The National Basketball Association (NBA) has begun notifying individuals that their personal data was stolen in a data breach at a third-party service provider. The NBA claims that impacted information includes names and email addresses, but no other types of personal information were accessed.
Since it is currently March Madness here in the U.S., and continuing the basketball theme, this post will review seven plays to keep your third-party risk management team from lobbing "air balls" against third-party data breach threats.
Every coach will tell you that establishing a winning culture from the beginning is essential to long-term team and organizational success. The same is true for your third-party risk management program. Start with the right foundation, including defining:
Championships are won during practice, so continually test and improve your organization’s TPRM processes to keep pace with changing threats.
Effective team building begins with drafting or trading for the right players, or signing free agents that align with your team’s culture. In third-party risk management, that means sourcing and selecting vendors that represent the least risk exposure to your company’s operations.
As part of your vendor selection process, compare and monitor important vendor risk information such as demographics, fourth-party technologies in use, ESG scores, recent business and reputational insights, data breach history, and financial performance. This will enable you to select vendors that are not only fit for purpose but also a fit for your organization’s risk appetite.
To maximize vendor performance, build measurable and enforceable key performance indicators into the vendor contract. This will make contract renewal discussions more transparent.
In the game of basketball, knowing your opponent means studying film before the game, understanding player-by-player matchups, and choosing the right starting five players to maximize your chances of a win. In third-party risk management, knowing your opponent is more difficult as they are unseen until they strike. That’s why it is essential to understand your vendor’s risk exposure to cybersecurity risks as these gaps are where the opponent will target.
Start by assessing selected third parties based on criticality or the extent of threats to their information assets by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification includes:
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further due diligence; and determine the scope of ongoing assessments and continuous monitoring.
8 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
Successful basketball teams play their game but constantly adjust their approach to improve their chances of winning. Agility is key here, and in third-party risk management that means continually assessing risks and responding to third-party vendor incidents accordingly.
Key components of an effective third-party incident response program include:
Standardizing on a risk response framework will improve team performance by aligning around a singe set of expectations.
In college basketball, the possession arrow is used to determine which team will gain possession in situations where definitive control of the ball is not clear. For third-party risk management teams, we extend that definition to include the possession of data – sometimes you have it, and sometimes a third, fourth or Nth party has it.
To limit your risk exposure to data security incidents in your extended vendor ecosystem, identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map will depict information paths and dependencies that could expose your environment to risk.
Once this is determined, conduct data security and privacy assessment. Key considerations should include:
Knowing who has the ball (or in this case the data) is the first step to improving third-party incident response.
Nothing can alter a basketball team’s momentum more than a mis-timed foul. For third-party risk management teams, fouls can mean a damaging compliance violation. To efficiently demonstrate compliance and avoid fines, automate the collection of vendor risk information; quantify risks; offer remediations to vendors (or require compensating controls); and map results to established IT security controls frameworks such as ISO 27001, NIST, and others. A proactive view into vendor security practices can help your team get ahead of potential compliance fouls and speed reporting during audits.
When the losses pile up or when team chemistry is suffering it may be time to change the lineup, and that could mean a trade. For third-party risk management teams, this means constantly monitoring contractual performance and offboarding vendors when KPIs, KRIs or SLAs are missed.
When a termination is required, leverage automation and workflows to:
Performing these tasks will reduce your organization’s post-contract risk exposure.
If a cybersecurity incident such as the NBA data breach occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Consider running these seven plays to improve your team’s performance, download the third-party incident response checklist, or contact us to schedule a personalized demonstration today.