The global, interconnected network of enterprises and third party vendors working together has allowed for increased efficiency and reduced cost across multiple industries and business areas. At the same time, and especially after the COVID-19 pandemic, it has created new risks and challenges in protecting sensitive and confidential information shared with third parties.
We outline seven risks to data in the new normal and dive into how best practices in third party risk management (TPRM) can reduce these risks.
7 risks to data and how to stay ahead
1. Companies are often unaware that their third parties have had a data breach or cyber attack involving their sensitive and confidential information.
Public announcements and victim notification requirements vary state by state, and some companies fail to give proper notice to their customers. As part of a comprehensive third party risk management strategy, it’s important to:
- Ensure your third party vendors will take all necessary prevention and control measures against data breaches as part of your initial assessment
- Ensure they will notify you in a timely manner in case of a data breach
- Monitor on an ongoing basis if they are maintaining their security posture
To complement your proactive approach, you can use sources like The Privacy Rights Clearinghouse, Have I Been Pwned or BreachAlarm, or full services like HackNotice to stay up to date with publicly announced breaches.
2. Companies are not able to determine the number of third parties with access to their confidential information and how many of them are sharing this data with one or more fourth parties.
Fourth party risk is a whole other chapter in a holistic TPRM strategy (read more here), but these are the minimum controls you need to implement:
- Catalog all your vendors across all your business units
- Then map which vendors have access to critical data and how; this might need a business case so that legal, procurement and security teams work together on it
3. There is a lack of visibility over third parties’ data safeguards, security policies and procedures and if their security posture is sufficient to respond to a data breach or cyber attack.
To make sure you’re covering all fronts, do the following:
- Start with a basic categorization of your third party vendors according to their level of criticality and types of data that they will handle
- Request security attestations or certificates apart from questionnaires, especially for critical vendors
- Decide which set of requirements is needed depending on their category
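The cataloguing, fourth-party mapping and criticality tiering described in risks 2 and 3 can be driven from a single vendor inventory. The following is an added example, not code from the original article or from any TPRM product: it takes a constructed inventory of direct vendors, walks each vendor's declared subprocessors to find every fourth party that can end up holding your data (terminating on cycles and on parties you only know by name), assigns a tier from the data classes that reach each party, and maps the tier to an assessment requirement. The vendor names, the set of data classes treated as critical and the tier-to-requirement mapping are all assumptions made for illustration.

```python
"""Vendor inventory mapping: which direct and fourth parties can hold which
data classes, and what assessment tier that implies.
Hypothetical example; vendor names and policy choices are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data classes treated as critical (assumed policy, not from the article).
CRITICAL_DATA = {"PII", "PHI", "PCI", "credentials"}

# Assessment requirements per tier (assumed mapping of the article's advice).
TIER_REQUIREMENTS = {
    1: ["full questionnaire", "SOC 2 / ISO 27001 attestation", "continuous monitoring"],
    2: ["SIG Lite questionnaire", "annual review"],
    3: ["basic self-attestation"],
}


@dataclass
class Vendor:
    name: str
    business_unit: str
    data_types: Set[str] = field(default_factory=set)        # data we send this vendor directly
    subprocessors: List[str] = field(default_factory=list)   # parties it shares data with


def map_data_exposure(inventory: Dict[str, Vendor]) -> Dict[str, Set[str]]:
    """Worst-case map of every party (direct vendor or downstream) to the data
    classes that can reach it. Assumes a vendor may pass everything it holds to
    each subprocessor. Cycles and diamonds terminate because exposure sets only grow."""
    exposure: Dict[str, Set[str]] = {}
    work = [(name, set(v.data_types)) for name, v in inventory.items()]
    while work:
        name, data = work.pop()
        held = exposure.setdefault(name, set())
        if data <= held:
            continue  # nothing new for this party
        held |= data
        vendor = inventory.get(name)
        if vendor is None:
            continue  # fourth/Nth party known only by name: recorded, not traversed
        for sub in vendor.subprocessors:
            work.append((sub, set(held)))
    return exposure


def fourth_parties(inventory: Dict[str, Vendor],
                   exposure: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Parties that can receive our data but are not catalogued as direct vendors."""
    return {n: d for n, d in exposure.items() if n not in inventory}


def assign_tier(data: Set[str]) -> int:
    """Tier 1: any critical data class; Tier 2: other company data; Tier 3: no data."""
    if data & CRITICAL_DATA:
        return 1
    if data:
        return 2
    return 3


def assessment_plan(inventory: Dict[str, Vendor]) -> Dict[str, dict]:
    """Per party: whether it is a direct vendor, what data reaches it, its tier,
    and the assessment requirements that tier implies."""
    plan = {}
    for name, data in map_data_exposure(inventory).items():
        tier = assign_tier(data)
        plan[name] = {
            "direct": name in inventory,
            "data": sorted(data),
            "tier": tier,
            "requirements": TIER_REQUIREMENTS[tier],
        }
    return plan


# Constructed sample inventory.
INVENTORY = {v.name: v for v in [
    Vendor("PayrollCo", "HR", {"PII", "financial"}, ["CloudHostA", "MailerX"]),
    Vendor("MailerX", "Marketing", {"marketing_lists"}, ["CloudHostA", "AnalyticsY"]),
    Vendor("AnalyticsY", "Marketing", {"usage_metrics"}, ["MailerX"]),  # cycle with MailerX
    Vendor("SwagShop", "Marketing"),  # receives no company data
]}

if __name__ == "__main__":
    for name, entry in sorted(assessment_plan(INVENTORY).items(), key=lambda kv: kv[1]["tier"]):
        kind = "direct" if entry["direct"] else "fourth party"
        print(f"Tier {entry['tier']} {name:<11} ({kind}): {entry['data']} -> {entry['requirements']}")
```

Two things the inventory alone does not show fall out of the traversal: MailerX only receives marketing lists directly but is Tier 1 once the PII flowing from PayrollCo is followed, and CloudHostA never appears as a direct vendor yet ends up holding everything, which is exactly the fourth-party exposure the minimum controls are meant to surface.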
4. A lack of resources makes it difficult for organizations to have a robust vendor management program to manage Nth party relationships.
The journey towards TPRM maturity is not complete yet. In many cases the problem is an organizational process one: teams need scalable technology that gives insight into Nth party relationships and reduces manual, repetitive tasks.
5. Accountability for the correct handling of an organization’s third-party risk management program is often decentralized. Similarly, no one department or function is responsible for ensuring that appropriate privacy and security language is included in all vendor contracts.
In some organizations there is no dedicated TPRM team, so the risk accountability is shared among multiple areas or business owners. To stay ahead, ensure there’s a process in place to assess vendor risk across appropriate parties and that it has baseline standards.
A standard questionnaire, such as SIG Lite, can help you understand what kind of risks the vendor poses and subsequently, what your risk experts should be made aware of when engaging with a new vendor. This is the first step in accountability, and needs to be followed with building a centralized process for third party risk management.
6. Senior leadership and boards of directors need to be involved and on board with third-party risk management.
We’ve already gathered some tips for building your TPRM business case. Your next step is to find a simple, quantified way of explaining the risk of vendors to the board using business impact and inherent risk ratings.
Read More: Quantifying Third Party Risk
Another key argument is how regulation, such as the New York legislation, holds board members accountable for understanding and reinforcing cybersecurity.
7. Companies need to rely on continuous audits and assessments instead of contractual agreements to evaluate the security and privacy practices of third party vendors.
Third party risk management does not end at due diligence and the initial assessment. A lot of things can happen after a contract with a vendor is signed and you need to constantly reassess their security posture based on your risk standards.
A good way to do this is by bringing in external controls, such as security ratings: data-driven, dynamic measurements of a vendor’s cybersecurity performance that can serve as KPIs to track any shifts in their security posture. This will always be better than a single point-in-time questionnaire.
To solve these issues, ThirdPartyTrust reduces redundancies in the vendor management process by inviting enterprises and vendors to an online B2B network. Customers across different industries use our platform to gain insight into third and fourth party risk, reduce the number of security questionnaires and map their digital vendor ecosystem.
Download Guide: How the Network Approach Streamlines TPRM