Posted on Jun 11, 2019
It’s often worth it to take on some risk when it comes to your third parties — third parties are an essential part of your business ecosystem. They’re your vendors, partners, and contractors. They improve efficiency, extend your reach, and make it possible to deliver the best possible products and services, but they also bring with them a significant amount of risk.
Misconfigurations of a third-party’s cloud can lead to supply chain data breach risks. These common third-party risks can cost an organization — in reputation, legal fees, and lost revenue.
Managing your supply chain becomes increasingly difficult as you add more Software-as-a-Service (SaaS) applications to streamline business operations.
The 2019 Data Breach Investigations Report found
Ponemon’s 2018 Cost of a Data Breach report found
The data breach risks and costs often come from a control failure in the supply chain. According to Ponemon’s 2018 Data Risk in the Third-Party Ecosystem report:
That risk can be managed, however. A solid third party risk management framework will help you understand the risk you take on with your third parties and limit your liability. Here’s what you need to know when choosing a risk management framework.
Before you start the process of selecting a vendor risk management framework, you need to remember that it doesn’t matter if the fault is not your own. When a member of your extended ecosystem exposes you to risk, you are liable. Under most U.S. data protection laws, the data owner rather than the data holder is liable for breaches and exposure. The same is true under the General Data Protection Regulation (GDPR), which requires companies to track and protect the data they process, even if that data is being stored by a third party.
To minimize your liability, you must be able to prove you’ve done your due diligence. That’s where a risk management framework comes in.
A third-party risk management framework provides a set of benchmarks, policies, and standards for an entire organization, including the extended enterprise. Such a framework focuses on the third parties and the activities which pose the greatest risks to an organization
Most frameworks require an organization to do the following:
There are several risk management frameworks, however, making it difficult to choose the right one.
Not every risk management framework will work for every organization. Some frameworks are designed specifically for certain industries, while others are used in certain geographical areas. Many can be used together.
The two most widely used risk frameworks are the National Institute of Standards and Technology (NIST) and the International Standards Organization (ISO). Meanwhile, others, such as Control Objectives for Information and Related Technologies (COBIT), are often used in Europe. Some standards are used as the basis for regulations, such as the NIST 800-53, which is the foundation of many federally regulated cybersecurity requirements.
Knowing which frameworks apply to your organization depends on your industry as well as your size. Since most incorporate a risk-based approach, you need to review third-party risk, but you also may find that the requirements change based on your company’s unique needs.
In some cases, it may make sense to use more than one risk management framework in tandem with another. If you’re using more than one framework, you’ll want to make sure the frameworks you use are mapped to one another, so they’re assessing the risks and implementing controls based on your organization's needs without leaving any gaps in compliance.
The criteria you use for choosing your framework (or frameworks) will depend on your company’s specific needs. For example, if you are a healthcare organization, you need to meet the Healthcare Portability and Accountability Act (HIPAA) compliance requirements. However, if you accept payments, you also need to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.
When incorporating multiple third-party vendor risk management frameworks, you need to start with your business objectives to ensure that you choose based on the compliance requirements necessary to meeting these business goals. You’ll also want to consider the people to whom you’re accountable, such as shareholders, board members, or regulatory organizations.
The way companies look at risk is changing. According to Deloitte’s extended enterprise risk management survey, organizations are increasingly using extended enterprise risk management to “exploit the upside of risk,” using their partnerships with third parties to enhance organizational effectiveness and brand confidence, while becoming more innovative and agile.
A good third party risk management framework protects an organization's clients, employees, intellectual property, and business operations. Implementing one is not about completely eliminating risk, but knowing where the highest risk is, and managing it appropriately.
From developing questionnaires to collecting data, due diligence can be labor-intensive. To minimize the amount of administrative time spent managing third party relationships, consider a tool that automates parts of the process.
SecurityScorecard’s Atlas uses machine learning and advanced artificial intelligence to streamline the third-party risk management process. Using our platform, organizations can upload vendor responses to questionnaires. Our machine learning compares those answers to previous questionnaires and the platform’s analytics, verifying vendor responses almost immediately. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your Board of Directors with the necessary documentation to prove governance over your vendor risk management program to meet the increasingly stringent cybersecurity compliance requirements.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You’ve invested in cybersecurity, but are you tracking your efforts? Check out our list of 20 cybersecurity KPIs you should track. Read more.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.