
NBA Third-Party Data Breach: 7 Plays to Avoid Shooting Air Balls

Improve your team’s performance against third-party cybersecurity incidents by running these seven plays.
By: Scott Lang, VP, Product Marketing
March 21, 2023

The National Basketball Association (NBA) has begun notifying individuals that their personal data was stolen in a data breach at a third-party service provider. The NBA claims that impacted information includes names and email addresses, but no other types of personal information were accessed.

Since it is currently March Madness here in the U.S., and continuing the basketball theme, this post will review seven plays to keep your third-party risk management team from lobbing "air balls" against third-party data breach threats.

#1. Build a Winning Culture

Every coach will tell you that establishing a winning culture from the beginning is essential to long-term team and organizational success. The same is true for your third-party risk management program. Start with the right foundation, including defining:

  • Clear roles and responsibilities (e.g., RACI) for teams across the organization
  • Risk scoring and thresholds based on your organization’s risk tolerance
  • Third, fourth and Nth parties in scope
  • Assessment and monitoring methodologies based on third-party criticality
  • Key performance indicators (KPIs) and key risk indicators (KRIs) to measure vendors against
  • Governing policies, standards, systems and processes to protect data
  • Compliance and contractual reporting requirements against service levels
  • Incident response requirements
  • Stakeholder reporting
  • Risk mitigation and remediation strategies

Championships are won during practice, so continually test and improve your organization’s TPRM processes to keep pace with changing threats.

#2. Draft the Right Players for Your Team and Set Contractual Expectations

Effective team building begins with drafting or trading for the right players, or signing free agents that align with your team’s culture. In third-party risk management, that means sourcing and selecting vendors that represent the least risk exposure to your company’s operations.

As part of your vendor selection process, compare and monitor important vendor risk information such as demographics, fourth-party technologies in use, ESG scores, recent business and reputational insights, data breach history, and financial performance. This will enable you to select vendors that are not only fit for purpose but also a fit for your organization’s risk appetite.

To maximize vendor performance, build measurable and enforceable key performance indicators into the vendor contract. This will make contract renewal discussions more transparent.

#3. Know Your Opponent

In the game of basketball, knowing your opponent means studying film before the game, understanding player-by-player matchups, and choosing the right starting five to maximize your chances of a win. In third-party risk management, knowing your opponent is harder because they remain unseen until they strike. That is why it is essential to understand each vendor’s exposure to cybersecurity risk: those gaps are exactly where the opponent will aim.

Start by assessing selected third parties based on criticality, or the extent of threats to their information assets, by capturing, tracking and quantifying inherent risks. Criteria used to calculate inherent risk for third-party classification include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further due diligence; and determine the scope of ongoing assessments and continuous monitoring.
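As an added illustration of the tiering step described above (example code, not from the original post or Prevalent’s product), the following Python scores a vendor across the listed criteria, maps the score to a tier and a due-diligence scope, and applies a floor rule for vendors that touch protected data. Every scale, weight, threshold, scope mapping and sample vendor here is an assumption.

```python
# Added example (not from the original post): inherent-risk scoring and tiering
# from the criteria listed above; scales, weights, thresholds are assumptions.
from dataclasses import dataclass

@dataclass
class VendorProfile:
    name: str
    criticality: int            # 1 (low) .. 5 (business-critical)
    regulatory_exposure: int    # 1 .. 5, from location / legal regime
    fourth_party_reliance: int  # 1 .. 5, higher = more subcontracting
    financial_health: int       # 1 (strong) .. 5 (distressed)
    reputation_issues: int      # 1 (none) .. 5 (active, public)
    client_facing: bool         # exposed to operational/client processes
    handles_protected_data: bool

# Assumed weights for the scaled criteria (maximum raw score = 5 * 8.0 = 40).
WEIGHTS = {"criticality": 3.0, "regulatory_exposure": 1.5, "fourth_party_reliance": 1.5,
           "financial_health": 1.0, "reputation_issues": 1.0}
# Tier -> due-diligence and monitoring scope (assumed mapping).
TIER_SCOPE = {1: "full control assessment, evidence review, continuous monitoring",
              2: "standard questionnaire, annual reassessment, breach monitoring",
              3: "lightweight questionnaire, passive monitoring only",
              4: "contractual attestations, no active assessment"}

def inherent_risk_score(v: VendorProfile) -> float:
    """Weighted sum normalised to 0..100, plus fixed uplifts for the boolean criteria."""
    raw = sum(WEIGHTS[k] * getattr(v, k) for k in WEIGHTS)
    score = 100.0 * raw / (5 * sum(WEIGHTS.values()))
    score += 10.0 if v.client_facing else 0.0
    score += 15.0 if v.handles_protected_data else 0.0
    return min(score, 100.0)

def tier_vendor(v: VendorProfile) -> int:
    s = inherent_risk_score(v)
    tier = 1 if s >= 70 else 2 if s >= 50 else 3 if s >= 30 else 4
    # Floor rule: a vendor touching protected data is never assessed below tier 2,
    # however low its weighted score (e.g. a low-criticality mailing tool).
    return min(tier, 2) if v.handles_protected_data else tier

def assessment_scope(v: VendorProfile) -> str:
    return TIER_SCOPE[tier_vendor(v)]

# Constructed sample portfolio (not real vendors).
PORTFOLIO = [VendorProfile("ticketing-platform", 5, 4, 3, 2, 1, True, True),
             VendorProfile("email-campaign-tool", 1, 2, 2, 2, 1, False, True),
             VendorProfile("office-catering", 1, 1, 1, 1, 1, False, False)]

def tier_portfolio(vendors=PORTFOLIO) -> dict:
    return {v.name: tier_vendor(v) for v in vendors}
```

The second sample vendor only holds names and email addresses, yet the floor rule still places it in tier 2, which is the point of weighting data interaction separately from business criticality.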


#4. Diagram Effective Plays and Respond Aggressively

Successful basketball teams play their game but constantly adjust their approach to improve their chances of winning. Agility is key here, and in third-party risk management that means continually assessing risks and responding to third-party vendor incidents accordingly.

Key components of an effective third-party incident response program include:

  • Automated event and incident management questionnaires to determine risk exposure
  • Defined risk owners with automated chasing reminders to keep surveys on schedule
  • Proactive vendor reporting to accelerate risk response
  • Workflow rules to trigger actions on risks according to their potential impact to the business
  • Guidance from built-in remediation recommendations to reduce risk
  • Built-in report templates
  • Data and relationship mapping to identify relationships between your organization and third parties to visualize information paths and determine at-risk data

Standardizing on a risk response framework will improve team performance by aligning everyone around a single set of expectations.

#5. Maintain Possession

In college basketball, the possession arrow is used to determine which team will gain possession in situations where definitive control of the ball is not clear. For third-party risk management teams, we extend that definition to include the possession of data – sometimes you have it, and sometimes a third, fourth or Nth party has it.

To limit your risk exposure to data security incidents in your extended vendor ecosystem, identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map will depict information paths and dependencies that could expose your environment to risk.

Once this is determined, conduct a data security and privacy assessment. Key considerations should include:

  • Privacy Impact Assessments to uncover at-risk business data and where personally identifiable information (PII) exists, where it is shared, and who has access
  • Control mapping and reporting against privacy regulations
  • Continuous vendor data breach monitoring – including types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications
  • Enforcing contractual data protection provisions from the beginning of the relationship

Knowing who has the ball (or in this case the data) is the first step to improving third-party incident response.

#6. Avoid Fouls

Nothing can alter a basketball team’s momentum more than a mis-timed foul. For third-party risk management teams, fouls can mean a damaging compliance violation. To efficiently demonstrate compliance and avoid fines, automate the collection of vendor risk information; quantify risks; offer remediations to vendors (or require compensating controls); and map results to established IT security controls frameworks such as ISO 27001, NIST, and others. A proactive view into vendor security practices can help your team get ahead of potential compliance fouls and speed reporting during audits.

#7. Know When to Trade Up

When the losses pile up or team chemistry is suffering, it may be time to change the lineup, and that could mean a trade. For third-party risk management teams, this means constantly monitoring contractual performance and offboarding vendors when KPIs, KRIs or SLAs are missed.

When a termination is required, leverage automation and workflows to:

  • Perform a final review of the contract
  • Settle any outstanding invoices
  • Revoke access to IT infrastructure, data and physical buildings
  • Review data privacy and information security compliance
  • Update your vendor management database
  • Continuously monitor former vendors for potential future risks

Performing these tasks will reduce your organization’s post-contract risk exposure.

Next Steps to Mitigate Third-Party Data Breach Risks

If a cybersecurity incident such as the NBA data breach occurred in your vendor ecosystem, would your organization be able to quickly understand its implications to your business and activate its own incident response plan? Consider running these seven plays to improve your team’s performance, download the third-party incident response checklist, or contact us to schedule a personalized demonstration today.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.