Several organizations, lately, have made remarkable improvements in measuring and managing cyber risks present within their IT systems. However, they still struggle to extend that vigilance to third-party cyber risks, especially during events such as the ongoing COVID-19 pandemic. When instances of unexpected, potentially catastrophic events seem to be on the rise, the last thing any organization needs is to be blindsided by a cybersecurity incident—whether within its own environment or in that of their third- or fourth-party vendor, causing a supply-chain ripple effect.
Dependence on third parties cannot be circumvented in the current era and it is, in fact, continuously gaining thrust. As a result, third-party risk management (TPRM) has increasingly become an important organizational discipline and practice to gain enterprise-wide resiliency.
Outsourcing lets organizations focus on their core business objectives while onboarding third parties with specific functional expertise. However, third parties without robust cybersecurity initiatives could expose the organization to operational, regulatory, financial, and reputational risks.
Adopting a more holistic, resilient approach to TPRM will help organizations become more proactive, precautionary, and prescriptive with their cybersecurity requirements. Events, such as the COVID-19 pandemic, can have considerable impact on the entire third-party ecosystem, including vendors, suppliers, and business partners. Organizations across the world have faced supply-chain disruptions due to the COVID-19 crisis. Under these unprecedented conditions, it is paramount to verify and understand third-party risk assessment and ensure that they have capable and dependable continuity measures in place to prevent cybersecurity incidents.
Solutions to address Third-party Cybersecurity Risks
The COVID-19 crisis has underlined the need to revisit the cybersecurity requirements of third parties. Organizations must emphasize on the thorough analysis of third-party cybersecurity practices and security postures throughout the relations, not limiting it only to the third-party onboarding stage. It is vital to perform regular reviews on a predefined frequency for high-risk and medium-risk third parties for identifying cybersecurity posture and operational issues.
Here are a some measures organizations need to take in order to make the TPRM program effective to address the current scenario for minimizing organizational security threats:
- The important action is to create a robust TPRM framework by implementing the following steps:
- Design a well-rounded, repeatable, and dependable TPRM framework to minimize cybersecurity incidents. This framework is critical for delineating processes and helping businesses identify and manage risks with the TPRM team.
- In the event of an already outlined TPRM framework, the next step an organization must commence is to revalidate the existing framework to make sure it addresses and helps the organization manage risks introduced by the supply chain. It is advised to revalidate and modify as per the requirement.
- TPRM policy and procedures
- Mandatory cybersecurity requirements for the third-party environment identified during third-party on-boarding process
- Governance requirements and processes around the third-party lifecycle
- Roles and responsibilities
- The due-diligence process and criteria
- Contract review process to identify security controls for third parties
- Governance and escalation procedures
- It is vital for organizations to develop guidance programs for employees and third-party resources on the cybersecurity practices required to be followed while working from home.
- Organization must revisit and take a close look at business continuity and pandemic plans of third parties. Ideally, these documents should already be available with the organization, at least for critical suppliers. If not, these plans must be requested and reviewed thoroughly. Make sure that they meet or exceed the organization’s requirements, and verify that the plans have been tested.
- It is very important for organizations to revalidate the third-party classification criteria and parameters. Unprecedented numbers of third-party resources will continue to work from home for the foreseeable future, which may change responses to conventional risk-scoping questionnaires. This sudden shift to working from home significantly raises cyber risks to organizations and may cause the following security challenges on organizational security:
- Sensitive data can be accessed via unsafe networks
- Use of personal device for official work may compromise security
- Lapse in physical security
- Support for critical business function may not be available for the home network
- Data loss through screenshots
- It is strongly recommended that organizations use supplementary cyber risk assessment questionnaire focused at risks caused by the pandemic. The responses to these questions will help the organization identify riskier third parties.
- Has the pandemic negatively impacted operations?
- Is there a pandemic-specific plan and has it been activated?
- Is the third party monitoring their supplier, who are in turn the fourth party of the organization?
- Has the pandemic resulted in closure or limiting of the third party’s services?
- Will the third party be able to meet demand for services?
- Are third-party resources working remotely?
- Has the pandemic caused financial distress?
- Organizations must ensure due diligence and monitoring during contingencies. They may give leeway on security requirements during a pandemic, but regulations will not. The following areas will help organizations follow and execute an effective due-diligence process:
- Always maintain accurate third-party inventory
- It is essential to update and validate third-party contact details on a regular basis
- Do not overwhelm the third-party with an enormous number of questions. Instead, design or modify questionnaire per specific categories of the provided service, and the respective tier classification of the third-party
- Make sure to add stringent security controls around access control while third-party resources are working from home
- Make sure previously identified issues are closed as early as possible by working with the third party
To summarize, managing cybersecurity risks arising from third parties is a continuous process. Organizations must stay focused and vigilant during the third-party risk assessment process, especially during the current pandemic situation to ensure:
- Appropriate actions and approach are taken and followed during the third-party classification (tiering) process, considering the work-from-home situation
- Assessment questions are tailored on the service and classification of third parties
- Perform appropriate due-diligence prior to on-boarding, and during the tenure of the relation, with third parties at regular intervals
- Always be observant about the cybersecurity incidents at third parties by utilizing services such as security scorecard and BitSight
- Work with the third-party to closely identify cyber risks during the assessment process
- Enlighten the management on the identified security issues and the suggested action