7 Risks to Data in the Third Party Vendor Ecosystem

Published by Sabrina Pagnotta on July 20, 2021
Categories: Blog
Tags: Cybersecurity, TPRM Best Practices

The global, interconnected network of enterprises and third party vendors working together has increased efficiency and reduced cost across many industries and business areas. At the same time, and especially since the COVID-19 pandemic, it has created new risks and challenges in protecting the sensitive and confidential information shared with third parties.

We outline seven risks to data in the new normal and dive into how best practices in third party risk management (TPRM) can reduce these risks.

7 risks to data and how to stay ahead

1. Companies are often unaware that their third parties have had a data breach or cyber attack involving their sensitive and confidential information.

Breach notification requirements vary by jurisdiction (in the US, state by state), and some companies fail to give proper notice to their customers. As part of a comprehensive third party risk management strategy, it is important to:

  • Ensure your third party vendors will take all necessary prevention and control measures against data breaches as part of your initial assessment
  • Ensure they will notify you in a timely manner in case of a data breach
  • Monitor on an ongoing basis if they are maintaining their security posture

To complement your proactive approach, you can use sources like The Privacy Rights Clearinghouse, Have I Been Pwned or BreachAlarm, or full services like HackNotice to stay up to date with publicly announced breaches.
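The following script is an added example, not code from ThirdPartyTrust or from any of the breach sources named above. It shows what "staying up to date with publicly announced breaches" looks like when automated against a vendor inventory: each breach record is matched to the vendor that owns the breached domain (subdomains included), records reviewed in an earlier run are skipped, and critical vendors or breaches exposing sensitive data classes are routed to an immediate reassessment. The vendor inventory and the breach records are constructed; the record fields (Name, Domain, BreachDate, AddedDate, DataClasses) are assumed to mirror the shape of the public Have I Been Pwned breach catalogue, and a real run would replace the embedded JSON with that feed.

```python
"""Match publicly announced breaches against a third party vendor inventory.

Added example, not ThirdPartyTrust code. The vendor inventory and breach
records are constructed; the record shape (Name, Domain, BreachDate,
AddedDate, DataClasses) is an assumption modelled on a public breach catalogue.
"""
import json

# Constructed vendor inventory: vendor name -> domains it operates and its tier.
VENDORS = {
    "Acme Payroll": {"domains": {"acmepayroll.example"}, "tier": "critical"},
    "Bluebird CRM": {"domains": {"bluebird.example", "app.bluebird.example"}, "tier": "high"},
    "Lunch Perks": {"domains": {"lunchperks.example"}, "tier": "low"},
}

# Constructed breach records (assumed catalogue shape); in production this is the feed.
SAMPLE_BREACHES_JSON = json.dumps([
    {"Name": "AcmePayroll", "Domain": "acmepayroll.example", "BreachDate": "2021-05-02",
     "AddedDate": "2021-06-15T10:00:00Z",
     "DataClasses": ["Email addresses", "Bank account numbers", "Passwords"]},
    {"Name": "Bluebird", "Domain": "app.bluebird.example", "BreachDate": "2020-11-20",
     "AddedDate": "2020-12-01T08:30:00Z", "DataClasses": ["Email addresses", "Names"]},
    {"Name": "SomeForum", "Domain": "someforum.example", "BreachDate": "2021-01-10",
     "AddedDate": "2021-02-01T00:00:00Z", "DataClasses": ["Usernames"]},
])

# Data classes that trigger an out-of-cycle reassessment regardless of vendor tier.
SENSITIVE_CLASSES = {"Passwords", "Bank account numbers", "Social security numbers",
                     "Credit cards", "Security questions and answers"}


def index_by_domain(vendors):
    """Map every listed domain (lower-cased) to the vendor that owns it."""
    return {d.lower(): name for name, v in vendors.items() for d in v["domains"]}


def owner_of(domain, domain_index):
    """Return the vendor owning `domain`, walking up labels so subdomains match."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domain_index:
            return domain_index[candidate]
    return None


def match_breaches(breaches_json, vendors, since):
    """Return breaches added after ISO date `since` that touch an inventoried vendor.

    Each finding carries a recommended action: critical-tier vendors and breaches
    exposing sensitive classes get an immediate reassessment; the rest get a
    check that the contractual breach notification actually arrived.
    """
    domain_index = index_by_domain(vendors)
    findings = []
    for b in json.loads(breaches_json):
        if b["AddedDate"][:10] <= since:      # ISO dates compare lexicographically
            continue                          # already reviewed in a previous run
        vendor = owner_of(b.get("Domain") or "", domain_index)
        if vendor is None:
            continue                          # breach does not involve our vendors
        exposed = set(b.get("DataClasses", []))
        urgent = vendors[vendor]["tier"] == "critical" or bool(exposed & SENSITIVE_CLASSES)
        findings.append({
            "vendor": vendor,
            "breach": b["Name"],
            "breach_date": b["BreachDate"],
            "sensitive_classes": sorted(exposed & SENSITIVE_CLASSES),
            "action": "reassess now" if urgent else "confirm notification received",
        })
    return findings


if __name__ == "__main__":
    for finding in match_breaches(SAMPLE_BREACHES_JSON, VENDORS, since="2021-01-01"):
        print(finding)
```

Run it daily with `since` set to the previous run's date; anything it returns that the vendor has not already told you about is itself a finding, because risk 1 is precisely the gap between a public announcement and a contractual notification.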


2. Companies are not able to determine the number of third parties with access to their confidential information and how many of them are sharing this data with one or more fourth parties.

Fourth party risk is a whole other chapter in a holistic TPRM strategy, but these are the minimum controls you need to implement:

  • Catalog all your vendors across all your business units
  • Then map which vendors have access to critical data, and how; this may require a business case so that legal, procurement and security teams work together on it

3. There is a lack of visibility over third parties’ data safeguards, security policies and procedures, and whether their security posture is sufficient to respond to a data breach or cyber attack.

To make sure you’re covering all fronts, do the following:

  • Start with a basic categorization of your third party vendors according to their level of criticality and types of data that they will handle
  • Request security attestations or certificates in addition to questionnaires, especially for critical vendors
  • Decide which set of requirements is needed depending on their category
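Risks 2 and 3 together describe one data model: an inventory of who receives which data, the onward flows to fourth parties, and a categorization that decides what evidence to request. The script below is an added example (not ThirdPartyTrust code) that builds that model and answers the two questions the text raises: which fourth parties end up holding a given class of data, and what tier and evidence set each party, direct or not, should get. The inventory, the onward-sharing edges, the tier rules and the evidence lists are all constructed assumptions. The traversal propagates only data the upstream party actually holds, and it tolerates cycles (a fourth party that is also a supplier to one of your third parties), which a naive recursive walk would not.

```python
"""Map which third and fourth parties can reach which data, then tier them.

Added example, not ThirdPartyTrust code. The inventory, data-flow edges,
tiering rules and evidence lists are constructed assumptions.
"""
from collections import deque

# Constructed: data classes shared directly with each third party.
DIRECT_SHARING = {
    "Acme Payroll": {"PII", "bank"},
    "Bluebird CRM": {"PII"},
    "Lunch Perks": {"email"},
}

# Constructed: who each party passes data on to (its fourth parties) and which
# classes that onward flow carries.
ONWARD_SHARING = {
    "Acme Payroll": {"CloudHost A": {"PII", "bank"}, "Print Co": {"PII"}},
    "Bluebird CRM": {"CloudHost A": {"PII"}, "Analytics X": {"PII"}},
    "Analytics X": {"CloudHost B": {"PII"}},
    "Print Co": {"Bluebird CRM": {"PII"}},   # a cycle; traversal must not loop
}

# Constructed tiering rule: the most sensitive class handled sets the tier.
TIER_BY_CLASS = {"bank": "critical", "PII": "high", "email": "low"}
TIER_RANK = {"critical": 3, "high": 2, "low": 1, "none": 0}

# Constructed evidence requirements per tier (risk 3's "set of requirements").
EVIDENCE_BY_TIER = {
    "critical": ["SOC 2 Type II or ISO 27001 certificate", "full questionnaire",
                 "pen test summary", "breach notification SLA in contract"],
    "high": ["SOC 2 Type II or ISO 27001 certificate", "lite questionnaire",
             "breach notification SLA in contract"],
    "low": ["lite questionnaire"],
    "none": [],
}


def exposure_map(direct, onward):
    """Return {party: set of data classes it can reach}, fourth parties included.

    Data flows along an edge only if the upstream party actually holds it, so a
    downstream party's exposure is the intersection of the supplier's holdings
    and what the edge forwards. Reach sets only ever grow and a party is
    re-queued only when it gains something new, so cycles terminate.
    """
    reach = {p: set(classes) for p, classes in direct.items()}
    queue = deque(direct)
    while queue:
        upstream = queue.popleft()
        for downstream, forwarded in onward.get(upstream, {}).items():
            gained = reach[upstream] & forwarded
            before = reach.get(downstream, set())
            if not gained - before:
                continue                      # nothing new reaches this party
            reach[downstream] = before | gained
            queue.append(downstream)
    return reach


def tier_of(classes):
    """Highest tier implied by any class in `classes`; unknown classes count as low."""
    best = "none"
    for c in classes:
        t = TIER_BY_CLASS.get(c, "low")
        if TIER_RANK[t] > TIER_RANK[best]:
            best = t
    return best


def assessment_plan(direct, onward):
    """For every party: reachable data, tier, relationship and evidence to request.

    Fourth parties are labelled so the requirements can be flowed down through
    the contract with the upstream vendor rather than requested directly.
    """
    plan = {}
    for party, classes in exposure_map(direct, onward).items():
        tier = tier_of(classes)
        plan[party] = {
            "data": sorted(classes),
            "tier": tier,
            "relationship": "third party" if party in direct else "fourth party",
            "evidence": list(EVIDENCE_BY_TIER[tier]),
        }
    return plan


def fourth_parties_with(data_class, direct, onward):
    """Risk 2's question: which fourth parties end up holding `data_class`?"""
    return sorted(p for p, c in exposure_map(direct, onward).items()
                  if data_class in c and p not in direct)


if __name__ == "__main__":
    for party, row in sorted(assessment_plan(DIRECT_SHARING, ONWARD_SHARING).items()):
        print(party, row)
    print("fourth parties holding bank data:",
          fourth_parties_with("bank", DIRECT_SHARING, ONWARD_SHARING))
```

The point of deriving the tier from reachable data rather than assigning it by hand is that a hosting provider you never contracted with ("CloudHost A" above) comes out as critical because bank data reaches it through a vendor, which is exactly the relationship a business-unit-by-business-unit catalog misses.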


4. A lack of resources makes it difficult for organizations to have a robust vendor management program to manage Nth party relationships.

Most organizations have not yet reached TPRM maturity. In many cases the underlying problem is organizational process; scalable technology that gives insight into Nth party relationships and reduces manual, repetitive tasks would help, but it cannot substitute for a defined process.

Download Guide: Building a scalable TPRM Process Without Adding Bodies to the Process


5. Accountability for the correct handling of an organization’s third-party risk management program is often decentralized. Similarly, no one department or function is responsible for ensuring that appropriate privacy and security language is included in all vendor contracts.

In some organizations there is no dedicated TPRM team, so accountability for the risk is shared among multiple areas or business owners. To stay ahead, ensure there is a process for assessing vendor risk that involves the appropriate parties and sets baseline standards.

A standard questionnaire, such as SIG Lite, can help you understand what kind of risks a vendor poses and, in turn, what your risk experts should be made aware of when engaging with a new vendor. This is the first step in accountability, and it must be followed by building a centralized process for third party risk management.

Read More: How to Think Your TPRM Program from a Governance Perspective


6. Senior leadership and boards of directors need to be involved and onboard with third-party risk management.

We’ve already gathered some tips for building your TPRM business case. Your next step is to find a simple, quantified way of explaining the risk of vendors to the board using business impact and inherent risk ratings.

Read More: Quantifying Third Party Risk

Another key argument is that regulation, such as the New York legislation, holds board members accountable for understanding and overseeing cybersecurity.

7. Companies need to rely on continuous audits and assessments, rather than on contractual agreements alone, to evaluate the security and privacy practices of third party vendors.

Third party risk management does not end at due diligence and the initial assessment. A lot of things can happen after a contract with a vendor is signed and you need to constantly reassess their security posture based on your risk standards.

A good way to do this is by bringing in external controls, such as security ratings: data-driven, dynamic measurements of a vendor’s cybersecurity performance that can serve as KPIs to track shifts in their security posture. This is always more informative than a single point-in-time questionnaire. Keep in mind that ratings are outside-in measurements of a vendor’s internet-facing footprint, so they complement, rather than replace, evidence of the internal controls the questionnaire and attestations cover.
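Using ratings as a KPI means deciding, in code, what counts as a shift worth acting on. The script below is an added example (not ThirdPartyTrust code and not any ratings provider's API): it classifies each vendor's rating history against a per-tier policy, distinguishing a breach of the minimum acceptable rating, a confirmed sharp drop from the recent peak, and a slow erosion that no single day would flag, while ignoring a one-day blip that a scanner hiccup can produce. The rating series, the 0-100 scale, the tiers and the thresholds are constructed assumptions.

```python
"""Turn security ratings into KPIs: flag vendors whose posture has shifted.

Added example, not ThirdPartyTrust code. The rating histories, the 0-100
scale, the tiers and the thresholds are constructed assumptions; a real run
reads the series from the ratings provider and uses that provider's scale.
"""

# Constructed daily rating history per vendor, oldest first (higher is better).
RATINGS = {
    "Acme Payroll": [88, 87, 88, 86, 85, 84, 72, 70, 69, 68],   # drops and stays down
    "Bluebird CRM": [91, 90, 92, 91, 90, 91, 92, 90, 91, 92],   # stable
    "Lunch Perks": [62, 60, 59, 58, 57, 56, 55, 54, 53, 52],    # slow erosion
    "Print Co": [80, 80, 79, 65, 81, 80, 80, 80, 80, 79],       # one-day blip only
}

# Constructed thresholds: `floor` is the minimum acceptable rating for the tier,
# `drop` is the fall from the recent peak that warrants a look.
POLICY = {
    "critical": {"floor": 80, "drop": 10},
    "high": {"floor": 70, "drop": 10},
    "low": {"floor": 50, "drop": 15},
}
TIERS = {"Acme Payroll": "critical", "Bluebird CRM": "high",
         "Lunch Perks": "low", "Print Co": "high"}


def evaluate(series, policy, window=7, confirm=2):
    """Classify one vendor's rating history.

    Returns one of:
      "breach_floor"  the latest `confirm` readings are all below the floor
      "sharp_drop"    the latest `confirm` readings are all at least `drop`
                      below the peak of the preceding `window` readings
      "eroding"       no single alert, but the reading `window` days ago is at
                      least drop/2 above the latest one (slow decline)
      "stable"        nothing to act on
    Requiring `confirm` consecutive readings suppresses one-day scanner blips.
    """
    if len(series) < window + confirm:
        raise ValueError("not enough history for the configured window")
    latest = series[-confirm:]
    history = series[-(window + confirm):-confirm]
    peak = max(history)
    if all(r < policy["floor"] for r in latest):
        return "breach_floor"
    if all(peak - r >= policy["drop"] for r in latest):
        return "sharp_drop"
    if history[0] - series[-1] >= policy["drop"] / 2:
        return "eroding"
    return "stable"


def reassessment_queue(ratings, tiers, policy_by_tier):
    """Return (vendor, status) pairs needing action, most urgent first."""
    urgency = {"breach_floor": 0, "sharp_drop": 1, "eroding": 2}
    queue = []
    for vendor, series in ratings.items():
        status = evaluate(series, policy_by_tier[tiers[vendor]])
        if status != "stable":
            queue.append((urgency[status], vendor, status))
    return [(vendor, status) for _, vendor, status in sorted(queue)]


if __name__ == "__main__":
    for vendor, status in reassessment_queue(RATINGS, TIERS, POLICY):
        print(f"{vendor}: {status}")
```

Each status maps naturally onto a TPRM action: a floor breach or sharp drop opens an out-of-cycle reassessment with the vendor, while an erosion finding is the cue to ask what changed before it becomes a contractual conversation.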

Getting Ahead

To solve these issues, ThirdPartyTrust reduces redundancies in the vendor management process by inviting enterprises and vendors to an online B2B network. Customers across different industries use our platform to gain insight into third and fourth party risk, reduce the number of security questionnaires and map their digital vendor ecosystem.

Download Guide: How the Network Approach Streamlines TPRM

To learn more about how ThirdPartyTrust can help you manage third party risk, request your free trial now:


Trial Account Sign-Up
Sabrina Pagnotta, Sr. Content Strategist