
What Your Banker Can Teach Your CISO About Third-Party Risk

source link: https://medium.com/slalom-technology/what-your-banker-can-teach-your-ciso-about-third-party-risk-aad8000973f6


Businesses of all types are increasingly becoming intertwined with their business partners from a data, operational, and financial perspective. This interconnectedness drives a variety of third-party risks. Third-party risk is the risk a business accepts, mitigates, transfers, or rejects when working with any partner/supplier. Third-party risk management (TPRM) is a formal process for managing the risk created by partners/suppliers. Insurance is one of the most basic third-party mechanisms to transfer risk. It has been around for millennia and was seen in ancient Rome, China, and Babylon. The goal of TPRM is to minimize the occurrence and impact of the risk an organization takes on when engaging with a third party.

Third-Party Risk in Cybersecurity

Third-party risk management is a critical component of cybersecurity management. When an organization enters a relationship with a partner/supplier in which the partner has access to critical data, significant risk is involved. A common attack is for bad actors (e.g., criminals, state actors, and hacktivists) to infiltrate an organization through a less secure partner (e.g., Target and SolarWinds). While many organizations are aware of and make efforts to comply with third-party risk requirements (e.g., HIPAA), third-party cybersecurity risk management as an organizational, technical, and business function is still new for many organizations.

Third-party risk is no longer a risk that any organization can ignore

Third-party risk is your organization’s responsibility; no SLA or insurance will completely indemnify your organization from the mistakes made by your partners — not in the eyes of regulators and definitely not in the eyes of your customers. Based on the number of applications and solutions that have been designed for third-party risk management in the last few years (including large players like Archer and emerging players like findings.co), cybersecurity professionals are beginning to actively manage their third-party risk.

Learning from Banking

In the banking industry, bankers must understand every action a business partner performs with the bank’s and, in turn, its customers’ money. Similarly, in the field of cybersecurity, security professionals must understand all activities associated with their critical data. The banking industry has developed a deep understanding of third-party risk. It therefore provides an excellent analogue for cybersecurity when identifying what you should look at when assessing a potential partner.

In October of 2021, the Federal Deposit Insurance Corporation (FDIC) and the Department of the Treasury’s Office of the Comptroller of the Currency (OCC) released the following guidance on risk management for third-party risk: Proposed Interagency Guidance on Third-Party Relationships: Risk Management. This guidance distills the collective understanding of third-party risk gained from hundreds of years of banking, and it provides a framework for assessing third-party risk.

Third-Party Due Diligence

The FDIC’s guidance on third parties includes a set of due diligence topics to help users assess the risk of a potential partner. These topics are as relevant to cybersecurity organizations as they are to the banking industry. Below are highlights from the 16 due diligence topics from the FDIC guidance and suggested questions to assess this risk when entering into third-party relationships.

Examine legal and regulatory compliance capabilities.

Does the third party have the right regulatory authority to perform an activity? Does it have the capabilities to meet regulatory requirements? Does it have experience both complying with regulations and documenting its compliance? Some regulations require that organizations demonstrate that the third party has the required controls in place.

Examine the risk management strategy.

Does the third party have risk management procedures in place across risk domains, including financial, operational, reputational, etc.?

· Do they have business continuity plans or disaster recovery plans?

· Depending on the potential impact of data loss, can the third party demonstrate the ability to move to a failover location?

Appraise the Operational Resilience of the third party.

· Does the operational resilience plan leverage the risk management strategy (see above)?

· Are there backup locations and/or backup facilities to continue operations?

· Are there succession plans and human capital strategies?

· Does the third party develop, test, and utilize business continuity plans?

Incident reporting and management programs.

· Does the third party have the tools and processes in place to meet regulatory and industry standards? A clear example: recent regulations have introduced stricter reporting requirements for the banking system.

· Can the third party meet regulatory requirements for breach notification (breaches often have to be disclosed within 72 hours or less)?

Reliance on subcontractors.

· Does the third party have the proper processes and agreements in place to ensure that its subcontractors are held to the same cybersecurity standards as the third party itself?

· Do contracts with the third party specifically limit or allow use of customer data by subcontractors or partners of the third party?

Though some of these practices may seem extreme, we face an environment in which the financial impact of a breach is rising exponentially while the cost to the bad actor to perform the breach, in terms of time, money, and effort, is going down exponentially. Understanding third-party risk is essential for all industries, especially banking, and no corporate function is more dependent on third parties than cybersecurity. For each of these risks, an organization must decide whether it is willing to accept the risk, will require mitigation before it is willing to engage the third party, will transfer the risk (e.g., insurance), or will not accept the risk (and find another partner).

What do I do now?

Engaging your colleagues in other functions of the organization can help cybersecurity professionals develop a deeper understanding of third-party risk while giving your colleagues insight into the challenges of cybersecurity. There are opportunities for cybersecurity professionals to learn about third-party risk. Some recommendations to help your team better prepare for and mitigate third-party risk include:

· Read the FDIC guidance to learn more about third-party risk

· Inventory your critical data (e.g., customer PHI and employee PII)

· Identify those partners that have access to critical data

· Invite your CFO to lunch (maybe even a key banker your organization works with), talk about risk, and learn from each other

Slalom is a global consulting firm focused on strategy, technology, and business transformation, with expertise in cybersecurity advisory. Learn more and reach out today at www.slalom.com.

David Roggen is a cybersecurity consultant with expertise in helping clients build robust cybersecurity strategies, utilizing multiple methods (e.g., defense in depth). He focuses on developing and implementing actionable plans with metrics, deliverables, and fast turnaround.
