What is Third-Party Cyber Risk Management?
Many organizations rely on relationships with partners, vendors, and other third parties to conduct day-to-day operations. Supply chain attacks have been on the rise because the supply chain ecosystem is an attractive vector for attackers: a single compromised supplier can quickly expand into many downstream victims. Third-party security breaches pose serious risks to your business, as they can result in significant downtime, financial losses, data compromise, loss of trust with customers and stakeholders, compliance breaches, fines, and legal liabilities. Third-Party Cyber Risk Management (TPCRM) refers to a strategic process for assessing and controlling the risks associated with doing business with third parties. TPCRM focuses on cyber, financial, operational, and regulatory risks. The following steps can help in the development of a comprehensive TPCRM program:
Identify vendors. Create an inventory of all vendors and third parties, what they can access, and what data you share with them. Categorize vendors by their impact on your business, with those that supply critical goods or services ranking higher than those that provide support services.
Classify vendors. Create a risk profile for each vendor so that you can classify them. Risk profiles can be built from questionnaires completed by the employees responsible for the vendor relationship and by the vendor itself. The information gathered should include the services provided, the location and sensitivity of data the vendor can access, process, or store, and any other security information that can inform your risk assessment. Assign each vendor a risk rating that indicates its level of threat to your organization, using the following guidelines:
- High risk. Corrective action must be taken immediately
- Medium risk. Corrective action must be taken within a predetermined timeframe
- Low risk. Accept the risk or create a mitigation plan
Address risks. Address risks in order of priority. Possible controls that may be implemented include encryption, multi-factor authentication, endpoint detection and response, security awareness training, and more.
Clarify expectations with vendors. Spell out the risks and the associated controls in vendor contracts. Request copies of attestations from independent auditors, such as a SOC report or an ISO certification. Have a cybersecurity consultant review each attestation to verify that it provides sufficient assurance for the vendor's level of risk. SOC audits can be limited in scope, so confirm that the scope of the attestation actually included the controls you care about.
Repeat annually. Follow these steps every year to ensure that new vendors are assessed for risk, changes in existing vendors' risk profiles are identified, security profiles are updated, and contracts and attestations remain current.
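As an added illustration of the steps above (not part of the original article), the following Python script keeps a small vendor risk register: it scores each vendor from questionnaire answers (business impact, data sensitivity, access level), applies a credit only when an attestation's scope covered the relevant controls, maps the score to the High/Medium/Low ratings and actions listed above, and flags vendors whose annual review is overdue. The questionnaire fields, scoring weights, thresholds and sample vendors are all constructed assumptions, not prescribed by the article; tune the weights to your own risk appetite.

```python
"""Vendor risk register for a TPCRM program.

Added example, not from the original article. Field names, weights,
thresholds and the sample vendors are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Vendor:
    """Questionnaire answers for one third party (assumed fields)."""
    name: str
    service: str
    business_impact: str            # "critical" or "support" (step 1 category)
    data_sensitivity: str           # "none", "internal", "confidential", "regulated"
    access_level: str               # "none", "read", "write", "admin"
    attestation: Optional[str]      # e.g. "SOC 2 Type II", "ISO 27001", or None
    attestation_covers_controls: bool  # did the audit scope include the controls you need?
    last_assessed: date


# Scoring weights: an assumption, not a standard.
IMPACT_SCORE = {"critical": 3, "support": 1}
SENSITIVITY_SCORE = {"none": 0, "internal": 1, "confidential": 2, "regulated": 3}
ACCESS_SCORE = {"none": 0, "read": 1, "write": 2, "admin": 3}
ATTESTATION_CREDIT = 2

ACTION = {
    "High": "Corrective action must be taken immediately",
    "Medium": "Corrective action must be taken within a predetermined timeframe",
    "Low": "Accept the risk or create a mitigation plan",
}


def risk_score(v: Vendor) -> int:
    """Sum the weighted questionnaire answers into a single inherent-risk score."""
    score = (IMPACT_SCORE[v.business_impact]
             + SENSITIVITY_SCORE[v.data_sensitivity]
             + ACCESS_SCORE[v.access_level])
    # An attestation only reduces risk when its scope covered the relevant controls;
    # a SOC report that excluded those controls gives no credit.
    if v.attestation and v.attestation_covers_controls:
        score -= ATTESTATION_CREDIT
    return max(score, 0)


def risk_rating(score: int) -> str:
    """Map a score to the High/Medium/Low bands (thresholds are assumptions)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def review_overdue(v: Vendor, today: date) -> bool:
    """True when the vendor has not been reassessed within the last year."""
    return today - v.last_assessed >= timedelta(days=365)


def prioritize(vendors: List[Vendor], today: date) -> List[Dict]:
    """Return register rows ordered so the highest-risk vendors are addressed first."""
    rows = []
    for v in vendors:
        score = risk_score(v)
        rating = risk_rating(score)
        rows.append({
            "name": v.name,
            "score": score,
            "rating": rating,
            "action": ACTION[rating],
            "review_overdue": review_overdue(v, today),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample vendors (not real organizations).
SAMPLE_VENDORS = [
    Vendor("PayrollCo", "payroll processing", "critical", "regulated", "write",
           "SOC 2 Type II", True, date(2024, 9, 1)),
    Vendor("CloudHost", "infrastructure hosting", "critical", "confidential", "admin",
           "ISO 27001", False, date(2024, 9, 1)),
    Vendor("CleanCorp", "office cleaning", "support", "none", "none",
           None, False, date(2024, 1, 15)),
    Vendor("AdAgency", "marketing", "support", "internal", "read",
           None, False, date(2024, 9, 1)),
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_VENDORS, date(2025, 3, 1)):
        flag = " (annual review overdue)" if row["review_overdue"] else ""
        print(f'{row["rating"]:6} {row["score"]:2}  {row["name"]:10} {row["action"]}{flag}')
```

Note that CloudHost outranks PayrollCo even though it holds an ISO 27001 certificate: the certificate's scope did not cover the controls in question, so it earns no credit, which is exactly the scope check the contract step calls for.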