March 15, 2019
The Need for 3rd Party Risk Management Is Increasing
Most companies are already overwhelmed by the task of providing adequate security for their own organization. But securing your company also requires that you take responsibility for 3rd party risk. Many companies do nothing. Others make their vendors or partners sign contracts attesting that they comply with your requirements when handling your data.
The definition of what is appropriate 3rd party risk management is quickly changing to mean much more proactive monitoring and enforcement of your 3rd parties. Are you ready?
Drivers for 3rd Party Risk Management
Companies of all sizes are finding multiple drivers for 3rd party risk management.
- Compliance: 3rd party verification of security regulation compliance (HIPAA Business Associate requirements, PCI Third-Party Security Assurance, FDIC guidance on Managing Third-Party Risks…). All of these regulations expect regulated companies to hold their 3rd party service providers to the same standards to which they themselves are held. Attestation, verification and ongoing assessments are key.
- Sensitive Data Protection: Ensuring Outsourcing Partners Handle Sensitive Data Securely
- Mergers and Acquisitions Due Diligence: Evaluate your M&A partner before closing the deal
- Annual Risk Assessments for risk management initiatives or regulation compliance
Use Cases for 3rd Party Risk Management
Third party risk assessments are being used for an expanded set of uses.
- Third-Party Monitoring
- Pre-Contract Vendor Assessment
- Fourth-Party Risk Measurement – Assess risks from the suppliers that your 3rd party vendors themselves rely on
- Investment Due Diligence (mergers & acquisitions, etc.)
- Assessing Your Own Company – Benchmarking your company from the outside in.
Necessary Components to Manage 3rd Party Risk
The process of a 3rd party risk assessment requires multiple steps.
- Identify your 3rd parties. Surprisingly, many companies don’t know who all their partners are.
- Identify 3rd party risk (identify the assets at risk and the types of protection required when using this supplier)
- Establish compliance standard – Define what the 3rd party must demonstrate to be compliant
- Contractual attestation by 3rd party suppliers to comply with necessary regulations or desired security level
- Ongoing monitoring of 3rd party security compliance.
What is Lacking in Most Risk Management Programs?
Unfortunately, for many companies, 3rd party risk management is not taken seriously enough. Areas that are lacking but where there are new solutions include the following.
- Transparency: The inability to measure, assess or verify the level of security commitments made by 3rd parties. Some of your vendors may have had risk assessments done by 3rd party security service companies that help them demonstrate their compliance with security regulations. Vendor partners with cloud datacenters should have SOC 2 certifications. But many of your vendors have little evidence of security compliance, leaving the burden of verification up to you.
- Ongoing Monitoring: Some level of ongoing monitoring of security compliance is almost always missing.
- Internal monitoring: Vendors that have SIEMs and use Managed Detection and Response (MDR) services have some evidence of ongoing monitoring of their security systems. However, many vendors lack this sophistication.
- External continuous monitoring: Most companies lack comprehensive external monitoring of their security posture.
- Comprehensive external continuous monitoring of security can provide:
  - A worldwide asset map of company-managed and outsourced systems visible on the public web
  - Deep external security assessments with actionable insights into high-value assets and ranked risks
  - Continuous scanning and updates as risks change
  - Drill-down support for all metrics, so that the reasons behind each risk rating are understood
  - A single solution for comprehensive risk assessments of: 1) your company, 2) 3rd parties and 3) 4th parties
Risk Management Recommendations
- Companies should have comprehensive 3rd party risk management programs that do not rely on their partners for all validation of their ability to safely handle your data. Companies are expected to do what they can reasonably do to ensure the security of their 3rd