Third-party risk has always been well known by security professionals. In our increasingly connected world, the third party ecosystem is an attractive vector to exploit. A successful attack or breach can result in a significant impact – financial loss, reputational damage, operational downtime, loss of sensitive information, fines, closure… the list goes on.
Sadly, these events are becoming commonplace. Recently, an organisation in the automotive sector was forced to close 14 factories in Japan after a supplier of plastic parts and electrical components suffered a cyber-attack. Another automotive organisation stored unsecured data with a cloud vendor, which led to the personal information of 3.3 million customers and potential buyers being exposed.
A survey by Gartner revealed that 89% of companies experienced a supplier security risk event within the last 5 years. According to the European Union Agency for Cybersecurity, supplier attacks are expected to quadruple in the next 12 months. Due to our reliance on third parties, it is no longer enough to secure your own organisation; it’s essential to manage and evaluate the risk of third parties through monitoring and protecting against breaches in your supply chain.
Organisations must be well organised to manage third party security risk. It is essential to:
- Get the basics right – cyber hygiene and basic security fundamentals must be aligned to industry best practice and a cyber-safe culture
- Use a risk based approach – prioritise resources in line with an enterprise risk management framework
- Define a clear governance framework – define roles and responsibilities for procurement, cyber security, legal and any other teams involved in the end-to-end lifecycle of a third party
- Be data driven – reporting must enable the fast identification of high-risk third parties or key risk areas that require attention
- Utilise automated tooling – platforms must operate with minimal human intervention for consistency and efficiency.
What Makes For A Strong TPRM Framework?
A successful third party risk management (TPRM) framework should contain the following phases:
A foundational element of a TPRM framework is a central repository (a ‘single source of truth’) of all third parties – this will require collaboration with all business units or departments to ensure they are included. This should include key information about the relationship, such as the service provided, as well as key contact information and a classification.
Organisations do not have unlimited resources or budgets, so prioritisation is key. Third parties must be classified (Tier 1, 2 and 3, etc.) according to the inherent risk that they pose to the organisation. This should be performed in conjunction with the relationship owner.
A classification schema will inform the frequency of assessments, number and type of controls assessed (e.g. additional regulatory controls) and an acceptable target score.
A TPRM questionnaire, aligned to an industry-recognised framework, should incorporate all relevant regulatory requirements, such as SOC2, ISO 27001/2, NIST CSF, PCI-DSS, CSA CCM and GDPR. Bridewell utilises a Cyber Mesh Framework that incorporates all of the necessary frameworks to ensure consistency, efficiency and ease of reporting. Regular automated assessments minimise the end-to-end timeframe, lower the risk of human error and are far less resource intensive.
Analysis of the responses should provide a result (e.g. high, medium or low) that illustrates the level of maturity for each control, together with an overall score for the third party. These scores then indicate the priority for remediation.
The overall risk score is indicative of the importance and urgency of remedial action or controls. Third parties classified as high tier or identified as high risk should be prioritised for remedial action. Organisations can further enhance the prioritisation of remediation activity by combining these scores with current threat intelligence feeds.
To demonstrate the value of a TPRM framework in reducing cyber risk, actionable, data-driven reporting must exist that visualises key metrics and trends and highlights the current risk position.
The cyber security industry and the threat landscape are constantly changing, as are the services and technology used by third parties. Organisations should continuously evolve their approach, benefiting from automation and new technologies, mapping current threats and incident data to results from technical testing, and adapting contractual agreements.
The management of supply chain or third party risk is too often thought of as a compliance or tick-box exercise, or as something that can be outsourced to transfer the risk, with no real tangible action to reduce the risk exposure. As organisations' relationships with third parties become even more complex and intertwined, together with the increasing financial pressures of the current economic climate, the risk is increasing exponentially. If organisations do not take action soon, third party risk will become the top risk and the biggest topic of conversation at every board meeting.