The Need for 3rd Party Risk Management Increasing

Most companies are overwhelmed with the task of trying to provide adequate security for their own company. But the requirement for you to secure your company requires that you take responsibility for 3^rd party risk as well. Many companies do nothing. Others make their vendors or partners sign contracts attesting to the fact that they comply with your requirements when handing your data.

The definition of what is appropriate 3^rd party risk management is quickly changing to mean much more proactive monitoring and enforcement of your 3rd parties. Are you ready?

Drivers for 3^rd Party Risk Management

Companies of all sizes are finding multiple drivers for 3^rd party risk management. 

• Compliance: 3^rd Party Security Verification of Security Regulation Compliance (HIPAA business Associate requirements, PCI Third party Security Assurance, FDIC guidance on Managing Third-Party Risks…). All regulations expect regulated companies to hold their 3^rd party service providers to the same standards as they are being held. Attestation and verification and ongoing assessments are key.
• Sensitive Data Protection: Ensuring Outsourcing Partners Handle Sensitive Data Securely
• Mergers and Acquisitions Due Diligence: Evaluate your M&A partner before closing the deal
• Annual Risk Assessments for risk management initiatives or regulation compliance

Use Cases for 3^rd Party Risk Management

Third party risk assessments are being used for an expanded set of uses.

1. Third-Party Monitoring
2. Pre-Contract Vendor Assessment
3. Fourth-Party Risk Measurement – Assess risks related to your 3^rd party vendors
4. Investment Due Diligence (mergers & acquisitions, etc.)
5. Assessing Your Own Company – Benchmarking your company from the outside in.

Necessary Components to Manage 3rd Party Risk

The process of a 3^rd party risk assessment requires multiple steps.

• Identify your 3^rd parties. Surprisingly, many companies don’t know who all their partners are.
• Identify 3^rd party risk (ID assets at risk and types of protection required when using this supplier)
• Establish compliance standard – Define what the 3^rd party must demonstrate to be compliant
• Contractual attestation by 3^rd party suppliers to comply with necessary regulations or desired security level
• Ongoing monitoring of 3^rd party security compliance.

What is Lacking in Most Risk Management Programs?

Unfortunately, for many companies, 3^rd party risk management is not taken seriously enough. Areas that are lacking but where there are new solutions include the following.

• Transparency: The inability to measure, assess or verify the level of security commitments made by 3^rd parties. Some of your vendors might have risk assessments done by 3^rd party security service companies that help them demonstrate their compliance with security regulations. Vendor partners with cloud datacenters should have SOC 2 certifications. But many of your vendors have little evidence of security compliance leaving the burden of verification up to you.
• Ongoing Monitoring: Definitely missing is some level of ongoing monitoring of security compliance.
  • Internal monitoring: Vendors that have SIEMs and use Monitoring Detection and Response (MDR) services have some evidence of ongoing monitoring of their security systems. However, many vendors are missing this sophistication.
  • External continuous monitoring: Most companies are missing comprehensive external security monitoring of their security.
  • Comprehensive external continuous monitoring of security can provide:
    • A worldwide asset map of company managed & outsourced systems using the WWW
    • Deep external security assessments with actionable insights into high value assets and ranked risks
    • Continuous scanning and updates to risk changes
    • Drill down support for all metrics. Understand the reasons for risk ratings
    • A solution to comprehensive risk assessments for: 1) your company, 2) 3^rd parties and 3) 4^th parties

Risk Management Recommendations

• Companies should have comprehensive 3^rd party risk management programs that do not rely on their partners for all validation of their ability to safely handle your data. Companies are expected to do what they can reasonably do to ensure the security of their 3^rd