In today’s cybersecurity landscape, keeping data secure isn’t just about the measures that your business or organization takes to keep hackers out. With the rise of cloud computing, software-as-a-service, and other third-party vendors and services that require sensitive data sharing, cybersecurity risk is now shared across various parties, platforms, and systems. This is why a comprehensive cyber risk assessment needs to include any and all external third parties that handle sensitive, confidential, or proprietary data.
Third party risk assessments can take a variety of shapes and forms, depending on your industry and corresponding regulations or standards. Healthcare providers that share patient data will have to ensure their partners are HIPAA compliant, while a financial services firm may need to work with vendors under the PCI-DSS (or other similar) regulatory framework.
Either way, it’s critical that your company conducts a third-party security risk assessment to achieve compliance with industry standards. A well-orchestrated third-party risk assessment can protect your business ecosystem from exposure to cybersecurity gaps created by the vendors you share data with, and help you formulate a strategy moving forward.
No matter what industry you’re in, here’s our comprehensive third-party risk assessment checklist to help you begin shoring up your cyber defenses for both you and your partners.
1. Inventory Partners
The first step towards accurately assessing your third-party risk is a fairly simple one: know which vendors, partners, and associates you share critical data with. Depending on the nature of your business, you’ll be sharing data with partners that process, analyze, or store sensitive information. Double check by asking all of your staff to list any outside systems, partners, or vendors that they send data to on a regular basis, and cross-reference that with your own list.
When conducting a partner inventory, emphasize to your team that the risk of third-party data breaches is real and extremely serious. Upwards of 75% of IT professionals surveyed by the Ponemon Institute acknowledged that the cybersecurity risk of a breach from a third party is increasing. Moreover, according to a survey by Soha Systems, 63% of all data breaches can be linked either directly or indirectly to third-party access.
Once you’ve created an inventory of all partners within your ecosystem that could potentially be vulnerable to cyber breaches, establish a point of contact with each of them (in conjunction with your risk assessment partner) to begin assessing potential gaps and vulnerabilities against the appropriate compliance frameworks. Whether it be HIPAA, PCI-DSS, or NIST standards, make sure you begin working towards implementing measures that bring all parties involved up to standard.
Remember that all of the following risk areas should be included in your assessment:
- Strategic risk – Related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with your strategic goals.
- Reputational risk – Related not necessarily to critical data loss, but to negative public opinion.
- Operational risk – Related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
- Transactional risk – Related to problems with service or product delivery.
- Compliance risk – Related to violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or business standards.
Each vendor is unique and may contain a mix of each of these risks. A payment processing partner, for example, might contain transactional, operational, and compliance risks. That’s why it’s important to work with a risk management partner to help map out the types of risks associated with each vendor.
2. Prioritize Partner Risk
Next, you’ll need to prioritize vendors based on the potential risks that you, the vendor, and your risk assessment partner identify. A cloud service provider might be lower risk than, say, a legal vendor, so you’ll want to focus your efforts on those third parties that are deemed most vulnerable.
Below is a helpful framework for categorizing and prioritizing your third parties based on risk:
- Critical Risk – Partners who are critical to your operations, and whose failure or inability to deliver contracted services could result in your organization’s failure.
- High Risk – Partners who have access to customer data and have a high risk of information loss. Your organization is highly dependent on these vendors from an operational standpoint, but not necessarily mission critical.
- Medium Risk – Partners whose access to customer information is limited, or whose loss of services would be disruptive to your organization.
- Low Risk – Partners who do not have access to customer data and whose loss of services would not be disruptive to your organization.
Where each of your partners falls will greatly depend on the nature of your business, and the confidential data that you handle. In general, you want to grant access to information solely based upon legitimate business need. This is known as the Principle of Least Privilege (POLP), which is the practice of limiting partner access rights to the bare minimum necessary to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources necessary to do their jobs. Prioritizing risk in tandem with POLP will ensure that risk is minimized to the appropriate levels for each and every vendor.
3. New Vendor Vetting
As the needs of your business (and customers) evolve, so will your vendor or partner ecosystem. One of the big mistakes that organizations make is that, while they have adequate risk assessments for their current vendors, they don’t adequately vet and onboard new vendors to ensure proper cybersecurity measures are in place.
As new vendors or partners enter into agreements with you, you’ll want to clearly define the risk management vetting process. The first step in the process is getting references from past clients, to ensure they have a solid reputation. You can also use a standard risk management checklist that you provide to new partners before ever signing an agreement, to nip any obvious problems in the bud. And as above, you’ll want to perform a risk analysis to determine whether the vendor will be ranked critical, high, medium, or low risk. Document and report all onboarding processes to senior management for compliance and legal purposes.
You’ll want to focus extra effort on vendors that you deem Critical and High risk. Ask them to provide evidence of cybersecurity controls in both the contract agreement and internal documentation. This could include things like information security policies, a business continuity program, disaster recovery test results, a list of recent breaches, proof of insurance, or financial statements. Have them also provide evidence that their current security controls are effective. Your risk management partner can help where needed, with things like independent penetration testing or vulnerability scanning. New vendors may, in fact, have adequate security controls. But you’ll need to take a “trust but verify” approach so that their measures are sufficiently documented.
Moreover, you’ll want evidence that new vendors can continue to provide adequate contracted services in the event of a disaster. Have them show that they have a strong Incident Management Program, and will duly report incidents to you as required by law, regulations, and best practices. At the end of the day, your risk assessment checklist should include new vendor onboarding because you’ll want to fill in any gaps at the start of the relationship, lest they get larger and increase vulnerabilities down the road.
4. Assess Contracts & Agreements
Next, you’ll want to assess the contracts and agreements you have with your current vendors to ensure that your Critical and High-risk vendors are contractually taking the right steps to properly mitigate cyber risks. This usually includes a full, annual due diligence review conducted in conjunction with your risk management partner. For Medium-risk vendors, a due diligence review every two years is usually appropriate. That being said, some industries and regulators may require an annual review of Medium-risk vendors, so make sure to reference the appropriate regulatory frameworks and conduct due diligence reviews as required. For all others, including Low-risk vendors, an annual survey is adequate to ensure they’re managing risk appropriately.
Also, work with your legal team and risk management partner to review contract renewals for your Critical and High-risk vendors. When renewing contracts, make sure that requirements are in place that will continue to keep systems and data secure, based on regulations, best practices, and industry standards. Review all confidentiality and privacy requirements as contracts are being renewed. This includes requirements that the vendor notifies you immediately of any security breaches, cyber incidents, or new vulnerabilities that may have arisen subsequent to the previous contract. Make sure the new contract includes updated requirements for penetration and vulnerability testing, in addition to allowing you access to any and all risk management audit documents.
Having the right clauses and requirements written into your partner and vendor contracts is a critical part of third-party risk management because it puts you and your partners on the same page from a legal standpoint. Your partners will know exactly what they’re contractually obligated to do in order to better manage risk, and be aware of the consequences should they not live up to their legal obligations.
5. Continuous Review & Contingencies
Just like everything else in cybersecurity, vendor risk management is a continuous process. You and your partners will never reach a point where you’re 100 percent secure and no further measures need to be put into place. You’ll need to help your partners continuously monitor the critical systems that handle your data, and be on the lookout for new cyber threats and vulnerabilities. This is where a risk management partner can add significant value, helping you and your vendors create a roadmap for continuous review and improvement over the course of weeks, months, and years.
That being said, scenarios do arise where you might feel that one (or more) of your partners simply isn’t mitigating risk to the standard you’d like. If a vendor fails to provide adequate performance, you need to be able to quickly pivot to another vendor. This is especially true for Critical or High-risk vendors that handle the most sensitive data or provide a mission-critical service. Have a contingency or backup plan for each and every vendor in the (unlikely) event that the relationship goes south. Simply know which other vendors are in the same field and provide the same services. You don’t necessarily have to reach out or have a point of contact at your contingency vendors, but at the very least have them listed in a database for quick reference in the event of an emergency.
Closing Thoughts
So if you were previously asking yourself “exactly what is third-party risk assessment?”, by now you should have a clear picture of the steps you’ll need to take to shore up your vendor and business partner ecosystem. It’s also important to note that hackers who target third-party vendors often aren’t just seeking access to critical information in your partner’s systems. Oftentimes, they’re looking for a backdoor into your systems. This is why following our third-party risk assessment checklist is so important. Never mind the fact that under many regulatory frameworks like HIPAA and PCI-DSS, your organization may be responsible for fines or penalties for third-party cybersecurity negligence.
Make sure to inventory all of your partners, and categorize them by risk level and the sensitivity of data that they handle. When you onboard new vendors, have systems and processes in place that adequately analyze their risks and vulnerabilities to make sure the relationship gets off on the right foot. And whether it’s a new vendor contract or a current one coming up for renewal, work with your legal team and compliance/risk management partner to ensure adequate safeguards are spelled out on paper. And finally, have a continuous improvement program to make sure that your third parties stay ahead of the curve as hackers, cybercriminals, and malicious actors develop new methods of stealing sensitive data.
For more information on cyber risk assessments or cybersecurity solutions, please call RSI Security today.