hosted by Bill Heaven, CPA, CISA, CITP, CSCP, Senior Director IT Development

Third-party risk is on the rise: email and supply chain threats, the cost of third-party breaches, and breaches caused by a third party are all increasing.

How do your vendors rate?

Every organization should be able to answer that question, and should define the obligations its vendors have to meet via:

  • Contract
  • Security requirements
  • Privacy regulations at the state level, like the California Consumer Privacy Act, a landmark law that gives consumers the right to know what personal information a business collects about them and how it is used and shared, and the right to have it deleted.

Attack vectors

Ransomware is getting more dangerous; attackers are doing two relatively new things:

  • Exfiltrating data from your systems before they encrypt it, then threatening to post customer data on websites.
  • Getting into systems and attacking the backups, so you can’t restore from them to avoid paying a ransom.

Code signing – attackers get into the systems that sign code or check certificates for long enough to make the credential check match up, so that you load malware believing it came from a legitimate vendor.

Compromising open-source code – it is harder to get malware into an open-source code base than to abuse code signing.

Who’s responsible for vendor risk?

Confusion over responsibility: just as it is a misnomer that cybersecurity is IT’s responsibility, the same thing happens with vendor risk; it needs to be owned at the upper levels of management for both procurement and information security.

Third-party risk management steps

Discover:

  • Have a data classification process by sensitivity to know what types of data you have and what’s most important.
  • Know what vendors will do with your data, what type of data, and their access.
  • Need a framework to evaluate vendor access objectively, including controls vendors should have in place based on what kind of information they are accessing.

Analyze:

  • It’s important to evaluate how the vendor is going to integrate into your business processes.
  • It’s your job to be as responsible as possible with your customers’ data.

Manage and quantify:

  • Assign a risk quantification score.
  • Document it to allow mitigation when necessary.
  • Need an objective process, regardless of the size of the vendor organization, such as a SOC report or an assessment from an independent security firm, to ensure the information is valid.

Prioritize and treat:

  • Put as many controls as you can into your vendor contracts to make sure you are creating a secure environment, enough to keep the business on the up and up.

Monitor continuously:

  • You have to keep tabs on what’s going on.
  • What matters most for risk management is a formalized process, with steps that have to be followed.
  • Assess regularly, at least annually.
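As an added illustration of the discover, analyze, manage and quantify, prioritize, and monitor steps above, the Python sketch below is example code written for this summary; it is not from the webinar or from HBK. It scores each vendor from the sensitivity of the data it handles, the breadth of its access, and the independent assurance it has supplied (a SOC report or an outside assessment), buckets the result into a tier for treatment, and flags vendors whose annual reassessment is overdue. The weights, thresholds, category names and the sample vendors are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# All weights below are assumptions for this illustration, not figures from the webinar.
# "Discover": data classification by sensitivity, higher means more sensitive.
DATA_SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
# "Analyze": what the vendor can do with that data, higher means broader access.
ACCESS_LEVEL = {"none": 0, "read": 1, "read-write": 2, "admin": 3}
# "Manage and quantify": independent evidence discounts the inherent score;
# a vendor's own attestation barely does, and no evidence does not at all.
ASSURANCE_FACTOR = {"soc2_type2": 0.5, "independent_assessment": 0.7,
                    "self_attestation": 0.9, "none": 1.0}
# "Monitor continuously": assess at least annually.
REASSESSMENT_INTERVAL = timedelta(days=365)
# "Prioritize and treat": score thresholds for each tier (assumed values).
TIERS = ((8, "critical"), (4, "high"), (2, "medium"), (0.01, "low"))


@dataclass
class Vendor:
    name: str
    data_classification: str
    access: str
    assurance: str
    last_assessed: Optional[date]                      # None means never assessed
    contract_controls: List[str] = field(default_factory=list)  # documented mitigations


def validate(v: Vendor) -> None:
    """Reject records outside the framework so every vendor is scored the same way."""
    for value, table, label in ((v.data_classification, DATA_SENSITIVITY, "data classification"),
                                (v.access, ACCESS_LEVEL, "access level"),
                                (v.assurance, ASSURANCE_FACTOR, "assurance")):
        if value not in table:
            raise ValueError(f"{v.name}: unknown {label} {value!r}")


def inherent_score(v: Vendor) -> int:
    """Risk before evidence is considered: sensitivity of the data times breadth of access."""
    validate(v)
    return DATA_SENSITIVITY[v.data_classification] * ACCESS_LEVEL[v.access]


def residual_score(v: Vendor) -> float:
    """Inherent score discounted by the strength of independent assurance."""
    return round(inherent_score(v) * ASSURANCE_FACTOR[v.assurance], 2)


def tier(score: float) -> str:
    """Bucket a score so vendors can be prioritized and treated."""
    for threshold, label in TIERS:
        if score >= threshold:
            return label
    return "negligible"


def assessment_overdue(v: Vendor, today: date) -> bool:
    """True when the vendor has never been assessed or the last assessment is older than a year."""
    return v.last_assessed is None or today - v.last_assessed > REASSESSMENT_INTERVAL


def risk_register(vendors: List[Vendor], today: date) -> List[dict]:
    """Build the register, highest residual risk first (ties broken by inherent risk)."""
    rows = []
    for v in vendors:
        residual = residual_score(v)
        rows.append({"vendor": v.name, "inherent": inherent_score(v), "residual": residual,
                     "tier": tier(residual), "overdue": assessment_overdue(v, today),
                     "controls": list(v.contract_controls)})
    rows.sort(key=lambda r: (r["residual"], r["inherent"]), reverse=True)
    return rows


# Constructed sample vendors; names and dates are made up for the example.
SAMPLE_VENDORS = [
    Vendor("Payroll SaaS (constructed)", "restricted", "admin", "soc2_type2",
           date(2021, 1, 15), ["breach notification within 72h", "encryption at rest"]),
    Vendor("Email marketing tool (constructed)", "confidential", "read-write", "none",
           date(2022, 2, 20)),
    Vendor("Cloud backup provider (constructed)", "restricted", "read-write",
           "independent_assessment", date(2021, 12, 1), ["immutable backup copies"]),
    Vendor("Office supplies shop (constructed)", "public", "none", "none", None),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_VENDORS, date(2022, 3, 24)):
        flag = "REASSESS" if row["overdue"] else "ok"
        print(f'{row["vendor"]:40} inherent={row["inherent"]:2} residual={row["residual"]:4} '
              f'{row["tier"]:10} {flag}')
```

The register keeps the inherent score next to the residual one on purpose: a vendor with admin access to restricted data stays at the top of the list even after a clean SOC 2 report halves its residual score, and the `overdue` flag is what drives the annual reassessment cycle rather than the score alone.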

Third-party risk is on the rise

  • Email/supply chain threats – 80 percent of cyber attacks result from phishing; sad to say, but it does work.
  • Supply chain threats are relatively new and more sophisticated, typically carried out by nation-states, like the SolarWinds attack.
  • The average cost of a third-party breach across all industries is up by $370,000; 53 percent of organizations have experienced a third-party breach.

Suggestions/best practices

  • Put policies in place that limit access to systems to whatever people need to do their jobs.
  • Monitor regulations on privacy and security requirements, which are typically set at a state level.
  • Monitor vendors to maintain their obligations relative to your business and data.
  • Visit www.cisa.gov for resources such as risk assessments, the latest phishing scams, etc.
  • Make sure someone at the highest levels of the organization, such as the chief operating officer, owns vendor risk.
