Security risks come in all shapes and sizes and affect all manner of companies. For small businesses, like a local computer repair shop, security is important, but requires only a small-scale operation. In contrast, large corporations, like many banks, turn to third-party contracts to better delegate resources and improve efficiency. However, implementing and maintaining security measures for external companies is challenging. Managing them takes significant time and human resources, as well as organization. Learn about third-party risk management regulations and guidelines with our complete guide below.
What is Third-Party Management?
GRC 20/20 Research defines third-party management as a capability that enables organizations to reliably achieve objectives, address uncertainty, and act with integrity in and across third-party relationships. The business world no longer functions on the concept of independence; rather, it requires interconnectedness. For example, companies have vendor relationships, suppliers, contractors, etc., that affect daily business operations. Even more importantly, many companies now face the task of cooperating beyond national borders. The 21st century is an age of globalization, and third parties are key to that globalization. Being able to manage the level of risk from third-party relationships, such as through vendor management, is important in protecting and securing your organization and avoiding breaches and reputational risks.
Why Third-Party Breaches Are So Problematic
According to DarkReading, third-party breaches result in the highest damages. In other words, when data leaves an organization (due to a breach) companies face steeper obstacles to recovery. Targeted attacks, compromised infrastructure, and cloud computing are three top vulnerabilities for third parties. Subsequently, the companies hiring such third parties are also at risk.
Additionally, if a company is in a transition or expansion phase, vulnerabilities may increase. For example, a company may transition from one platform to another and hire a third party to store data while the work is in progress. Attackers may then target supply chains because when data is in transit, it is vulnerable.
Each new vendor, contractor, or other relationship expands the potential for a security breach. However, due to the interconnectedness of technology and society, it is simply not feasible to consider forgoing third-party contracts on the basis of security concerns alone. To mitigate the risk, proper vetting and management of third parties is key.
Why Is Management Important?
Third-party management isn’t just about monitoring third parties for cybersecurity weaknesses and providing compliance advisory services, although such concerns are important. Third-party risk management includes a whole host of other aspects such as ethical business practices, corruption, environmental impact, and safety procedures, to name a few. How third parties operate can directly impact the reputation of the company hiring them.
What are the Risks?
The term risk is sometimes thrown around without clearly defining how companies can be affected. The financial services industry often utilizes third parties. Consequently, the U.S. Federal Deposit Insurance Corporation (FDIC) published guidelines for third-party management, including 7 risk classifications. These categories, while directed at financial institutions, offer insight for all companies considering third-party management. For further information and guidance, refer to our third-party cyber risk assessment checklist.
Strategic Risk – This kind of risk focuses on aligning business goals with third-party involvement. Are third-party contracts assisting in the strategic goals of the company as a whole, or do they provide only menial tasks? In other words, do the benefits of the third party outweigh the added security risk?
Reputational Risk – Make sure third parties possess good customer service and show a dedication to protecting customer confidentiality. Institutions should seek third parties that politely respond to customers, make informed recommendations, and follow the specific industry guidelines when it comes to consumer privacy. If these requirements are not met, companies face the possibility of negative publicity and reputation risk at the hands of a third party.
Operational Risk – Integrating third parties into company systems increases operational complexity. If the internal processes of the third party are not secure, the operations of integrated systems become more vulnerable, particularly if more than one third party is integrated.
Transactional Risk – Transactional risk refers to vulnerabilities during product delivery. Are third parties able to deliver as expected? A company should have contingency plans in place in the event a third party cannot deliver. Likewise, controls over the technology/devices involved in third-party transactions should be monitored.
Credit Risk – It is important to verify the third party is on firm financial ground. The overall consideration is whether the third party is able to fulfill its financial obligations and contractual agreements.
Compliance Risk – Third parties must abide by the laws, regulations, and ethical considerations of the industry in which they work. For example, maintaining customer privacy and following marketing restrictions fall under this category. Any entity hiring a third party should include a “right to audit” in the contract to ensure compliance with the applicable laws and regulations.
Other Risk – This simply refers to the unique risks that arise due to the differences of each company and third party. Drafting a list of potential threats, prior to signing a contract, will assist in covering all the bases when it comes to third-party management.
Ranking the Risks
Like most risk mitigation plans, a sound strategy involves categorizing the threats by priority. In terms of third parties, the goal is to determine which third-party relationship is riskiest. Follow these simple steps to get started.
First, set up a diverse team, including people from different departments. For example, the insights provided by a financial analyst will be different from that of an Information Technology professional.
Next, outline the initial risk assessment plan(s) and to which entity the plan(s) relate. While there may be one general approach for minimizing third-party risk, plans can also be tweaked to accommodate each contractor involved.
Then, list out the priority concerns. Is operational security more important than reputational security? Or is financial risk the top concern? When weighing the risks, consider the impact and likelihood of occurrence. These factors will serve as criteria for creating a weighted or tiered priority list. Some experts also recommend utilizing a vendor survey to help categorize third parties into the previously created risk tiers.
Finally, allocate resources based on the categorization of third parties.
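The four steps above amount to a scoring procedure: rate each relationship on impact and likelihood for every risk category, weight the categories according to the team's priorities, and sort vendors into tiers that drive resource allocation. The following is an added worked example, not code from the original article or from RSI Security; it uses the seven FDIC risk categories named earlier, and every vendor name, rating, weight, tier threshold and review cadence in it is constructed sample data that a real team would replace with its own survey results and priorities.

```python
"""Weighted third-party risk tiering (added illustration; all data constructed).

Each vendor is rated 1..5 for impact and 1..5 for likelihood in each of the
seven FDIC categories. Category weights encode the team's priority ranking,
the weighted impact x likelihood score places the vendor in a tier, and the
tier decides how often the relationship is reviewed.
"""
from dataclasses import dataclass

CATEGORIES = ("strategic", "reputational", "operational", "transactional",
              "credit", "compliance", "other")

# Constructed priority weights (this hypothetical team ranked operational and
# compliance risk highest). They must cover every category and sum to 1.
WEIGHTS = {
    "strategic": 0.10, "reputational": 0.15, "operational": 0.25,
    "transactional": 0.10, "credit": 0.05, "compliance": 0.25, "other": 0.10,
}

# Tier thresholds on the weighted 1..25 scale, highest first (constructed).
TIERS = (("critical", 15.0), ("high", 10.0), ("medium", 5.0), ("low", 0.0))

# Resource allocation policy per tier: days between formal reviews (constructed).
REVIEW_CADENCE_DAYS = {"critical": 90, "high": 180, "medium": 365, "low": 730}


@dataclass(frozen=True)
class Rating:
    impact: int      # 1 (negligible) .. 5 (severe)
    likelihood: int  # 1 (rare) .. 5 (almost certain)

    def score(self) -> int:
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be in 1..5")
        return self.impact * self.likelihood


def validate_weights(weights):
    """Reject weight tables that omit a category or do not sum to 1."""
    if set(weights) != set(CATEGORIES):
        raise ValueError("weights must cover exactly the seven categories")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")


def weighted_score(ratings, weights=WEIGHTS):
    """Weighted sum of impact x likelihood across all categories."""
    validate_weights(weights)
    missing = set(CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for: {sorted(missing)}")
    return sum(weights[c] * ratings[c].score() for c in CATEGORIES)


def tier_for(score):
    for name, threshold in TIERS:
        if score >= threshold:
            return name
    return "low"


def rank_vendors(vendors, weights=WEIGHTS):
    """Return (vendor, score, tier, review_days) tuples, riskiest first."""
    ranked = []
    for name, ratings in vendors.items():
        s = weighted_score(ratings, weights)
        tier = tier_for(s)
        ranked.append((name, round(s, 2), tier, REVIEW_CADENCE_DAYS[tier]))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed vendor survey results for three hypothetical relationships.
SAMPLE_VENDORS = {
    "cloud-storage-vendor": {
        "strategic": Rating(4, 3), "reputational": Rating(4, 2),
        "operational": Rating(5, 4), "transactional": Rating(3, 2),
        "credit": Rating(2, 1), "compliance": Rating(5, 3), "other": Rating(2, 2),
    },
    "office-cleaning-contractor": {
        "strategic": Rating(1, 1), "reputational": Rating(2, 1),
        "operational": Rating(1, 1), "transactional": Rating(1, 1),
        "credit": Rating(1, 1), "compliance": Rating(1, 1), "other": Rating(1, 2),
    },
    "payment-processor": {
        "strategic": Rating(5, 4), "reputational": Rating(5, 3),
        "operational": Rating(5, 4), "transactional": Rating(5, 4),
        "credit": Rating(4, 2), "compliance": Rating(5, 4), "other": Rating(3, 3),
    },
}

if __name__ == "__main__":
    for name, score, tier, days in rank_vendors(SAMPLE_VENDORS):
        print(f"{name:28s} score={score:6.2f} tier={tier:8s} review every {days} days")
```

The weights are the artefact of the "list out the priority concerns" step: changing them (for example, raising reputational risk for a consumer-facing brand) re-ranks the vendors without touching the survey data, which keeps the team's judgement separate from the facts gathered about each vendor.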
Two Ways to Avoid Third-Party Failures
1. Allocate resources properly.
Having departments or positions solely dedicated to managing third-party interactions will help ensure third-party breaches do not fall through the cracks. Large companies will likely operate with numerous third parties, each of which may fall under the purview of a different set of regulations.
Employees with multiple tasks, in addition to ensuring third-party compliance, will find it difficult to stay abreast of all the changes in different regulations. One method of tackling this issue is to have a security team solely designated to third-party compliance, with each member covering a different aspect of security (e.g., compliance, security procedures, etc.). However, before implementing any such plan, first take stock of which departments are currently involved in third-party operations.
The goal is to improve efficiency and avoid oversight redundancy, while still maintaining an acceptable level of third-party management.
2. Define expectations.
An easy mistake is to make assumptions about how a third party will go about a task. However, collaboration and clear communication will help improve efficiency and help guarantee the end product is what was initially desired.
Defining expectations and documenting details or changes as a project progresses will also assist when audits take place. This will avoid any discrepancies if a third party attempts to manipulate contract details.
Furthermore, it’s recommended that companies include a “right-to-audit” clause in any contract. This enables the hiring entity to conduct an audit of the third party, checking to see if the signed contract is actually being followed. Such a clause also allows companies to assess whether new clauses need to be added to the contract in the future.
Lastly, make sure any plans for subcontracting (by the contractor) are addressed. Sometimes, contractors subcontract without properly alerting the entity that hired them, resulting in unknown security threats.
Third-Party Management Best Practices
Before working with a third party, it’s important to do some research on the company and make sure that your entity has guidelines and risk management practices in place to avoid security breaches. TechTarget recommends four considerations when getting started.
- Create a standard method for remote access. Each vendor may use a different service, tool, or method for network access. However, if they all use different methods, it becomes difficult for internal management to keep track of what company is using what, much less make sure each third party remains on top of security regulations. Consequently, a company should outline several preferred methods for remote access and convey these to potential third-party partners in the service-level agreements.
- Monitor access by third-party vendors. Even if a vendor agrees to a certain remote access method, mistakes may happen. Web filters and next-generation firewalls offer security options, like blacklisting, for preventing unauthorized network access. Additionally, there are management tools available for identifying remote access software installed on company computers and removing it. The University of California Irvine offers a basic checklist for taking inventory of authorized and unauthorized software. It specifies measures that should be required, recommended, and optional. SANS Institute also offers a more comprehensive guide for implementing security controls.
- Review and segment network access. It is a best practice to keep vendor access in a firewalled environment, separate from other company property. Containing third-party access to only the necessary network environment will mitigate damages in the event that a vendor’s network is compromised.
- Include security compliance in contracts. As mentioned above, details are key, especially when it comes to contracts.
- Do some research. The vendor offering the lowest cost may not be the best choice. Examine the vendor’s past record, risk profile, and dedication to the proposed task.
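The first two considerations fit together: once the approved remote access methods are written into each vendor's service-level agreement, a software inventory can be checked against that agreement to find remote access tools that were never approved. The following is an added example, not code from the original article, from RSI Security, TechTarget, UCI or SANS. It assumes an endpoint inventory tool that exports "host,vendor,package" rows (the CSV below is constructed) and an SLA table listing, per vendor, the remote access packages that vendor agreed to use; all vendor and package names are constructed placeholders.

```python
"""Flag remote-access software not covered by a vendor's SLA (added illustration).

All vendor names, package names and inventory rows are constructed; in practice
the SLA table comes from contract records and the inventory from an endpoint
management tool.
"""
import csv
import io

# Packages this hypothetical organisation classifies as remote-access software.
REMOTE_ACCESS_PACKAGES = {
    "corp-vpn-client", "jump-host-agent", "screen-share-tool", "legacy-dialin-agent",
}

# Remote access methods each vendor agreed to in its service-level agreement.
SLA_APPROVED = {
    "vendor-a": {"corp-vpn-client"},
    "vendor-b": {"jump-host-agent"},
}

# Constructed inventory export: which vendor-managed host has which package.
INVENTORY_CSV = """host,vendor,package
srv-01,vendor-a,corp-vpn-client
srv-01,vendor-a,office-suite
srv-02,vendor-a,screen-share-tool
srv-03,vendor-b,jump-host-agent
srv-03,vendor-b,corp-vpn-client
srv-04,vendor-c,legacy-dialin-agent
"""


def audit_inventory(csv_text, approved=SLA_APPROVED, remote=REMOTE_ACCESS_PACKAGES):
    """Return one finding per remote-access package that no SLA authorises.

    Non-remote-access packages are ignored; a vendor with no SLA entry at all is
    reported separately from a vendor using a method other than the agreed one.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pkg = row["package"]
        if pkg not in remote:
            continue  # not remote-access software; outside this check's scope
        vendor = row["vendor"]
        if vendor not in approved:
            findings.append({**row, "reason": "vendor has no SLA-approved access method"})
        elif pkg not in approved[vendor]:
            findings.append({**row, "reason": "package not in vendor's approved methods"})
    return findings


def summarize_by_vendor(findings):
    """Count findings per vendor so each relationship owner can follow up."""
    counts = {}
    for f in findings:
        counts[f["vendor"]] = counts.get(f["vendor"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_inventory(INVENTORY_CSV)
    for f in results:
        print(f"{f['host']}: {f['vendor']} runs {f['package']} ({f['reason']})")
    print("findings per vendor:", summarize_by_vendor(results))
```

Running the check on the constructed inventory reports three findings: an approved vendor using a second, unapproved tool on one host, an approved vendor whose agreed method is present alongside an extra one, and a vendor with no agreement at all. The per-vendor summary is the hand-off to whoever manages that relationship, which is the point of the dedicated-team structure described earlier.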
What is EERM?
Yes, there are risks to working with third parties, but there are just as many benefits if the management process is done right. An Extended Enterprise Risk Management (EERM) program examines third-party risk from both broad and specific angles. This system enables entities to capitalize on third-party value in addition to protecting assets. EERM is a decentralized management model that takes a holistic approach. The risk management program is designed to reduce management silos that inhibit productivity within a third-party relationship. For example, business objectives and risk management may overlap, but if the security team does not properly communicate with other departments, ideas may be lost and productivity undermined.
Four cornerstones support the EERM model.
- The first, strategy and management, encourages entities to design a strategy for dealing with third parties before entering into any agreements. Furthermore, any such strategy should take into account potential pitfalls of third-party relationships and outline methods to communicate between compliance auditors, business executives, and security teams.
- Secondly, consider the people involved. Third parties involve relationships, in addition to compliance and regulations. As noted above, it’s prudent to have designated individuals for each aspect of a third-party relationship. This will assist in fostering respectful communication, which often results in better products and end results.
- Thirdly, strive to achieve effective, not just acceptable, management. This means standardizing risk management throughout an entity, communicating between departments, and holding third parties accountable to contracts. These steps will help improve strategy viability and operational efficiency.
- Lastly, remember that technology is your friend when it comes to monitoring and management. For example, monitoring new technology and practices for risk management will help entities maintain an effective management plan (the third cornerstone). Rather than using technology that simply gets the job done, try and find the most efficient, most applicable tools for your entity.
Benefits of Effective Management
- Transparency – By laying out clear risk management guidelines and expectations before signing a contract with a vendor, companies will be able to better complete tasks in allotted timelines. Additionally, having adequate records smooths the auditing process. Having this transparency also means that customer transparency improves. If a customer raises concerns, well-organized companies will quickly be able to identify if the issue is third-party related or an internal issue.
- Efficiency – Using third parties can enable entities to better allocate resources. For example, a design studio may outsource security, or a coffee company may outsource roasting. There are numerous occasions where partnering with other entities allows for greater innovation by letting those with more knowledge in one area help fill a knowledge, time, or financial gap at another company.
- Reduced Costs – Outsourcing minimizes costs in that only one department/team needs to be created rather than several different departments. Going back to the design studio example, instead of hiring numerous individuals and investing in technology for security monitoring, the company would only pay for the contractor and for internal oversight.
Both the entity hiring a vendor and the vendor should have insurance for certain scenarios. Prior to signing a contract, review both policies and procedures, making sure assets are protected properly. Furthermore, depending on the length of the contract, it may be necessary to review insurance policies at a later time. Plans change and, if not caught in time, uncovered events may open up an entity to liability in the future.
How to Get Started
Third-party management is a process, but if done right, it will benefit the entire company and institution. Making sure third parties abide by industry regulations will help ensure the security of your company and support your company’s internal controls. Whether you are new to third-party management or want to re-evaluate your current risk management process, RSI Security’s cybersecurity solutions and regulatory guidance can help.