The issue can seem daunting, but most organizations have more agency and flexibility to deal with third-party risk than they think.

Matt Mettenheimer, Associate Director of Cyber Advisory, Cybersecurity Practice, S-RM

March 25, 2024


COMMENTARY

Mitigating third-party risk may seem daunting when considering the slew of incoming regulations coupled with the increasingly advanced tactics of cybercriminals. However, most organizations have more agency and flexibility than they think they do. Third-party risk management can be built on top of existing risk governance practices and security controls that are currently implemented at the company. What's reassuring about this model is that it means organizations do not have to fully scrap their existing protection to successfully mitigate third-party risk — and this encourages a culture of gradual, continuous improvement. 

Third-party risk presents a unique challenge to organizations. On the surface, a third party can appear trustworthy. But without complete transparency into the inner workings of that third-party vendor, how can an organization ensure that data entrusted to them is secure?

Often, organizations downplay this pressing question, due to the longstanding relationships they have with their third-party vendors. Because they've worked with a third-party vendor for 15 years, they'll see no reason to jeopardize their relationship by asking to "look under the hood." However, this line of thinking is dangerous — a cyber incident can strike when or where it's least expected.

A Changing Landscape

When a data breach strikes, not only can the organization be fined as an entity, but personal consequences may be imposed as well. Last year, the FDIC tightened its guidelines on third-party risk, setting the stage for other industries to follow suit. With the emergence of new technologies such as artificial intelligence, the outcomes of mismanaged data in the hands of a third party can be dire. Incoming regulations will reflect these serious consequences by issuing harsh penalties to those who haven't developed strong controls.

Besides new regulations, the emergence of fourth- and even fifth-party vendors should incentivize organizations to secure their external data. Software isn't the simple, internal practice it was 10 years ago — today, data passes through many hands, and with each added link to the data chain, security threats increase while oversight becomes more difficult. For example, doing proper due diligence on a third-party vendor is of little benefit if the vetted third party outsources private client data to a negligent fourth party and the organization is unaware of it.

Five Simple Out-of-the-Box Steps

With the right roadmap, organizations can successfully mitigate third-party risk. Better still, costly and disruptive tech investments aren't always necessary. To start with, what organizations need when performing due diligence is a sensible plan, capable personnel willing to buy in, and heightened communication between the IT, security, and business teams.

The first step is to thoroughly understand the vendor landscape. While this may seem obvious, many organizations, especially large companies with budgets to outsource, neglect this crucial step. While hastily establishing a third-party vendor relationship may save money in the short term, all those savings will be erased if a data breach occurs and the organization faces hefty fines.

After researching the vendor landscape, organizations should determine which third-party roles are "critical" — these roles may be operationally critical or process sensitive data. Based on criticality, vendors should be grouped by tiers, which allows for flexibility in how the organization assesses, reviews, and manages the vendor.

Sorting vendors by their criticality can shed light on the overreliance organizations might have on their third-party vendors. These organizations must ask themselves: If this relationship were to suddenly cease, do we have a backup plan? How would we replace this function while seamlessly continuing day-to-day operations?

The third step is to develop a plan for governance. There must be synergy between the three main arms of an organization to effectively perform due diligence and manage risk — the security team shines a light on holes in the vendor's security program, the legal team determines legal risk, and the business team predicts the negative cascading effect on operations if data or operations are compromised. The key to creating solid governance is to tailor the plan to suit an organization's unique needs. This is especially applicable to organizations in less regulated industries.

The governance step incorporates the drafting of contractual obligations. For instance, in cloud computing, business leaders will often mistakenly rush into signing a contract without understanding that certain security measures may or may not be included in the baseline package. Contractual obligations are often industry dependent, but a standardized security clause should be developed as well. For example, if we are evaluating a delivery company, there may be less focus on the vendor's software development lifecycle (SDLC) process and more on its resiliency measures. However, if we're evaluating a software company, we will want to focus on the vendor's SDLC processes, such as how code is reviewed and what the safeguards for pushing to production look like.

Finally, organizations need to develop an exit strategy. How does an organization cleanly separate from a third party while ensuring that their client data is scrubbed? There have been cases where a company severs ties with a vendor only to receive a call years later informing them that their former partner suffered a data compromise and that their client data was exposed — despite being under the assumption that this data was erased. Moral of the story: Do not assume. Besides an accidental data breach, there's also the possibility that third-party vendors will use a former partner's data for internal development, such as using that data to build machine learning models. Organizations must prevent this by stating in clear, specific, and legally binding terms how vendors will erase data in the event of the partnership ending, and what the consequences will be if they don't.

Create a Culture of Shared Responsibility and Continuous Improvement

Taking a team approach to performing due diligence means the chief information security officer (CISO) doesn't have to fully shoulder the responsibility of de-risking a third-party vendor. The SEC's charges against SolarWinds set a concerning precedent — a CISO can take the fall, even if the problem stems from organizationwide dysfunction. If the IT and business teams support the CISO in vetting third-party vendors, it sets the stage for future cross-team collaboration, boosts the organization's buy-in, and produces better results when it comes to security.

About the Author(s)

Matt Mettenheimer

Associate Director of Cyber Advisory, Cybersecurity Practice, S-RM

Matt Mettenheimer is an Associate Director in S-RM's Cybersecurity Advisory practice. He specializes in developing large-scale multinational security programs, conducting cybersecurity maturity assessments, and creating, developing, and assessing third-party risk management programs. Matt has collaborated with thought leaders throughout the industry to tackle leading cyber risks such as AI and third-party risk. Additionally, he works with leading cyber insurance firms to identify and manage cyber risks across their insureds. He has experience in responding to and remediating regulatory consent orders and providing program defense against external auditors.
