Companies typically outsource to third parties to both reduce costs and access capabilities not available internally.
A “third party” is an entity or organization with which you have an agreement to deliver a product or service, either to you or to your client on behalf of the company. A third party can also be referred to as a supplier, service provider, or vendor. Third-party relationships come with multiple risks that need to be managed, including strategic, reputational, regulatory, information security, and financial risks. The economic impact of a third party can include penalties for non-compliance, supply chain disruption, security breaches, and data theft. As a matter of good governance in a digital world, companies need to establish and continually improve their third-party vendor management.
On a positive note, using third parties helps your business grow and stay competitive; however, third parties can also introduce unwanted risks to the organization, including cybersecurity, regulatory, information security, reputational, and financial risks. Third-party vendor management is the process of monitoring and managing the interactions with third-party vendors. When managing third-party risk, your vendor management needs to go beyond a one-time questionnaire or assessment of third-party risk and compliance. In an ultra-connected world, now more than ever, it is vital to take a comprehensive approach that ensures compliance with regulations, protects sensitive data, and handles disruptions effectively.
Best Practices for Third-Party Risk Management
Begin by making a list of all vendors providing products or services that have access to customer or sensitive data. At the same time, you should maintain an exhaustive inventory of all vendors. Once you have the inventory, a risk-based approach should prioritize the vendors that handle sensitive data: sort the list by the “high impact” vendors, meaning those whose breach would cause the most harm. High impact is determined by the sensitivity and the volume of the data a vendor handles. Sensitive data types include personally identifiable information (PII), cardholder data (related to PCI), and protected health information (PHI, related to HIPAA).
A risk assessment is a review of the functions, policies, and processes that an organization has in place, either internally or externally, and of the risks they introduce to the organization. A cybersecurity risk assessment typically evaluates the risk of a cyberattack or data breach, but a risk assessment can also cover compliance, operational, and competitive risk. The scope of a risk assessment varies by organization, but at its core an assessment typically covers:
- Technology protection and configuration
- Data classification and storage
- Policies and procedures
- Penetration testing and other evaluation methods
The outcome of a risk assessment is a risk rating (i.e., low, medium, high), which you can use to assess the impact. The risk impact estimates the potential losses associated with an identified risk and may require a mitigation strategy or a decision to accept the risk. Risk impact can include data breach, loss of system availability, reputational damage, etc.
Keep in mind that assessments only capture a single point in time; continuous monitoring of third-party vendors is necessary. Monitoring should include vendor audits and periodic requests for SOC reports, business continuity plans, security documentation, and disaster recovery plans.