Benefits (and Risks) Associated with Third-Party Risk Assessments
Why (the risk exists)?
In today’s economy, most enterprises rely on one or more third-party vendors to handle some part of the business. This is especially evident in small to medium-sized businesses, where the business is focused on producing a product or providing a service. Many businesses cannot afford to hire, train, and retain the specialized talent and infrastructure needed to handle, for example, credit card processing, payroll, recruiting, or information security and risk management. Additionally, many companies of all sizes and across all industries outsource customer relations management systems (CRM), enterprise management systems (ERM), or IT helpdesks. Each of these business functions handles Personally Identifiable Information (PII), Intellectual Property (IP), or some other form of Non-Public Information (NPI).
What (exactly is the risk)?
There are many risks associated with using a third-party vendor to handle parts of the business; however, at least three are evident and worth elaborating on:
- As mentioned above, in many cases, third-party vendors handle, process, and store customers’ personal information, which needs to be properly protected, both in transit and in storage.
- Some third-party vendors are critical enough that without them the daily operations, production of products or services would be impaired or halted, resulting in direct monetary loss and potential reputation damage.
- Additionally, third-party vendors are an attack vector that attackers increasingly use to gain unauthorized access to partner companies.
Further, in certain industries, there is a risk of not conforming to regulatory requirements. For instance, Third-Party Risk Assessment is a requirement in certain regulations such as 23 NYCRR 500 (NYDFS Cybersecurity Requirements for Financial Services Companies), Maine Insurance Data Security Act, and HIPAA/HITECH. This risk assessment is specifically designed to identify, assess, and prioritize risks directly associated with conducting business with a major third-party vendor.
What (can you do about it)?
Companies can choose to vet vendors’ security during the selection process, at the same time as evaluating whether the vendor can fulfill all business requirements or assessing the vendor’s financial fitness. It is critical not to overlook the security assessment before signing on a new vendor, as it is much more difficult to impose security requirements on an existing third-party vendor. However, many companies have long-standing third-party contracts from a time when security was not emphasized as much as it is today. In this case, security should be raised during contract renewal, or periodically as required by the internal cybersecurity program, and the relevant security requirements clearly communicated.
In all cases, companies can choose to conduct third-party risk assessments to gain a better understanding of their third-party vendors’ security posture.
It is also important to have a clearly defined risk appetite. The National Institute of Standards and Technology (NIST) defines risk appetite as “the types and amount of risk, on a broad level, [an organization] is willing to accept in its pursuit of value.” Only the company’s board of directors or leadership can assess whether the risk appetite is aligned with the organization’s strategy.
How (can you assess the risk)?
The purpose of a third-party risk assessment is to determine a third-party vendor’s ability to assess, manage, and mitigate IT risk; remediate vulnerabilities; and protect its own and its partners’ information and systems from cyber threats. This can be achieved through an inspection of the vendor’s cybersecurity program and practices, documentation review, questionnaires, and personnel interviews.
Steps for a successful third-party risk assessment include:
- Communicate with your third-party vendor why the risk assessment is being conducted.
- Identify inherent risks associated with the third-party vendor.
- Evaluate the controls in place that address these risks.
- Assess residual risk against your company’s risk appetite.
- Communicate with your third-party vendor if any of the risks fall outside your risk tolerance, and work with the vendor on a plan to align its security practices with your company’s requirements.
What (if the risk is too great)?
Knowledge is power. Imagine for a moment that you are responsible for selecting a new third-party vendor that will handle your company’s entire CRM system. Surely, you’ll do your research and send a request for information (RFI) to the top vendors in the field. Some of these vendors will receive a request for proposal (RFP), and a fraction will receive a request for quote (RFQ). Along the way, you will work with the business units to understand the business requirements, service level agreements, and licensing, and to negotiate the contract. Finally, after months of hard work, when everyone agrees on one vendor, your security team discovers that the proposed vendor has very poor security practices, has been breached a number of times, and its software engineering team has no defined Software Development Life Cycle (SDLC). Wouldn’t you prefer to have this information at the beginning of the vendor selection process? Probably!
However, in cases where risk is identified and it lies within your company’s risk tolerance, this is a great opportunity to take the soon-to-be vendor for a test drive and see how you can arrive together at a remediation plan to address the shortcomings. If the vendor is unwilling or unable to work with you on the remediation plan, you are probably in luck and can avoid a challenging business relationship.
How (can you get help)?
Third-party risk assessments can be as in-depth as needed, depending on company resources, the business relationship with the third-party vendor, and many other factors. Companies can conduct third-party risk assessments using internal staff or a trusted partner, or choose a hybrid model in which they hire a trusted assessment vendor but use their own internal staff to interact with the third-party vendor, leveraging the internal staff’s knowledge of the relationship and the assessment vendor’s experience.
For more information, please contact Pawel Wilczynski, or your BNN advisor.
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.