Posted on Feb 20, 2018
Third-party technology providers can confer huge strategic advantages to a business. It allows each organization to focus on their highest value activities. But new cyber security risks come with these partnerships. Third party risk is now an integral part of business ecosystems. A solid risk management framework is required.
More than a quarter of business and technology executives do not know how many cyber security attacks they have suffered in total and a third do not know how they occurred.
Establishing a risk assessment framework is the first critical step an organization can take in order to decrease risk and increase security. The risk assessment should not only be a part of an organization’s internal process, but should also include supply chain and third parties.
Third parties consist of an organization’s vendors, suppliers, business channels, marketing partners, and so on. The choice of a third party risk management framework should be based on the companies’ structures and risk profiles, because no two companies are the same.
The US Federal Office of the Comptroller of the Currency puts it succinctly in its guidance for banks and savings associations:
“[An organization] should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.”
As the FFIEC notes in its Supervision of Technology Service Providers guidance, using partners in your business processes “does not diminish the responsibility of […] management to ensure that the activities are conducted in a safe and sound manner […] just as if the institution were to perform the activities in-house.”
In other words, a proper third party risk management framework is not a ‘nice to have’. It’s required to limit liability. And liability is a real issue. Deloitte provides an example in its Third Party Risk Governance & Management white paper:
“A non-US headquartered multinational company, with interests in electricity generation and transmission as well as rail transport, was fined US$ 772 million in December 2014 for engaging in conduct in violation of the Foreign Corrupt Practices Act (FCPA). This has mainly resulted from the inappropriate conduct of third parties and ineffective due diligence and corporate controls over such third parties.”
The most popular risk management frameworks are the NIST and the ISO frameworks, both of which can be used in tandem and encourage organizations to assess risks and implement controls based on its needs.
There are several best practices for any risk management framework:
A solid third party risk management framework protects an organization's clients, employees, and the strength of their operations. Properly managing cyber security risks can reduce costs allowing an organization to operate at a greater efficiency with quality third party partnerships that can radically change an organization for the better.
Third party risk management frameworks provide standards across the organization, streamlining and focusing on third parties posing the greatest risks. Ultimately this saves money, whether by reducing and eliminating of fines and liabilities, or by protecting reputation and brand perception.
At an administrative level, managing third party relationships can become a cumbersome task. As a result, many organizations have opted to use intelligent tools that leverage existing data on cyber security risk in order to implement their third party IT risk management processes.
Platforms such as SecurityScorecard’s cyber security ratings help identify and prioritize third party cyber risks. Trusted by the world’s leading brands, Security Scorecard can help you strengthen your risk management framework, reduce risks and increase compliance.
Vendor management is the process an organization utilizes to assess and manage a third- or fourth-party vendor. Learn how SecurityScorecard can help.
Performing cybersecurity risk assessments is a key part of any organization’s information security management program. Read our guide.
Templates and vendor evaluations are needed to level that playing field, in a time efficient and fair way, so that the best vendors are chosen.
Co-founder and CEO, Alex Yampolskiy, speaks about the importance of measuring and acting on key indicators of cybersecurity risk.
You can’t manage what you can’t measure. Check out our list of the top 20 cybersecurity KPIs to track in 2021.
No waiting, 100% Free
Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.