Whether you’re answering a steady stream of cybersecurity questions or asking your own suppliers to answer them, these documents have probably become a significant part of your job in the last year. The recent flood of cyber attacks has motivated most organizations to elevate third-party risk management to a top priority in 2021.
But even if the concept just appeared on many radar screens, it’s not a new issue. Every business of the past had to decide whether critical partners (from those supplying raw materials to those delivering finished goods) could reliably fulfill their contracts and protect what was entrusted to them. But the challenge has grown massively more complex with increasing integration and sharing of critical data. Government regulations raise the bar even more with breach notification laws and other rules that can make a vendor’s security problem a legal liability for everyone in the chain.
So proactive companies are quickly spinning up ways to get proof that every partner handles data securely. At this year’s Secure Iowa Conference, Julie Gaiaschi, CEO & Co-Founder of the Third Party Risk Association reviewed the latest best practices in this quickly developing area. This post highlights top takeaways from her talk.
Julie Gaiaschi, CEO & Co-Founder, Third Party Risk Association
Julie Gaiaschi, CISA, CISM, is the CEO & Co-Founder of the Third Party Risk Association (TPRA). She has over 14 years of technology and information security risk experience, with the last 10 years specializing in third party risk. In her role as CEO, she provides strategic direction for the non-profit, whose mission it is to further the third party risk profession through knowledge sharing and networking. She also has a passion for helping others enhance their own third party risk management programs.
Prior to co-founding the TPRA, Julie consulted on third party risk for a large bank. She also developed and led a large health payer organization’s Third Party Security program. There, she established and executed the third party risk assessment process, which included integration into the Procurement process. Prior to her role as the leader over Third Party Security, Julie was a Senior IT Auditor.
Forces Driving Change in Third-Party Risk Management
Julie highlighted several areas demanding fresh thinking about managing risk:
- Increasingly complex threats – Everyone knows breaches are up dramatically this year, and many of the attacks are coming through third parties via software supply chain attacks such as the Kaseya breach in July 2021. That means your vendors’ security policies are, to a large extent, becoming your problem to manage.
- Expanded reliance on third parties – It’s tempting to think that sending your data to a cloud vendor ensures someone else will take care of security for you. But Julie notes that, “Your cloud partner may provide the controls, but it’s up to you to turn those controls on properly.” Many businesses are also seeing increased exposure from heavy use of e-commerce shopping carts and payment processing.
- New momentum for digital transformation projects – New tools such as smart predictive analysis, AI, and business process reengineering all enhance operations, but they also present a fresh set of risks to manage.
- Additional regulatory scrutiny – State and federal laws continue to ramp up requirements for managing security and reporting breaches.
Best Practices to Remember
To effectively keep up with these changes, Julie recommends a third-party risk management program built on these five elements:
As she walked through each of these core areas, Julie provided the following tips:
- Look for hidden contracts at your company – Compiling a list of your existing contracts can be a tall order, especially since there are probably many you won’t even think of. Julie says, “When you go through the contract review stage, you may realize you have people in your organization that are clicking buttons as they do their work, which means they are often entering into contracts and don’t even know it.”
- Visit your vendors – When you’re reviewing the security posture of key suppliers, take time to go see them. On-site visits provide essential insight into how your vendors are actually implementing what they wrote on paper. Plus, personal visits build relationships that will make your partners more inclined to spend time providing detailed answers to your questions in the future.
- Get a voice in the contract review process – “You need a seat at the table with the team that drafts and reviews contracts,” Julie says. “You need to know the kinds of controls that need to be put into contracts, and you can suggest the kinds of alternative controls you can use if they don’t agree to your terms.” Someone with an eye for risk management can also help write contracts that include triggers related to changes in a vendor’s situation. If a supplier makes a big change such as adding an offshore location, changing owners, or changing data handling systems, your contract may need to specify adjustments.
- Join the business continuity/disaster response team – Your organization’s plans for recovering from data disasters have to account for your third-party relationships. Make a point of building relationships with the BC/DR crowd so that you can have a say in what goes into the plans.
- Check the exact scope of reports you receive – Reports from SOC 2 auditors and penetration testers provide valuable insight into a system’s policies and defenses. But the reports help you only if they cover the areas you’re interested in. Read the scoping information carefully before agreeing that these reports will be sufficient.
- Don’t overlook disengagement – Unless you want to be held hostage in a contract, you should be planning how to minimize the impact if it makes business sense to part ways with a given partner. Your disengagement plan should address issues such as ensuring all your data is returned or destroyed—and that you can validate that vendors did what they claimed.
- Show leadership why your work matters – While the value you’re adding each week may be obvious to you, it probably isn’t to leaders who haven’t given this area much thought in the past. “If you’re starting this effort from scratch, you need metrics and reporting that show the value you’re adding,” Julie says. “Make sure they’re appropriate to the audience you’re talking to, whether those are executives, board members or a steering committee.”
You can download a copy of Julie’s full presentation here. You’ll get details such as 13 essential inherent risk questions to ask your vendors.
If you need help reviewing your third-party risk or handling questions from your customers, contact Pratum for a free consultation.