Third party risk management: A getting started guide

For some, the idea of starting a comprehensive third party risk management program might seem like the ultimate task on some obsessive-compulsive bucket list. After all, most organizations today have dozens, if not hundreds … and often thousands … of third party vendor relationships. Just where, and how, would one even begin such a process?

But, as the saying goes, you’re only as strong as the weakest link in your chain. And that makes it critical to know just how strong the security defenses are for every one of those links. Your data security could easily be dependent on some other organization’s due diligence.

As evidence, consider a 2017 study by the Audit Committee Leadership Network, which surveyed nearly 400 private and public organizations and found that two-thirds have 5,000-plus third party relationships. And for some organizations, those third party vendors can be the open back door for hackers wanting to gain entrance.

A recent example is Airbus SE, which announced in September that it has taken new steps to guard its systems against cyber-attacks through the computer systems of subcontractors. Earlier this year, hackers targeted two of the firm’s suppliers – Rolls-Royce Holdings Plc and Expleo – in attempts to infiltrate employee personal information at Airbus SE.

With cybersecurity threats and awareness both on the rise, information security pros are facing greater pressure to make all systems and networks even more secure, to compensate for any shortcomings on the part of suppliers and partners. And they’re most often being asked to do it with a shortage of resources and manpower. All of which makes a strong third party risk management program vital.

5 phases of a successful third-party risk management program

In terms of the actual program, IT security pros can adapt the Third Party Risk Management Guidelines established in 2017 by the U.S. Office of the Comptroller of the Currency. These guidelines are intended for any risk management program, but apply equally well for a cybersecurity program.

Phase 1: Planning. Plans are developed to manage relationships with third party vendors.

Phase 2: Due diligence and third party selection. The organization conducts due diligence on all potential third parties before entering into contracts or relationships.

Phase 3: Contract negotiation. Legal counsel reviews all contract proposals.

Phase 4: Monitoring. Third party relationships are periodically reviewed.

Phase 5: Termination and contingency planning. Steps can be taken in the event of contract default, breach or termination.

TPRM takes a village

Increased cybersecurity protection doesn’t happen in a vacuum, and that includes a successful third party risk management program. As was noted by the sources contacted for this article, an effective TPRM program is dependent on everyone in the organization following established protocols. Remember, most supplier and partner relationships were initiated by business units, and the relationships are managed by them.

 “When the decision has been made to engage a vendor or third party, that’s when they come to my organization, to determine whether a security assessment is required on that vendor based on the nature of the relationship,” says Siobhan Hunter, director of IT governance, risk and compliance at Blue Cross Blue Shield of North Carolina

The key here is that the risk management group is brought into the picture up front, and that the vendor relationship does not take off until it has been cleared to do so. Clearance depends on each vendor providing evidence to the organization that they are doing everything in their power to follow cybersecurity best practices.

Trust but verify

Of course, not every vendor that an organization does business with requires the same level of security scrutiny. The first steps in establishing a TPRM program is to identify all of the business relationships that the organization has, and then assess each vendor on the organizational impact if they fell victim to a cyber breach.

Delta Dental uses a tiering system to categorize vendors by potential organizational impact. Those vendors that represent the greatest impact if they are breached are placed in Tier 1; those with slightly less impact in Tier 2, etc. But, like all organizations, Delta Dental doesn’t have an unlimited budget for cybersecurity, so it must determine “acceptable risk” in categorizing every partner.

“You don’t want more than 10 percent of your vendor population to be in Tier 1,” explains Kay Naidu, director of cyber risk assurance at Delta Dental of California. “If you have unlimited resources, you could literally hire 100 people – each one to focus their time on end-to-end assessments of third parties. But we don’t have that. We have five people on the team.”

Following a period of process refinement, Naidu says that Delta Dental settled based its tier system on the number of protected health information records that a vendor touches. Any vendor touching 500 or more records is categorized as Tier 1, and they move down the ladder depending on the type and amount of confidential information they are able to access.

How to reveal the greatest risks

Phani Dasari agrees that client information should top the list of criteria used in categorizing vendors for a TPRM program. As vice president of global third party risk management at ADP, Dasari says there are a few basic questions that quickly determine if a vendor should be categorized as top risk:

• “Are they touching my money?”
• “Are they touching my data?”
• “Are they touching my systems?”
• “If their systems go down, will my systems go down?”

“These are the kinds of things that you have to manage,” Dasari says. “If you have those kinds of vendors as partners, then you have to have a program that makes sure you have not taken on any unintentional risk with the relationship.”

Like at Delta Dental, Sadasi says the creation of a third party risk management program at ADP was a long journey – three years to be exact. Complicating the process was the General Data Protection Regulation (GDPR), which took effect last year and added new requirements for ensuring data safety and privacy.

Follow the money

Probably the biggest factor in how long this journey takes is the sheer number of third party vendors that an organization has to sort through.

“Many companies are struggling with getting an accurate listing of all of the companies are that they do business with and what is the nature of their engagement,” Hunter explains. “If you don’t know who all of your vendors are, or that information is not accurate, it’s very hard for you to perform and conduct a comprehensive third party risk program.”

All sources agree that at the very least, a good place to start is looking at your firm’s accounts payable.

“For many companies, the only way they know [all the vendors they work with] is by looking at their accounts payable and who they received invoices from. It is not a great way for you to have a handle on your vendor base, but it’s a start,” Hunter says.

Then, create some form of repository that maintains your vendor profiles, including their name, industry, products or services they offer, primary contacts and the type of engagement you have with them.

“I don’t need to assess a vendor that is mowing my lawn for security risk. I do need to assess a vendor for security risk if they are logging onto my systems and accessing restricted information,” Hunter continues. “You can’t treat everyone the same. You need to be able to customize and understand the profile of each vendor.”

Not all security risks are created equal

Once third party vendors and partners have been identified, they must be assessed for potential cyber risk. Many organizations have used a series of questionnaires or audits for this step, but there are a growing number of vendor scoring tools on the market that can aid in the process.

All of the sources for this article say their organizations have used a series of question-and-answer surveys to build initial profiles of vendors, and they use them for ongoing management of their programs. Ongoing management of the process is critical to identify any changes at the vendor that could impact your cyber security preparedness.

“Other than the data that we get through our assessments, we have a great threat intelligence team and they alert us if they see any unusual activity at one of our vendors,” Naidu explains. “We may not have them on our schedule to review for the next three months, but we’ll say, ‘hey, it looks like something has happened over there, so let’s meet with them immediately.’”

Breaking up shouldn’t be hard to do

Successful third party risk management involves a great deal of trust between the organization and each vendor, and how each vendor reacts to being profiled and monitored can be as varied as each relationship itself.

Like any relationship, conditions can change over time, and attitudes about commitment can waver.

 “It’s a partnership, in the sense that it should be transparent when it comes to security risk and managing that with the vendor,” Hunter says. “We’re up front with our processes and the remedial activity that’s needed. If we see significant concerns, we work with the vendor with the expectation that they will remediate. If they don’t, or they’re not willing to, that’s a decision that our company has to make as to whether we can work with them.”