Watch: Third-Party Risk Management: Recent Trends and New Approaches

Date March 27, 2024

Highlights of the March 2024 edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services.

Watch on Demand.

Is your company currently managing vendor or third-party risk?

  • Only 30 percent of companies are managing risk of at least half of their third-party relationships.
  • 77 percent of executives say they need to overhaul their risk management program.
  • 71 percent of this webinar’s attendees responded that they are not currently managing third-party risk.
  • 52 to 54 percent of cyber breaches are caused by a third party.
  • 46 percent of all breaches impact businesses with fewer than 1,000 employees.
  • Third-party risk continues to rise:

Email/phishing/supply chain threats (SolarWinds supply chain hack: the attackers made it look like the firm was sending its clients messages that they needed updates, and trusting clients accepted the updates, thinking they were legitimate).

How do vendors rate?

Are they meeting their obligations?

  • Contractual
  • Security
  • Privacy

Attack vectors include:

  • Ransomware accounts for about 25% of breaches
  • Undermining code signing, as in supply chain hacking (looks like the information is coming from a trusted source)
  • Compromising open-source code (many people are relying on open sources)

Zero-day vulnerability: the attackers have access before you notice. Cybersecurity hygiene is the best defense against zero-day vulnerabilities.

Who owns vendor risk?

There is confusion about responsibility: Cybersecurity is a business-level risk that can result in a tug of war between information security and procurement.

  • Procurement is responsible for onboarding new third parties.
  • Information security is responsible for data privacy, data protection, and information security protection.
  • Express the risks and let procurement make the decision of whether or not to engage the vendor.

Third-party risk management steps:

  • Discover: understand how to categorize your vendors.
  • Analyze how a vendor will fit into your environment. (Triage: a series of high-level questions about how you will work with the vendor; the risk is higher if the vendor will take possession of your data or have access to your computer systems; determine the possible negative impact.)
  • Based on the analysis, quantify the risk.
  • Prioritize which will be the most or least risky vendors.
  • Continuous monitoring: the most important step for security; maintaining an understanding of a vendor’s risk level and whether it is changing.

88 percent of webinar attendees answered that they had been impacted by third-party risk.
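As an added example (not from the webinar or HBK), here is one way to turn the triage, quantify and prioritize steps above into a scoring model, with a comparison against a previous score snapshot standing in for continuous monitoring. The vendor attributes, weights and tier thresholds are assumptions for illustration, and the vendor inventory is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    holds_our_data: bool      # will the vendor take possession of our data?
    has_system_access: bool   # will the vendor have access to our systems?
    data_sensitivity: int     # 0 none, 1 internal, 2 confidential, 3 regulated (PII/PHI/PCI)
    business_impact: int      # 1 (negligible) .. 5 (severe) if the vendor is breached or fails
    security_rating: int      # 1 (poor) .. 5 (strong), from the vendor assessment

def inherent_risk(v: Vendor) -> int:
    """Triage score from the high-level questions alone, before vendor controls (0..30)."""
    exposure = 0
    if v.holds_our_data:
        exposure += 1 + v.data_sensitivity   # 1..4 depending on what data they hold
    if v.has_system_access:
        exposure += 2                         # assumed weight: access counts like confidential data
    return exposure * v.business_impact       # max 6 * 5 = 30

def residual_risk(v: Vendor) -> float:
    """Inherent risk scaled down by the controls the vendor has demonstrated."""
    return round(inherent_risk(v) * (6 - v.security_rating) / 5, 1)

def tier(score: float) -> str:
    """Bucket a residual score so the highest-risk vendors are assessed first (assumed thresholds)."""
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"

def prioritize(vendors: list[Vendor]) -> list[str]:
    """Vendor names ordered from most to least risky."""
    return [v.name for v in sorted(vendors, key=residual_risk, reverse=True)]

def monitor(previous: dict[str, float], vendors: list[Vendor]) -> list[str]:
    """Continuous monitoring: vendors that are new or whose tier moved since the last snapshot."""
    flagged = []
    for v in vendors:
        before = previous.get(v.name)
        if before is None or tier(before) != tier(residual_risk(v)):
            flagged.append(v.name)
    return flagged

# Constructed sample inventory (not real vendors) and last quarter's residual score snapshot.
VENDORS = [
    Vendor("Payroll SaaS", True, False, 3, 5, 4),
    Vendor("Managed IT provider", True, True, 2, 5, 2),
    Vendor("Office supplies", False, False, 0, 1, 3),
    Vendor("Marketing agency", True, False, 1, 2, 3),
]
PREVIOUS_SNAPSHOT = {"Payroll SaaS": 8.0, "Managed IT provider": 10.0, "Office supplies": 0.0}
```

Running `prioritize(VENDORS)` puts the managed IT provider first (data plus system access, weak rating), and `monitor(PREVIOUS_SNAPSHOT, VENDORS)` flags it for re-assessment because its tier moved from Medium to High, alongside the newly onboarded marketing agency.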

Third-party risk on the rise

  • Text messaging risk has increased.
  • Third-party breach costs are rising by about 25% and approaching an average of $5 million per breach.
  • 54 percent of organizations have experienced a breach due to a third party.
  • Almost 60 percent of businesses hit with a cybersecurity breach go out of business within a year.
  • Rating vendors provides an opportunity for a new vendor to protect against exposure.
  • Vendors doing business in various states must adhere to security and privacy rules in those states.

Information sources:

  • International Association of Privacy Professionals
  • California Consumer Privacy Act: the regulation in the U.S. that is most often referenced

Where to own the risk?

  • Someone has to own it, and not only IT security and procurement
  • Educate employees how to take responsibility at the business level

Suggestions

  • Establish a program of governance: Put things in place to make people aware of the risks.
  • Use IAPP.org to monitor what’s new in terms of risk and privacy.
  • Get vendor commitments.
  • Sign up with FBI for hacking updates.
  • CISA.gov: suggestions for security awareness programs.
  • Any program needs the support of and adherence by the company’s highest level of management.

Gaps/mature characteristics

63 percent of webinar attendees responding answered that their gap in performing third-party risk assessment is a lack of personnel; 25 percent said third parties are too difficult to assess.

Biggest gaps:

  • Inadequate coverage of third parties
  • Assessment backlog
  • Lack of design/prioritization (Start with highest risk.)
  • Difficulty of assessing vendors

Mature program characteristics:

  • Automation: used to continuously monitor
  • Assessment exchanges: sharing incident information
  • Artificial intelligence: AI tools to check vendors’ security are expected to be available soon, but be careful about the data you provide to AI.

If you don’t have a third-party risk management program yet, consider getting something in place.
