The shift from office-based work to working from home that characterized 2020’s adaptation to COVID-19 lockdowns, has seen soaring digital risks stemming from mishandled third-party risk management.
This at a time where reliance on third-party service providers is so pervasive that the Institute of Collaborative Working estimates that up to 80 percent of direct and indirect operating costs of a business can come from third parties, and up to 100 percent of a company’s revenue from alliance partners, franchisees and sales agents.
Yet, Opinion Matters’ “Global Insights: Supply Chain Cyber Risk–Managing Cyber Risk Across the Extended Vendor Ecosystem” research, published last November, indicates that out of over 1500 CISOs, CIOs, and Chief Procurement Officers from USA, UK, Singapore, Switzerland, and Mexico surveyed:
- 77% have limited visibility around their third-party vendors
- 2.7 is the average number of breaches experienced in the past 12 months
- 80% have suffered a third-party related breach in the past 12 months
Despite this, only 22.5% monitor their entire supply chain.
In 2020, third-party risk management flaws led to an epidemy of successful attacks, spanning all industries. Such attacks include:
March 20, 2020 – A third-party data breach of the London-based bank technology solution Finestra exposed the protected banking information of customers and sent employees home in the thousands as a result of the security breach.
July 28, 2020 – A third-party data breach of the US digital bank, Dave exposed the protected banking information of over seven million customers.
NorthShore University HealthSystem
September 9, 2020 – A third-party data breach of the Chicago-based healthcare system, NorthShore University HealthSystem exposed the protected health information of 348,000 medical patients.
Children’s Hospitals and Clinics of Minnesota
September 16, 2020 – Notifications were sent about a third-party data breach that exposed over 160,000 patient records of Children’s Hospitals and Clinics of Minnesota.
Warner Music Group
September 29, 2020 – A three-months-long Magecart on Warner Music Group (WMG) was revealed. Worryingly, the leaked data of an undisclosed number of customers included payment card details such as card numbers, CVC/CVV, and expiration dates.
Fragomen, Del Rey, Bernsen & Loewy
October 27, 2020 – Fragomen, Del Rey, Bernsen & Loewy, the immigration law firm responsible for representing Google, announced that a third party gained access to an undisclosed number of employee Form I9’s.
November 14, 2020 – Over 27 million Texas citizens’ personal and driver’s license data were exposed through a third-party breach of the insurance software firm Vertafore.
Unfortunately, this is far from an exhaustive list. These examples merely illustrate that the range of industries targeted is wide and varied.
Third-Party Risk Management Compliance
Even in the absence of a successful breach, failure to adequately assess third-party risks may be costly, as exemplified by last October’s $60 million fine imposed on Morgan Stanley, by the Office of the Comptroller of the Currency. The consent order stated that, in 2016, the bank “failed to adequately assess the risk of using third party vendors, including subcontractors,” and in 2019, it “experienced similar vendor management control deficiencies in connection with the decommissioning of wide area application services devices.”
Preventing such fines requires compliance with an ever-growing number of regulations, including CaCPA, PCI, NIST, ISO, SIG, HIPAA, and GDPR.
In addition to risking fines for non-compliance, improperly managed third party risks open the door to damage suits. On March 15, 2021, the National Law Review stipulated that “data breach class actions where the data at issue were exposed and improperly accessed by unrelated third parties” could potentially “expose businesses and governments to an increased risk of data privacy and data breach class actions.”
Information security relates to all measures taken to preserve the confidentiality, integrity, and availability of data, information, and operating systems.
Improving your organization’s security posture requires tightening not only the on-premise security infrastructure, but also factoring in third-party vendor risk management, including:
Data privacy risk
Mitigating privacy risks requires meeting standards exceeding the existing compliance requirements in a specific area as the regulatory compliance landscape is constantly evolving.
The latest US privacy law regulation map published by the IAAP (International Association of Privacy Professionals) provides a visual illustration of the rapidly expanding privacy regulations.
With the combination of increased third-party risks and greater complexity of compliance requirements, it is no wonder that “52% of legal and compliance leaders are concerned about third-party cyber risks due to remote work since COVID-19.”(Gartner)
Third-party risk management should also cover vetting the vendor’s own security posture. Aside from being a potential vector of attack to your organization, external vendors also provide services necessary to run your service or business.
If your vendor system shuts down following a successful cyberattack, it might catastrophically impact your own business.
For your clients and customers, news that your organization has been breached decreases their trust in your brand. The breach might have originated from an external vendor, but it does nothing to protect your brand’s name for users, clients, and customers.
Even without a breach, third-party vendors are invisible to your users, so their poor performance is attributed to your brand.
Checking vendors’ reliability, ability to scale and provide continuous, uninterrupted services with consistent quality is an integral part of the selection process.
Aside from the financial risk pertaining to a vendor breach or operational flaws, sound third-party vendor risk management needs to consider their service cost fluctuations, in case of increased or decreased demands to avoid unexpected cost rise.
So when wondering why third-party risk management is on you, keep in mind that:
- Your organization is legally responsible for monitoring vendors’ compliance and data security privacy and security management, making your organization liable for their flawed risk management.
- A breach in your vendor security infrastructure might generate legal, punitive, operational, and reputational costs for your organization if their breach leaks into your system.
- A flaw in their ability to provide service might impact your operational continuity with the ensuing cost of loss of business.
Any of the above occurrences might negatively affect your brand’s reputation.
- As the purpose of monitoring third-party cyber and compliance soundness is to prevent any of this. So, when selecting vendors, it is a rational policy to establish contingency plans.