In this three-part series, we report on a just-released CyberRisk Alliance survey titled Third Party Risk: A Turbulent Outlook: Findings from a December 2021 Research Study, sponsored by Trava. (read Part 1) Here, we consider how companies learn the hard way that third-party risk is as important to assess and monitor as their own.
Alarming news reports of large data breaches and ransom attacks have made clear that a company’s cyber risk profile includes not just its own policies and practices, but those of its outside vendors, contractors, and software providers. Without assurances that those partners are compliant, a business can’t truly call itself secure. Just as a company’s prospects vet it during contract negotiations, it should in turn vet any current or potential partner with access to its data. In fact, 40% of respondents conduct ongoing or continuous risk reassessments after acquiring a third-party partner.
When it comes to third-party cyber risk, the IT and security professionals surveyed expressed the most concern about malware, ransomware, data leakage and business or supply chain disruptions. Almost one third cited the collateral damage to their company’s reputation as a chief worry.
Still others expressed fear of legal repercussions. Could a failure to adequately vet a vendor make them liable if a data breach occurs? Could they be liable if their third-party partner was negligent or failed to follow regulations? Why take the chance?
From a cybersecurity standpoint, organizations cannot assume a business partner has certain security controls in place or remains off threat actors’ radars. This has put more pressure on companies to improve their due diligence before onboarding a new contractor, supplier, or software provider. They should also reevaluate the risk profiles of current partners and business relationships.
Discovering a vulnerability as part of a routine cadence of assessments is infinitely better than learning of it through a catastrophic system failure, a ransomware incident, or a distributed denial-of-service attack.
In managing third-party risk, a company can choose from three paths: rely on its third-party partners’ own assessments or attestations (35%), conduct assessments and monitoring itself or use questionnaires (35%), or—as 43% of those surveyed reported doing—hire an outside service.
When even a portion of an organization’s IT functionality is in the hands of outside providers, it’s crucial to know not only what vendor security controls are in place, but how to respond if those providers become vectors for cyber attacks. That likely explains why 76% of those surveyed considered managing third-party risk a high or critical priority. Another factor may be that 60% said they had, in recent years, experienced an IT security incident caused by a third-party partner breach that led to stolen sensitive data or some type of business outage. While 52% suffered less than $100,000 in damages, about 45% incurred higher costs, with a few paying $1 million or more. These events and the post-mortems that typically follow can serve as catalysts for changing cyber policies, procedures, and even people to reduce organizational vulnerability, especially when the weak link is within a supply chain.
Fortunately, many organizations are setting good examples by mitigating their third-party risk effectively. In part three, we present the top seven third-party risk management practices employed by organizations surveyed.
Source: CyberRisk Alliance, Third Party Risk: A Turbulent Outlook: Findings from a December 2021 Research Study, January 2022.